
PGP Email Encryption: A Practical Guide

A hands-on guide to setting up PGP/GPG for email encryption, managing keys, and integrating with your email client.

PGP (Pretty Good Privacy) and its open-source implementation GPG (GNU Privacy Guard) provide end-to-end encryption for email, file signing, and identity verification. Despite being over 30 years old, PGP remains the standard for encrypted email in professional security, journalism, and software distribution. This guide walks you through generating keys, sending encrypted email, and managing your keyring.

Generating Your Key Pair

A PGP key pair consists of a public key (which you share freely) and a private key (which you protect with your life). Anyone with your public key can encrypt messages that only your private key can decrypt. Your private key also lets you digitally sign messages, proving they came from you.

```bash
# Generate a new key pair (interactive)
gpg --full-generate-key

# Recommended selections:
#   Key type: ECC (sign and encrypt) — option 9
#     (on GnuPG 2.2 the ECC choices are only listed when you add --expert;
#      on GnuPG 2.3 and later this is the default choice)
#   Elliptic curve: Curve 25519
#   Expiration: 2y (you can extend it later)
#   Real name: Your Name
#   Email: your@email.com
#   Passphrase: use a strong, unique passphrase

# Verify your new key (long key IDs are harder to spoof than short ones)
gpg --list-keys --keyid-format long
```

Tip

Always set an expiration date on your key (1-2 years). You can extend it anytime before it expires. An expiration date also limits the damage if you lose access to the private key (or it is compromised) and cannot publish a revocation: the key eventually stops being trusted automatically.

Exporting and Sharing Your Public Key

```bash
# Export your public key in ASCII armor format
gpg --armor --export your@email.com > publickey.asc

# Upload to a keyserver
# (keys.openpgp.org only makes the key searchable by email address after
#  you confirm the verification mail it sends to that address)
gpg --keyserver keys.openpgp.org --send-keys YOUR_KEY_ID

# Or share the .asc file directly via your website, email signature,
# or a service like keys.openpgp.org
```

Encrypting and Decrypting Messages

```bash
# Import someone else's public key
gpg --import their-publickey.asc

# Verify the key fingerprint (confirm via a separate channel!)
gpg --fingerprint their@email.com

# Encrypt a message for a recipient
echo "Confidential message here" | gpg --armor --encrypt \
  --recipient their@email.com > encrypted_message.asc

# Decrypt a message sent to you (plaintext goes to stdout; add --output FILE to save it)
gpg --decrypt encrypted_message.asc

# Encrypt a file (writes document.pdf.asc next to the original)
gpg --armor --encrypt --recipient their@email.com document.pdf

# Sign and encrypt; the recipient's gpg --decrypt verifies the signature automatically
gpg --armor --sign --encrypt --recipient their@email.com document.pdf
```

Key Management Best Practices

  • Back up your private key to an encrypted USB drive stored in a physically secure location.
  • Use subkeys for daily operations and keep your master key offline. This limits exposure if your daily-use device is compromised.
  • Verify key fingerprints through an out-of-band channel (phone call, in-person meeting) before trusting a key for sensitive communication.
  • Publish a key transition statement signed by both your old and new keys if you ever need to rotate keys.
  • Revoke compromised keys immediately and publish the revocation certificate to keyservers.

```bash
# Generate a revocation certificate (do this immediately after key creation;
# GnuPG 2.1 and later also write one to ~/.gnupg/openpgp-revocs.d/ at key generation)
gpg --gen-revoke YOUR_KEY_ID > revocation-certificate.asc

# Store this file securely and separately from your private key.
# Anyone who holds it can revoke your key, so treat it as sensitive.
# If your key is ever compromised, import the certificate into your keyring
# and re-upload the (now revoked) key to the keyserver:
gpg --import revocation-certificate.asc
gpg --keyserver keys.openpgp.org --send-keys YOUR_KEY_ID
```
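The expiry tip and the fingerprint-verification practice above are easy to automate against gpg's machine-readable listing. The script below is an added example, not part of the guide: it parses the colon-separated output of `gpg --list-keys --with-colons --fingerprint`, flags primary keys that never expire, have expired, or expire within a warning window, and formats fingerprints in the four-character groups you would read out over the phone. The listing, key IDs, fingerprints, names and dates are constructed for illustration.

```python
# Added example: audit `gpg --list-keys --with-colons --fingerprint` output for key expiry.
from datetime import datetime, timedelta, timezone

# Constructed sample listing (not a real keyring). In the colon format, field 1 is the
# record type, field 5 the key ID, field 6 creation and field 7 expiry (unix seconds,
# empty = never); fpr and uid records carry the fingerprint or user ID in field 10.
SAMPLE_LISTING = """\
pub:u:255:22:AAAAAAAAAAAAAAAA:1700000000:1763000000::u:::scESC:::::ed25519:::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFAAAAAAAA:
uid:u::::1700000000::DEADBEEF::Alice Example <alice@example.com>::::::::::0:
sub:u:255:18:BBBBBBBBBBBBBBBB:1700000000:1763000000:::::e:::::cv25519::
fpr:::::::::0123456789ABCDEF0123456789ABCDEFBBBBBBBB:
pub:e:255:22:CCCCCCCCCCCCCCCC:1600000000:1650000000::-:::scESC:::::ed25519:::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFCCCCCCCC:
uid:e::::1600000000::CAFEBABE::Bob Example <bob@example.com>::::::::::0:
pub:-:255:22:DDDDDDDDDDDDDDDD:1650000000:::-:::scESC:::::ed25519:::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFDDDDDDDD:
uid:-::::1650000000::F00DF00D::Carol Example <carol@example.com>::::::::::0:
"""

def parse_listing(text):
    """Return one dict per primary key; fpr records that follow a sub record are skipped."""
    keys, last = [], None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"key_id": f[4], "expires": int(f[6]) if f[6] else None,
                         "fingerprint": None, "uid": None})
        elif f[0] == "fpr" and last == "pub":
            keys[-1]["fingerprint"] = f[9]
        elif f[0] == "uid" and keys and keys[-1]["uid"] is None:
            keys[-1]["uid"] = f[9]
        last = f[0]
    return keys

def format_fingerprint(fpr):
    """Group a 40-hex-digit fingerprint in blocks of four, as `gpg --fingerprint` prints it."""
    return " ".join(fpr[i:i + 4] for i in range(0, len(fpr), 4))

def classify(key, now, warn_days=30):
    """'never' (no expiry set), 'expired', 'expiring' (within warn_days) or 'ok'."""
    if key["expires"] is None:
        return "never"
    exp = datetime.fromtimestamp(key["expires"], tz=timezone.utc)
    if exp <= now:
        return "expired"
    return "expiring" if exp - now <= timedelta(days=warn_days) else "ok"

def audit(text, now=None, warn_days=30):
    """Map each primary key ID in the listing to its expiry status."""
    now = now or datetime.now(timezone.utc)
    return {k["key_id"]: classify(k, now, warn_days) for k in parse_listing(text)}
```

Run it against your own keyring with `gpg --list-keys --with-colons --fingerprint | python3 audit.py` after adding a `sys.stdin.read()` call; a key reported as "never" is one the tip above says should be given an expiry.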

Email Client Integration

Several email clients support PGP natively or through plugins. Thunderbird has built-in OpenPGP support since version 78 — no add-on required. On mobile, apps like FairEmail (Android) and Canary Mail (iOS) support PGP. For webmail, the Mailvelope browser extension adds PGP to Gmail, Outlook.com, and other providers, though webmail PGP is inherently less secure since the provider's JavaScript has access to the page DOM.

Warning

PGP encrypts the message body but NOT the subject line, sender, recipient, or timestamps. These metadata fields remain visible to your email provider and any network observer. For truly metadata-private communication, consider a system like Signal instead.

Limitations and Alternatives

PGP has well-known usability problems: key management is complex, there is no forward secrecy (a compromised key decrypts all past messages), and the ecosystem is fragmented. For most person-to-person communication, a modern encrypted messenger provides better security with far less friction. PGP remains valuable for email encryption (where no better alternative exists), file signing, software distribution verification, and encrypted backups.