If you're familiar with the world of email encryption, you've probably heard of PGP, which stands for Pretty Good Privacy. PGP is a data encryption technology that enables the secure exchange of files and communications, such as email. PGP uses cryptography to encrypt data in such a way that it can only be decrypted by the intended recipient's private key. This ensures privacy and prevents unauthorized access to sensitive data.
While PGP can work well in some scenarios with standard, predictable workflows between existing contacts, many find it cumbersome because it requires subject matter knowledge, manual effort, maintenance, and communication between the sender and recipient before any encrypted information exchange can take place.
In this post, we'll walk through how PGP works and what alternatives to PGP are available.
PGP encryption uses a combination of symmetric-key cryptography for data encryption, and public-key cryptography for distributing the symmetric keys. Here's a high-level overview of how it works:
This use of public-key encryption to securely distribute the session key, combined with symmetric encryption for the bulk data, allows PGP to be secure while still maintaining performance.
Need a visual for how PGP works? Picture a series of nesting dolls, where each layer is locked. The tiniest doll at the center is your unencrypted message, the content. Then you nest that inside another doll — a layer of encryption that's locked with a key. Then the key to that doll is contained in yet another larger doll, which again requires its own key.
So, if you're the recipient of this lovely encryption nesting doll, to get past the first layer, you need to provide your own private key — a key that only you have access to. After successfully opening the first layer, you then get access to a key that gets you through the second layer. Then, nested in the middle, is your message that you get to read.
Still a little hazy on the concept? Here's one more example.
Put another way, imagine you want to send a valuable package securely to someone across the country. PGP encryption is like using two locks and keys to protect the package.
The first lock is a sturdy combination lock (Lock 1) that you use to actually secure the package itself. This is the symmetric encryption that protects the email/file data itself. You use a random combination to set this padlock each time.
But, you want the recipient to be able to open the package, so you need to get them the combination to Lock 1 (a.k.a. the symmetric key). However, simply sending the combination in the open is not secure. So you use a second lock. Lock 2 is a lockbox with its own combination lock. This represents the public-key encryption used to protect the symmetric key itself.
You look up the recipient's unique key code for opening these kinds of lockboxes (their public key). Using this, you place the padlock combination (symmetric key) for Lock 1 inside the lockbox (Lock 2) and lock it with their key code. Now, only your recipient can unlock this lockbox (Lock 2), because only they hold the matching private key.
Now, your package can travel securely to its destination, with the key to Lock 1 safely nested inside of the lockbox with Lock 2. You then send the locked package (encrypted data) along with the locked lockbox containing the padlock's combination (encrypted symmetric key).
When your recipient gets the shipment, they use their private lockbox key to unlock Lock 2 and retrieve the padlock's combination. With this, they can unlock the main padlock (Lock 1) and open the package securely. The hybrid approach uses a simple single-use padlock to efficiently secure the valuable package contents, while using the more complex lockbox with personal keys to securely share the padlock codes.
To use PGP encryption, you first need to generate a key pair consisting of a public and a private key:
As highlighted above, the recipient needs to have PGP set up on their end in order to decrypt and access the contents of a PGP email. To read a PGP encrypted email:
As with any technology, PGP encryption has pros and cons.
While PGP is a solution that works well in some cases, its complexities around key management and software integration — especially at scale — lead most technology leaders to more user-friendly alternatives.
While PGP has been around for decades and is still widely used, some alternatives have emerged that aim to improve usability. Of course, there are technologies like S/MIME and secure email portals, but these technologies can also be cumbersome for users and recipients.
Like PGP, S/MIME requires an exchange between sender and recipient to establish a secure connection via digital signature before any encrypted information can be shared, and there's also a lot of manual effort that takes place behind the scenes, as each user needs their own certificate. Overall, this creates additional work for admins, users, and recipients — and more work for admins to support users that aren't particularly tech savvy.
Secure email portals are a common solution, but they don't deliver good user experiences. For one, they're cumbersome for internal users. They also likely require the installation of an email gateway, which can be time-consuming for admins. They are also frustrating for the external recipients of encrypted email, who often have to jump through hoops to create new accounts and passwords just to access information shared with them.
There's an easier way to protect email: Virtru's seamless email encryption for Gmail and Outlook.
Unlike PGP, Virtru email encryption:
Many customers have made the switch from PGP to Virtru, and they haven't looked back. Here is just one example from Virtru customer TrueCar, whose case study is featured in our library of Virtru Customer Stories.
“All our teams are over-utilized in terms of time. So to have a tool like Virtru that we could roll out ourselves, that didn’t require a lot of work to put it in the hands of our users, was an advantage,” said Brett Henry, Senior Security Engineer at TrueCar. “We even had two people on the dealer partner team use Virtru during the demo, even sharing information with partners back and forth to see how it worked for them business-flow-wise, in real life. They were like, ‘Yeah!’”
If we can get salespeople at auto dealerships excited about email encryption, just think about what we can do for your organization. If you're ready to learn more about Virtru, contact our team to see a demo.