PGP Basics: Encrypt Messages Without a Central Server

Key points

Standard: OpenPGP (RFC 9580)
Main risk: key trust
Practice: GnuPG
Best for: email and files
Metadata: not hidden
Model: threat model first
1. Start with the threat model. PGP is not magic. It gives you end-to-end encryption and signatures for message content without relying on a central key authority. It does not make email anonymous. Your mail provider, the recipient's provider, and anyone watching the network can still learn who talked to whom and when, and the subject line and addresses travel in the clear. If you need content protection, software signing, or a way to stop providers reading message bodies, PGP still helps. If you want easy chat, use Signal and keep PGP for email and files.
2. Use tools people already trust. The safest default is GnuPG, the reference implementation of OpenPGP, which handles encryption, decryption, key management, and signatures on Linux, macOS, and Windows. If you want a graphical interface, Kleopatra manages keys on top of GnuPG, and Thunderbird has built-in OpenPGP mail support. Skip random browser-based tools unless you know exactly where and how they store your private key.
3. Generate a key pair and guard the secret key. Create the key on a device you control, protect it with a long passphrase, and back up a revocation certificate right away so you can retract the key if it is lost or stolen (GnuPG writes one into openpgp-revocs.d under your GnuPG home at creation time, and gpg --gen-revoke produces another). The OpenPGP standard now lives in RFC 9580, which replaced RFC 4880. A stronger setup keeps the certification-capable primary key offline and uses separate signing and encryption subkeys for daily work, but even a simple setup beats plaintext files.
4. Verify fingerprints, not names. Keyservers and pasted public keys only distribute keys. They do not prove who holds them, and anyone can generate a key carrying your contact's name and address. Before you encrypt anything sensitive, compare the full fingerprint (all 40 hex digits, not a short key ID) over a second channel such as a voice call or an in-person scan. The keys.openpgp.org service checks that the uploader controls the email address, which helps people find keys, but it does not replace verification. Trusting a key because the email address looks right is how you lose.
5. Encrypt, sign, and keep your expectations straight. Encrypt when you need secrecy. Sign when you need the recipient to be able to check that the message came from your private key and was not altered in transit. Most serious users do both. For files, PGP works well for archived documents, wallet backups, and sensitive notes. For email, run it over Tor when you can; that hides your network location from the provider, not the headers. Read the FSF Email Self-Defense guide, then tighten your own rules.
What PGP is good for
Encrypting files before cloud backup.
Signing software releases or public statements.
Exchanging sensitive email when both parties can verify fingerprints.
Creating durable identity keys not tied to one platform.
6. Know the usual failure points. Most mistakes are simple: weak passphrases, no backed-up revocation certificate, trusting the wrong key, or forgetting that the subject line and routing headers stay visible. Another common failure is keeping your private key on a machine full of spyware. If the endpoint is compromised, PGP is compromised with it: malware can read the plaintext, or the passphrase as you type it. For stronger setups, keep separate keys for separate identities, keep the primary key offline, and consider a YubiKey or similar token so the daily signing and decryption subkeys never leave the hardware.
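The six steps above as one runnable GnuPG session, added here as an example; it is not code from the original page or from the GnuPG project. It assumes GnuPG 2.2 or later on PATH as gpg. The identities alice@example.org and bob@example.org, the passphrases and the message text are constructed for the demo, and the helper names (normalize_fpr, fingerprint_matches, gpgq, primary_fpr, pgp_roundtrip_demo) are this example's own. It runs entirely in temporary GNUPGHOME directories and shows the pieces the steps describe: a certification-only primary key with expiring signing and encryption subkeys, the automatically written revocation certificate to back up, a fingerprint comparison that accepts only the full 40-digit value, a local signature that records the check, and a signed, encrypted message decrypted and verified on the other side.

```shell
#!/bin/sh
# Added example for this article, not code from the page or from the GnuPG
# project. Assumes GnuPG 2.2+ on PATH as `gpg`. Every gpg call runs in a
# throwaway GNUPGHOME, so the real keyring is never touched. The identities
# alice@example.org / bob@example.org and the passphrases are constructed.

# Step 4: compare a fingerprint obtained over a second channel with what the
# keyring actually holds. Spaces and case are normalised; only the full
# 40-hex-digit primary-key fingerprint counts, never a short key ID.
normalize_fpr() { printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'; }

# fingerprint_matches EXPECTED COLONS  (COLONS = `gpg --with-colons --fingerprint KEY`)
# The primary key fingerprint is field 10 of the first "fpr" record.
fingerprint_matches() {
  expected=$(normalize_fpr "$1")
  actual=$(printf '%s\n' "$2" | awk -F: '$1 == "fpr" { print $10; exit }')
  [ "${#expected}" -eq 40 ] && [ "$expected" = "$actual" ]
}

# Unattended gpg: loopback pinentry with the passphrase on the command line is
# for demos and CI only; real keys get their passphrase from the pinentry prompt.
gpgq() {  # gpgq HOME PASSPHRASE gpg-args...
  _h=$1; _p=$2; shift 2
  GNUPGHOME=$_h gpg --batch --quiet --pinentry-mode loopback --passphrase "$_p" "$@"
}
primary_fpr() {  # primary_fpr HOME USERID
  GNUPGHOME=$1 gpg --batch --with-colons --list-keys "$2" 2>/dev/null |
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Steps 3 to 5 end to end. Returns 0 when Bob decrypts Alice's message and her
# signature verifies against the fingerprint confirmed out of band.
pgp_roundtrip_demo() {
  A=$(mktemp -d) && B=$(mktemp -d) || return 1
  chmod 700 "$A" "$B"
  for pair in "$A alice" "$B bob"; do
    set -- $pair
    # Certification-only primary key (can be moved offline later) plus
    # separate, expiring signing and encryption subkeys for daily use.
    gpgq "$1" "pw-$2" --quick-generate-key "$2 <$2@example.org>" ed25519 cert never || return 1
    fpr=$(primary_fpr "$1" "$2@example.org")
    gpgq "$1" "pw-$2" --quick-add-key "$fpr" ed25519 sign 1y || return 1
    gpgq "$1" "pw-$2" --quick-add-key "$fpr" cv25519 encr 1y || return 1
    # GnuPG writes a revocation certificate at key creation; this is the file
    # to back up off the machine (gpg --gen-revoke makes one interactively).
    [ -s "$1/openpgp-revocs.d/$fpr.rev" ] || return 1
    GNUPGHOME=$1 gpg --batch --armor --export "$fpr" > "$1/$2.pub" || return 1
  done
  alice_fpr=$(primary_fpr "$A" alice@example.org)
  bob_fpr=$(primary_fpr "$B" bob@example.org)   # the out-of-band value

  # Exchange public keys, then verify before trusting: the fingerprint read
  # from Bob's own machine stands in for the voice call or in-person scan.
  GNUPGHOME=$A gpg --batch --quiet --import "$B/bob.pub" || return 1
  GNUPGHOME=$B gpg --batch --quiet --import "$A/alice.pub" || return 1
  fingerprint_matches "$bob_fpr" \
    "$(GNUPGHOME=$A gpg --batch --with-colons --fingerprint bob@example.org)" || return 1
  # Record the check as a local (non-exportable) certification so gpg treats
  # the key as valid; no --trust-model always needed.
  gpgq "$A" pw-alice --quick-lsign-key "$bob_fpr" || return 1
  gpgq "$B" pw-bob --quick-lsign-key "$alice_fpr" || return 1

  # Encrypt for Bob and sign as Alice; Bob decrypts and checks the signature
  # through the machine-readable status lines rather than the human text.
  printf 'meeting moved to 10:00\n' > "$A/msg.txt"
  gpgq "$A" pw-alice --armor --local-user alice@example.org --recipient bob@example.org \
    --sign --encrypt --output "$A/msg.asc" "$A/msg.txt" || return 1
  status=$(gpgq "$B" pw-bob --status-fd 1 --output "$B/msg.txt" --decrypt "$A/msg.asc") || return 1
  # VALIDSIG ends with the primary-key fingerprint of the signer.
  printf '%s\n' "$status" | grep -q "^\[GNUPG:\] VALIDSIG .* $alice_fpr\$" || return 1
  cmp -s "$A/msg.txt" "$B/msg.txt" || return 1

  GNUPGHOME=$A gpgconf --kill all 2>/dev/null; GNUPGHOME=$B gpgconf --kill all 2>/dev/null
  rm -rf "$A" "$B"
}

# Usage: run the round trip when gpg is available.
if command -v gpg >/dev/null 2>&1; then
  pgp_roundtrip_demo && echo "round trip OK: fingerprint verified, decrypted, signature valid"
fi
```

Run it with sh; it prints a single OK line. fingerprint_matches also works on its own: feed it the output of gpg --with-colons --fingerprint KEY and the fingerprint your contact read to you. It rejects short key IDs and subkey fingerprints, the two values people most often compare by mistake.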

Frequently Asked Questions

Is PGP still useful in 2026?

Yes. PGP still works for email, file encryption, software signing, and long-lived identity keys, provided both sides verify fingerprints and protect their private keys. It does not hide metadata and it is clumsier than Signal, but it remains one of the few encryption options that needs no central server.

Does PGP hide who I talk to?

No. OpenPGP protects message content and signatures only. Email headers (including the subject line), timing, recipient addresses, and server logs still expose metadata unless you add separate transport protection such as Tor and keep identities compartmentalized.

What is the most important safety check?

Verify the full key fingerprint (all 40 hex digits) through a second channel before trusting a public key. Skip that step and you can encrypt to an attacker's key without realizing it.