How to generate PGP keys, encrypt and sign messages, and verify identities without trusting a central server.
PGP Basics: Encrypt Messages Without a Central Server
Key points
- PGP lets you protect message content without trusting one company.
- Fingerprint checks matter more than keyserver convenience.
- PGP hides content, not the metadataData about data, such as who contacted whom, when, from what device, and from which location. Metadata often remains exposed even when content is encrypted.Glossary → around it.
Snapshot
Practical steps
- Encrypting files before cloud backup.
- Signing software releases or public statements.
- Exchanging sensitive email when both parties can verify fingerprints.
- Creating durable identity keys not tied to one platform.
Frequently Asked Questions
Is PGP still useful in 2026?
Yes. PGP still works for email, file encryption, software signing, and identity checks when both sides verify fingerprints and protect private keys. It does not hide metadata, and it is clumsier than Signal, but it remains one of the few decentralized options.
Does PGP hide who I talk to?
No. OpenPGP protects message content and signatures. Email headers, timing, recipient data, and server logs still expose metadata unless you add separate transport protection and keep identities compartmentalized.
What is the most important safety check?
Verify the full key fingerprint through a second channel before trusting a public key. Skip that step and you can encrypt to an attacker key without realizing it.