PGP Encryption: How It Works and How to Install PGP on Linux?

Today PGP, or Pretty Good Privacy, is pretty much the standard in email security and encryption. If your email provider doesn't protect you with PGP encryption, it's not really secure.

But what is PGP and how it works?

In this article, we'll go over what PGP is and how it works and also show you how to set up PGP encryption on Linux step-by-step.

What is PGP?

On our blog, we already covered PGP encryption in detail, so we'll give you a short version here.

PGP is an encryption system developed in 1991 initially as freeware (until its purchase by Symantec in 2010 when it became a licensed software) that fuses two encryption standards: symmetric and asymmetric.

symmetric and asymmetric

This means that PGP uses both a public and private key and can take the efficiency from the symmetric system and the security of the asymmetric system.

What is symmetric and asymmetric cryptography or encryption?

In symmetric encryption, only one key is used to encrypt and decrypt.

The benefit of this method is that it is significantly faster, but also less safe since the same key has to be shared between the sender and the recipient in a safe way. If a 3rd party, like an attacker, intercepts this email, they'll also have the key.

Asymmetric encryption, on the other hand, uses two keys like we explained - private and public.

The public key is used to encrypt data, while the private one decrypts it. This method is slower, but is a lot more secure since the private one is not shared and instead remains with the recipient.

How PGP Works?

First, for PGP to work, it has to be present on both sides of the communication - sender and recipient. The two need to be able to share public and private keys to communicate securely.

Here's a simple explanation of using PGP:

  1. Let's say you want to send a secure email to someone, but worry that a 3rd party or person will read it (like your boss)
  2. The person you want to send the message to needs to generate two keys: one public and one private. You can share your public key freely, but not the private one
  3. They then share the public key with you, while keeping the private PGP key for themselves
  4. With the public key they shared with you, you can now encrypt your email
  5. Once you encrypt a message with the public key, you can share it with the other person
  6. Finally, when they receive your message, they can decrypt it using their private key and read it

It all sounds simple enough, right?

There's a key pair -public and private. The public one for encrypting and the private one for decrypting.

Both sides can have the public key, but only the recipient of the message can have the private one to read the message.

However, if you ever tried to set up PGP on an email that doesn't support it by default, you might have found that it's not as easy as it sounds.

How to Set Up PGP Encryption on Linux?

First of all, keep in mind that there are dozens of Linux distributions out there (read our review of the best Linux distros for privacy and security), so the installation process won't be the same for all distros.

This how-to will use Linux Mint with GnuPG and GPA (Gnu Privacy Assistant).

Step 1: Download and Install the Encryption Software

  1. Open your Terminal and type the following command: sudo apt-get install gap gnupg2.
  2. Enter your password
  3. The system will now let you know how much space you need on the drive, so press "Y" and "Enter" to confirm
  4. The installation should take a minute or two, so you can wait a while until it finishes and you can move on to the next step

Step 2: Make a PGP Key Pair

Like we explained, PGP uses two keys - public and private key to encrypt and decrypt an email message.

  1. In the Terminal, type gpg -gen-key
  2. Next, you can choose your RSA key length, which can be from 1024 to 4096 bits long. The longer the key, the more secure it will be
  3. You can also next set for how long your key will be valid, or after what time will it expire. You can set this to "0", meaning "key does not expire" or a specific number of days, weeks, months, or years and press "Y" to confirm your choice
  4. Next, you will need to create an ID for people to identify your key. The user ID will be generated from your real name, email address and comment. Press "O" to confirm your choices
  5. Now create a password for your secret or public key
  6. Once you've done this, you can generate the public key. Type something on your keyboard or move your mouse around to create entropy for the random number generator

Step 3: Getting the Public Key

Now you can obtain your public key.

  1. In the Terminal, type the command sudo gpa
  2. Enter your passphrase
  3. This will open the GPA Key Manager window (keep this open for future steps after you're finished with obtaining public keys)
  4. Highlight the PGP keys you created in the list
  5. Click the "Keys" tab in the menu above and select "Export" from the menu
  6. Select a location on your drive to save this, give it a filename and click "Save"
  7. In your file manager, open the file with the text editor

Step 4: Getting the Private Key

Next, you'll need to obtain the private key as well.

  1. In the GPA Key Manager window click on the same pair of keys in the list
  2. Click the "Keys" tab, but instead of "Export", this time., you will select "Backup" from the menu
  3. Choose the save location on your drive and click "Save". Don't change the filename
  4. You'll get a pop-up window letting you know that you've got your private key. Just click "Close" here

Step 5: Importing the Public Key

We'll next show you how to obtain the public key.

  1. You'll need to first obtain the public key from the recipient, which you'll find on their profile
  2. Copy-paste everything in a text editor and make sure to store it in a safe location
  3. In the GPA Key Manager, click "Keys" and select "Import" from the menu
  4. Select the key you just copied and click "Open"

Step 6: Importing the Private Key

You'll also need to import the private key. Here's how to do this:

  1. Again in the GPA Key Manager, select the "Keys" tab
  2. Click "Import Keys" from the menu
  3. Select the key you wish to import from the next window.

Step 7: Encrypting Your Message

Congratulations! By now you've successfully created and imported both keys and now you can encrypt your mail.

To do this:

  1. In GPA, open the "Windows" tab in the tabs menu above
  2. Click on "Clipboard" to open the clipboard window
  3. Enter the message that you would like encrypted in this window
  4. Go to the menu and select the envelope icon with the blue key
  5. Select how you want to receive the encrypted email and sign the message with your key before hitting the "Ok" button
  6. The message will next be encrypted in the clipboard in place of the message you wrote earlier. Copy this to save the file and send it to the other person

Step 8: How to Decrypt the Message?

Of course, to read an encrypted mail, that someone sent you, you will have to decrypt it using your decryption key.

To do this, you will need to:

  1. Open the encrypted message you sent them and copy/paste it in the GPA clipboard on your end
  2. Next, you'll need to click the envelope icon with the yellow key in the menu above and enter the passphrase you've created before
  3. You can now read the decrypted message clearly

And that is it! That's how you set up PGP on Linux, obtain private and public keys, import them and finally encrypt and decrypt your email messages.

What Else Can You Use PGP For?

Apart from encrypting and decrypting emails, here is what else can you use PGP for:

  1. Checking the data for integrity
  2. To verify the recipient's authenticity
  3. ´╗┐File encryption

Integrity ensures that the message has not been changed between the moment of creation and the time the recipient got it.

PGP creates a digital signature for the email by creating a hash from plain text using the sender's key, which can then be added to their signature to the other person's public key and this will show that the sender is the rightful owner

Authentication will verify that you are sending the email to the right person and not an imposter. PGP uses a certificate to detect any tampering and PGP software will also determine if the certificate belongs to the right recipient.

Finally, the third use PGP has is file encryption. Since PGP uses the RSA algorithm it offers a very secure option to encrypt files, in particular when used together with a good cyber threat detection solution.

Pros and Cons of PGP

Like everything else in life, PGP is not perfect either. It has its advantages, but also its disadvantages.

Pros and Cons of PGP

The biggest pro of using PGP is that it's extremely secure. PGP is essentially unbreakable, as long as recipients keep their private keys secure.

The second advantage of PGP, more precisely OpenPGP, is that it is open source and therefore free to use. Unfortunately, this is not the case with the default PGP, which is owned by Symantec and is proprietary.

On the other hand, PGP has some disadvantages that should be mentioned.

The biggest of these is that it is not very user-friendly.

Installing PGP may not be the easiest task, especially if you are not very tech-savvy. For instance, for someone to send you encrypted messages via Gmail, they need to download and install a 3rd party program like Mailvelope or FlowCrypt extensions.

Luckily, there are more and more encrypted emails that not only support, but also use PGP by default, so you don't have to set anything up.

One of them is CTemplar: Armored Email.

CTemplar is an end-to-end encrypted email service that uses OpenPGP to protect your emails to protect your important mail.

We use the OpenPGP.js library in our front-end code. This is an open source JavScript library, which allows the creation of keys for encryption and decryption. OpenPGP.js is maintained and audited by a cybersecurity company from Germany, Cure53.

All emails that you send via CTemplar are encrypted on the client-side using the RSA 4096-bit encryption and the OpenPGP standard. Both the RSA public and private keys are created using the user's password as the private key passphrase.

The keys are then stored securely on our server, with the private key being encrypted and the password is never sent to the server in plain text, but hashed, so it's impossible to get the actual password from it.

This way, not even CTemplar can decrypt your email and read its contents without knowing the actual password and neither can anyone else (like the government).

Are you ready to take back your online privacy right now? Join us now and sign up for a CTemplar account and get a 14-day full money-back guarantee if you don't like it!