<img src="https://ad.doubleclick.net/ddm/activity/src=11631230;type=pagevw0;cat=pw_allpg;dc_lat=;dc_rdid=;tag_for_child_directed_treatment=;tfua=;npa=;gdpr=${GDPR};gdpr_consent=${GDPR_CONSENT_755};ord=1;num=1?" width="1" height="1" alt=""> What is PGP Encryption?
Email Encryption
March 19, 2024

What is PGP Encryption?

Editorial Team
By Editorial Team

TABLE OF CONTENTS

    See Virtru In Action

    { content.featured_image.alt }}

    If you're familiar with the world of email encryption, you've probably heard of PGP, which stands for Pretty Good Privacy. PGP is a data encryption technology that enables the secure exchange of files and communications, such as email. PGP uses cryptography to encrypt data in such a way that it can only be decrypted by the intended recipient's private key. This ensures privacy and prevents unauthorized access to sensitive data.

    While PGP can work well in some scenarios with standard, predictable workflows between existing contacts, many find it cumbersome because it requires subject matter knowledge, manual effort, maintenance, and communication between the sender and recipient before any encrypted information exchange can take place. 

    In this post, we'll walk through how PGP works, and what alternatives are available for PGP.

    How Does PGP Encryption Work?

    PGP encryption uses a combination of symmetric-key cryptography for data encryption, and public-key cryptography for distributing the symmetric keys. Here's a high-level overview of how it works:

    1. Both the sender and the recipient need PGP encryption enabled in their email clients, and each needs to have established their own public-private key pair. 
    2. The sender generates a random session key and uses it to encrypt the email content with a symmetric cipher.
    3. The session key itself is encrypted using the recipient's public key. This encrypted session key is transmitted along with the encrypted data.
    4. The recipient decrypts the session key with their private key
    5. The decrypted session key is then used to decrypt the content.

    This use of public-key encryption to securely distribute the session key, combined with symmetric encryption for the bulk data, allows PGP to be secure while still maintaining performance.

    What's the Password? PGP Keeps Data Under Lock and Key (and Lock and Key). 

    Need a visual for how PGP works? Picture a series of nesting dolls, where each layer is locked. The tiniest doll at the center is your unencrypted message, the content. Then you nest that inside another doll — a layer of encryption that's locked with a key. Then the key to that doll is contained in yet another larger doll, which again requires its own key. 

    So, if you're the recipient of this lovely encryption nesting doll, to get past the first layer, you need to provide your own private key — a key that only you have access to. After successfully opening the first layer, you then get access to a key that gets you through the second layer. Then, nested in the middle, is your message that you get to read. 

    Still a little hazy on the concept? Here's one more example.

    Put another way, imagine you want to send a valuable package securely to someone across the country. PGP encryption is like using two locks and keys to protect the package.

    The first lock is a sturdy combination lock (Lock 1) that you use to actually secure the package itself. This is the symmetric encryption that protects the email/file data itself. You use a random combination to set this padlock each time.

    But, you want the recipient to be able to open the package, so you need to get them the combination to Lock 1 (a.k.a. the symmetric key). However, simply sending the combination in the open is not secure. So you use a second lock. Lock 2 is a lockbox with its own combination lock. This represents the public-key encryption used to protect the symmetric key itself.

    You look up the recipient's unique key code for opening these kinds of lockboxes. Using this, you securely place the padlock combination (symmetric key) for Lock 1 inside the lockbox (Lock 2) and lock it with their key code. Now, only your recipient can unlock this lockbox (Lock 2) with their private key.

    Now, your package can travel securely to its destination, with the key to Lock 1 safely nested inside of the lockbox with Lock 2. You then send the locked package (encrypted data) along with the locked lockbox containing the padlock's combination (encrypted symmetric key).

    When your recipient gets the shipment, they use their private lockbox key to unlock Lock 2 and retrieve the padlock's combination. With this, they can unlock the main padlock (Lock 1) and open the package securely. The hybrid approach uses a simple single-use padlock to efficiently secure the valuable package contents, while using the more complex lockbox with personal keys to securely share the padlock codes.

    How to Generate a PGP Key Pair

    To use PGP encryption, you first need to generate a key pair consisting of a public and a private key:

    1. Install PGP software or a plugin for your email client that supports PGP.
    2. Use the key generation wizard to generate a key pair. You'll need to choose an algorithm, key size, and enter a secure passphrase.
    3. Your public key can be shared openly, while you must protect your private key.
    4. Share your public key by uploading to key servers or sending to contacts. 

