This page was last updated 13 December 2013.

What's a PGP key?

PGP stands for Pretty Good Privacy, originally invented by Phil Zimmermann. It's a package of tools that allows you to send me mail (or files) encrypted so that only I can read them. Without encryption, anyone who has access to one of the many computers that the mail passes through on its way to me can read the content. Some governments with little respect for their citizens' privacy, such as the US and Chinese governments, routinely record personal communications. Unencrypted mail is like an open postcard, except that there are lots of mailmen on the way...

Many mailers now support PGP natively, or through simple plugins or add-ons that make encryption as easy as pressing a button. Also, PGP is not the only encryption package: GPG (GNU Privacy Guard) has very similar features and is fully compatible. For Apple MacOS, check out GPG Tools, which adds GPG support to the Apple Mail program.

But your mailer must know the recipient to know how to encrypt the mail. It knows that by importing my personal public PGP key. Usually you just click on that link, save it on disk, and then tell your mailer about the file. The mailer will put the key into its "keyring", and you can then send me secure mail.

If you are curious, this is what a PGP key looks like:

Version: GnuPG v2.0.4-svn0 (GNU/Linux)


And if you are wondering why I can publish this key without allowing everyone to read my secure mail: the neat thing about PGP is that there is one key for encrypting (the one you see here) and another key for decrypting it again (I keep that one secret). That's called an asymmetric cipher.

Paranoid people now wonder if the page you are looking at has been tampered with, and you are seeing a forged key. That's called a man-in-the-middle attack. To get around this, you can ask your mailer to tell you the key's fingerprint, a short string that uniquely identifies the key so you don't have to call me and verify the huge text block you see above. My key's fingerprint is

4D1A 2192 63DB 1B74 9AA7  CCCE 20E5 6A60 5D06 972F

Now you may wonder how you can be sure that the fingerprint isn't forged too. Well, you can call me up and ask me to verify it, but usually it's considered sufficient to scatter the fingerprint widely. For a long time I have put it in every mail I sent. An attacker would have a very hard time intercepting and forging them all.
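As an added illustration (not part of the original page), this sketch shows what a mailer computes when it reports a fingerprint. Forty hex digits is the length of an OpenPGP version 4 fingerprint, which RFC 4880 defines as a SHA-1 hash over the public-key packet. The key values are constructed samples and all function names are hypothetical.

```python
import hashlib
import struct

def mpi(x: int) -> bytes:
    """OpenPGP multiprecision integer: 2-byte bit count, then big-endian bytes."""
    return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")

def v4_rsa_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a v4 RSA public-key packet: version, creation time, algorithm, n, e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, 2-byte body length, body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def display(fp: str) -> str:
    """Group as on the page: ten blocks of four, wider gap in the middle."""
    g = [fp[i:i + 4] for i in range(0, 40, 4)]
    return " ".join(g[:5]) + "  " + " ".join(g[5:])

def normalize(published: str) -> str:
    """Strip spacing and case from a fingerprint read off a page or mail footer."""
    fp = "".join(published.split()).upper()
    if len(fp) != 40 or any(c not in "0123456789ABCDEF" for c in fp):
        raise ValueError("expected 40 hex digits")
    return fp

def matches_published(body: bytes, published: str) -> bool:
    """True only if the imported key hashes to the fingerprint you were given."""
    return v4_fingerprint(body) == normalize(published)

# Constructed sample values (not a real key; the hash only sees bytes).
CREATED = 1386892800
SAMPLE_N = (1 << 2047) | 0x1D
SAMPLE_E = 65537

if __name__ == "__main__":
    genuine = v4_rsa_key_body(CREATED, SAMPLE_N, SAMPLE_E)
    forged = v4_rsa_key_body(CREATED, SAMPLE_N + 2, SAMPLE_E)  # substituted key
    published = display(v4_fingerprint(genuine))
    print("published:", published)
    print("genuine key matches:", matches_published(genuine, published))
    print("forged key matches: ", matches_published(forged, published.lower()))
```

Any change to the key material, however small, yields a different fingerprint, which is why comparing the short string is enough to detect a substituted key.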

In this day and age many people feel it's a good idea to routinely encrypt all mail. Would you send all your personal letters on open postcards? You can consider encryption as the electronic equivalent of putting your letter into a sealed envelope, except it's much more difficult to "open" an encrypted mail than to steam open an envelope. So, go ahead, send me secure mail!

Here is a good article with technical details.

Tell me if you found this information interesting or useful, or if you have comments.