Pretty Good Privacy (PGP)

Contributor(s): Rob Wright

Pretty Good Privacy or PGP is a popular program used to encrypt and decrypt email over the Internet, as well as authenticate messages with digital signatures and encrypted stored files.

Previously available as freeware and now only available as a low-cost commercial version, PGP was once the most widely used privacy-ensuring program by individuals and is also used by many corporations. It was developed by Philip R. Zimmermann in 1991 and has become a de facto standard for email security.

Content Continues Below

How PGP works

Pretty Good Privacy uses a variation of the public key system. In this system, each user has an encryption key that is publicly known and a private key that is known only to that user. You encrypt a message you send to someone else using their public key. When they receive it, they decrypt it using their private key. Since encrypting an entire message can be time-consuming, PGP uses a faster encryption algorithm to encrypt the message and then uses the public key to encrypt the shorter key that was used to encrypt the entire message. Both the encrypted message and the short key are sent to the receiver who first uses the receiver's private key to decrypt the short key and then uses that key to decrypt the message.

PGP comes in two public key versions -- Rivest-Shamir-Adleman (RSA) and Diffie-Hellman. The RSA version, for which PGP must pay a license fee to RSA, uses the IDEA algorithm to generate a short key for the entire message and RSA to encrypt the short key. The Diffie-Hellman version uses the CAST algorithm for the short key to encrypt the message and the Diffie-Hellman algorithm to encrypt the short key.

When sending digital signatures, PGP uses an efficient algorithm that generates a hash (a mathematical summary) from the user's name and other signature information. This hash code is then encrypted with the sender's private key. The receiver uses the sender's public key to decrypt the hash code. If it matches the hash code sent as the digital signature for the message, the receiver is sure that the message has arrived securely from the stated sender. PGP's RSA version uses the MD5 algorithm to generate the hash code. PGP's Diffie-Hellman version uses the SHA-1 algorithm to generate the hash code.

Getting PGP

To use Pretty Good Privacy, download or purchase it and install it on your computer system. It typically contains a user interface that works with your customary email program. You may also need to register the public key that your PGP program gives you with a PGP public-key server so that people you exchange messages with will be able to find your public key.

PGP freeware is available for older versions of Windows, Mac, DOS, Unix and other operating systems. In 2010, Symantec Corp. acquired PGP Corp., which held the rights to the PGP code, and soon stopped offering a freeware version of the technology. The vendor currently offers PGP technology in a variety of its encryption products, such as Symantec Encryption Desktop, Symantec Desktop Email Encryption and Symantec Encryption Desktop Storage. Symantec also makes the Symantec Encryption Desktop source code available for peer review.

Though Symantec ended PGP freeware, there are other non-proprietary versions of the technology that are available. OpenPGP is an open source version of PGP that's supported by the Internet Engineering Task Force (IETF). OpenPGP is used by several software vendors, including as Coviant Software, which offers a free tool for OpenPGP encryption, and HushMail, which offers a Web-based encrypted email service powered by OpenPGP. In addition, the Free Software Foundation developed GNU Privacy Guard (GPG), an OpenPGG-compliant encryption software.

Where can you use PGP?

Pretty Good Privacy can be used to authenticate digital certificates and encrypt/decrypt texts, emails, files, directories and whole disk partitions. Symantec, for example, offers PGP-based products such as Symantec File Share Encryption for encrypting files shared across a network and Symantec Endpoint Encryption for full disk encryption on desktops, mobile devices and removable storage. In the case of using PGP technology for files and drives instead of messages, the Symantec products allows users to decrypt and re-encrypt data via a single sign-on.

Originally, the U.S. government restricted the exportation of PGP technology and even launched a criminal investigation against Zimmermann for putting the technology in the public domain (the investigation was later dropped). Network Associates Inc. (NAI)  acquired Zimmermann's company, PGP Inc., in 1997 and was able to legally publish the source code (NAI later sold the PGP assets and IP to ex-PGP developers that joined together to form PGP Corp. in 2002, which was acquired by Symantec in 2010).

Today, PGP encrypted email can be exchanged with users outside the U.S if you have the correct versions of PGP at both ends.

There are several versions of PGP in use. Add-ons can be purchased that allow backwards compatibility for newer RSA versions with older versions. However, the Diffie-Hellman and RSA versions of PGP do not work with each other since they use different algorithms. There are also a number of technology companies that have released tools or services supporting PGP. Google this year introduced an OpenPGP email encryption plug-in for Chrome, while Yahoo also began offering PGP encryption for its email service.


This was last updated in November 2014

Next Steps

Expert Karen Scarfone provides an in-depth explanation of why enterprises need email encryption technology and reviews the different business cases for protecting emails in transit and storage.

With so many email encryption products available on the market, selecting the right one is a challenge. Read our expert advice on what to look for when evaluating email encryption software and find advice on determining which product is the right fit for your organization.

Continue Reading About Pretty Good Privacy (PGP)

Dig Deeper on Email Security Guidelines, Encryption and Appliances

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

If your using PGP can the NSA (Feds) get into your computer and monitor your emails?
Do open source versions of PGP still serve a useful purpose, or have other encryption methods superseded it?
I have always been an advocate of Open Source software; it's the first place I look for solutions. The open source versions of PGP are as valid as they ever were especially as now embraced by Google in their End-to-End email encryption plugin for the Chrome browser, and I see quite a few third-part developers working with it.

Like anything else, open source PGP will evolve and possibly eventually become obsolete; for now, it's alive and well.
Other encryption methods haven't superseded it. However there is a basic fallacy in PGP. By using long key pairs, typically 2048+ bits and passphrases, typically 100+ characters, it gives the user a false sense of protection. The truth is that the key length used to encrypt messages is 256 bits which is NO protection to government agencies sponsored attacks. Such agencies, like NSA, have annual budgets around $10 Billion, enough money to buy enough processing power to break 256 bit keys on a brute force attack.
Sure, we still use it. It works for our purposes.
Absolutely YES. Although PGP uses 2048+ bit key pairs and 100+ character passphrases, it uses 256 bit keys in the encryption of the message. 256 bit keys are no hurdle to brute force attacks sponsored by NSA. Think about something better if you want to preserve your Constitutional right to privacy.
You want to send a secret message to Aarav which has a private key put connected public key on web page download public key encrypt the message using it send it that person will decode it cause that person has the corresponding private key
You must be asymmetrical eleptical cylindrical encrypted to have any hope not having you data opened. It is less complicated if you have end to end hardware or you can do this with the highest level intel processors and time via software. Good luck....

File Extensions and File Formats

Powered by: