Amazing encryption from humble PGP

(An illustrated explanation)

There’s one tool available that will almost guarantee that nobody will be able to read the content of messages and other data you’re sending online. That tool is called PGP.

User A

PGP stands for “Pretty Good Privacy.” It enables two people to securely send and receive emails and documents.

User B

Because of the decentralized structure of the internet it's possible for bad actors to see messages as they travel across the web.

To help protect communications PGP relies on a set of three keys to encode and decode messages.


Encodes a message that only the matching private key can decode.


Used to decode messages sent to the user.


Unique to each communication. Encrypted with the public key.

Public keys can be shared freely. There are even directories of public keys.

But the private key must be kept secure. It is accessed via a password.

A bad actor may still be able to intercept the communication, but without the private key, they won't be able to decipher it.

portrait of Phil Zimmermann

PGP was first created in the early 1990’s by pioneering engineer Phil Zimmermann and has since had several major updates and additions. What it is, in practice, is a very powerful cryptography program.

When something is “encrypted,” it’s essentially converted from normal text into a secret code that’s ideally only decipherable with the aid of a electronic key. Anyone receiving the encrypted message without the secret key would only see gibberish and would have to try and crack the code. The more sophisticated the key, the harder it is to crack.

PGP can encrypt emails, texts, documents or even an entire computer’s memory through a combination of extremely powerful encryption tricks. Once something is wrapped in PGP, users feel relatively comfortable that almost nobody – right up to the most sophisticated code-breakers anywhere in the world – will be able to break the code and spy on what they’re doing.

How PGP works

Any tool as powerful as PGP brings with it complications and confusion. Few PGP users truly understand the sophisticated encryption algorithms and steps employed, but the concepts of how to use PGP are fairly basic.

Rather than using just one key, PGP  employs several electronic code keys: one that’s public, one that’s private, and one just for the session.

Public keys are shared freely for everyone else using PGP and are used to encrypt documents. Private keys are only for the end user to decrypt data sent to them via their public key. Finally, the session key is unique to each action of encryption.

It works like this. One of the very first things a new PGP user does is generate their public and private keys, which are long strings of what looks like electronic nonsense. Key lengths can vary depending on the degree of encryption a user wants to employ, but the difference between public and private is paramount.

PGP users are encouraged to share their public key where-ever they wish: it’s what other PGP users will need when they send an encrypted message or document to you. Private keys must remain exactly that: for the user only and never shared. It must also be protected, because if you lose your private key it’s lost for good and any documents encrypted with it will be lost.

Once you have the email or document you want to encrypt, and the public key of the person you’re sending it to, a user will “sign” or encrypt their text using what’s called a “PGP passphrase” and send it to the intended recipient.

When it arrives to the recipient, it will look like digital gibberish, but the recipient – using their private key and unique passphrase – will uniquely be able to decipher the text because of the key information that’s wrapped in the encryption. The process works exactly the same in the other direction. It’s like locking the message in two boxes which only the intended sender and recipient will be able to unlock.

While there is debate at the highest levels of cryptography whether any digital coding system is truly “unbreakable”, there’s wide-scale agreement that PGP provides the closest thing to  guaranteeing truly private communication. At the highest privacy settings, it is nearly impossible to unlock PGP-encrypted documents without the aid of supercomputers and a team of talented code-breakers…and maybe not even then. If you have documents you want to make sure nobody but you will see, or need iron-clad guarantees that your email communications remain private, you can’t do better than PGP.

Possible drawbacks

But there are some downsides.

First, while PGP all but ensures the privacy of encrypted documents, it does nothing to protect the identity of both sender and recipient. It is strictly an encryption tool; even while using it your online activities will be exactly as exposed as they would without it. That means authorities would have no idea what you’re saying online, but they would know who you were saying it to. Additionally, PGP is a complicated tool. Even experienced users often have to think through the precise steps of encrypting and decrypting. Individuals who might describe themselves as novices on the Web should think strongly about using PGP.

The bottom line

If you need to send or store documents securely without the likelihood of them being intercepted and read, and you’re willing to jump through a few hoops to make that happen, PGP is your tool. If you want something to help you circumvent Internet firewalls or guard your online privacy, or you’re easily discouraged by complicated software, PGP has very little to offer.

Comparing the Tools Anonymity Circumvention Portability Encryption
TOR (The Onion Router)
VPN (Virtual Private Network)