    How to Open a PGP Encrypted Email

    As highlighted above, the recipient needs to have PGP set up on their end in order to decrypt and access the contents of a PGP email. To read a PGP encrypted email:

    1. Open your email. The encrypted email will include the encrypted message body and the session key encrypted to your public key.
    2. Decrypt the session key: Your email client's PGP plugin will automatically use your private key to decrypt the session key.
    3. Decrypt the content: The decrypted session key is then used to decrypt the message content.
    4. Read your email: You can now read the decrypted plaintext email content.

    Pros and Cons of PGP Encryption

    As with any technology, PGP encryption has pros and cons.

    Pros of PGP Encryption

    • The encryption methodology is secure: PGP uses robust cryptographic algorithms and key lengths that make it difficult to crack or decrypt data without the private key. However, if those private keys are compromised, the impact can be substantial.
    • It's an open standard: PGP is an open protocol and standard, not controlled by any single company or entity.
    • It is accessible: PGP encryption is available across many platforms, email clients, and applications.
    • It supports digital signatures: PGP supports digital signatures to verify the authenticity and integrity of data.
    • It's non-proprietary: You don't need to pay licensing fees to implement PGP encryption.

    Cons of PGP Encryption

    • It's complex to use: Generating, exchanging, and managing PGP keys can be complex, especially for non-technical users and for admins responsible for multiple users and recipients.
    • You and your users are responsible for key management: Securing and backing up private keys is crucial and requires care.
    • Lack of interoperability: Integrating PGP into email clients and apps doesn't always work smoothly. PGP also requires that every recipient is set up to receive PGP-encrypted content.
    • Low adoption, internally and externally. Both parties need PGP for encrypted communications, limiting adoption both internally and externally. This can result in important information not reaching its intended recipient, slowing down collaboration.
    • No forward secrecy: PGP does not provide forward secrecy, so if your (or your recipients') private keys become compromised, past messages remain vulnerable.
    • No key expiration: PGP keys don't expire by default, which can be a security risk if not managed properly.
    • Large file sizes can be problematic: Encrypted emails become significantly larger with PGP encryption, which can become an issue for large file sharing.

    While PGP is a solution that works well in some cases, its complexities around key management and software integration — especially at scale — lead most technology leaders to more user-friendly alternatives.

    Alternatives to PGP Encryption

    While PGP has been around for decades and is still widely used, some alternatives have emerged that aim to improve usability. Of course, there are technologies like S/MIME and secure email portals, but these technologies can also be cumbersome for users and recipients.

    Like PGP, S/MIME requires an exchange between sender and recipient to establish a secure connection via digital signature before any encrypted information can be shared, and there's also a lot of manual effort that takes place behind the scenes, as each user needs their own certificate. Overall, this creates additional work for admins, users, and recipients — and more work for admins to support users that aren't particularly tech savvy.

    Secure email portals are a common solution, but they don't deliver good user experiences. For one, they're cumbersome for internal users. They also likely require the installation of an email gateway, which can be time-consuming for admins. They are also frustrating for the external recipients of encrypted email, who often have to jump through hoops to create new accounts and passwords just to access information shared with them. 

    PGP vs. Virtru Email Encryption

    There's an easier way to protect email: Virtru's seamless email encryption for Gmail and Outlook. 

    Unlike PGP, Virtru email encryption: 

    • Natively integrates with Gmail and Outlook 
    • Protects sensitive information instantly, in one click — no manual key exchanges, digital signatures, certificates, or clunky portals necessary. 
    • Deploys in minutes, not hours or days — as a Chrome plugin for Gmail and an add-on for Outlook. 
    • Is easy for recipients: They simply click a link in their email and log in with their existing Google or Microsoft credentials, so there are no new accounts to create (or passwords to remember).
    • Provides central admin visibility and control, supporting audit needs and compliance requirements. 
    • Adds granular access control to data shared internally and externally — allowing the user or admin to make changes and revoke access any time they choose, even after the email has left the organization's network. 

    Many customers have made the switch from PGP to Virtru, and they haven't looked back: Here is just one example from Virtru customer, TrueCar, whose case study is featured in our library of Virtru Customer Stories

    “All our teams are over-utilized in terms of time. So to have a tool like Virtru that we could roll out ourselves, that didn’t require a lot of work to put it in the hands of our users, was an advantage,” said Brett Henry, Senior Security Engineer at TrueCar. “We even had two people on the dealer partner team use Virtru during the demo, even sharing information with partners back and forth to see how it worked for them business-flow-wise, in real life. They were like, ‘Yeah!’” 

    If we can get salespeople at auto dealerships excited about email encryption, just think about what we can do for your organization. If you're ready to learn more about Virtru, contact our team to see a demo. 

    Editorial Team

    Editorial Team

    The editorial team consists of Virtru brand experts, content editors, and vetted field authorities. We ensure quality, accuracy, and integrity through robust editorial oversight, review, and optimization of content from trusted sources, including use of generative AI tools.

    View more posts by Editorial Team

    See Virtru In Action