GPG/PGP Based Encryption & Authentication for Emails

One of the other things you will have likely noticed me touching on is companies who are willing to share their PGP Key for customers so they can use email + PGP for communication to support. First, let’s tackle the difference between PGP and GPG. PGP is short for Pretty Good Privacy and was developed by Phil Zimmerman in 1991. GPG is short for Gnu Privacy Guard, which is an adapted version of this released in 1999. And OpenPGP is the standard that both pieces of software are compliant with. So when people talk about GPG keys, they are technically still PGP keys but ones that are derived from a GPG program like GPG Keychain for OSX. On my website, I have listed my key as G/PGP because it is a PGP Key using the GPG software.

RSA is the basics of generating a private key and a public key unique to a user. These keys could be compared to 2 pieces of a puzzle that are each the size of a football field, containing hundred of thousands of little notches along each side. The public and private keys that are generated are the only 2 puzzle pieces that will fit with each other.

Related Categories on PrivacyTools.io:

• https://www.privacytools.io/#email
• https://www.privacytools.io/#email-client
• https://www.privacytools.io/#encryption

Typically PGP keys are used for both communicating securely in an encrypted form, and signing messages that can be validated for authenticity. Once generated, one distributes their public key and sends it to key-servers on the Internet that store it for retrieval by others. However your private key, which is protected by a long passphrase, is kept private and should never be distributed publicly. Once your public key has been distributed, people can use it to encrypt messages to you that can only be decrypted by your private key. You could also sign a message that would protect it from being altered. Users could then take the message and use your public key to validate the authenticity of the message. If even so much as a space was removed, the message would not verify correctly and the recipients or audience of the message would know it has been altered. This is especially useful in security related messages from a company/website like signing notifications and updates to verify that the website owner is the one posting said messages and not a hacker or Government body.

Recently, I purchased ProtonMail Plus, which meant linking up my domain name with ProtonMail so it was routed through their servers. This however meant that the email I added to my primary PGP key was not the email I was giving out to the public. Same inbox, different email. Check out my method for switching over to a new key with my new email while still maximizing the trust vector for those who communicated frequently with me or simply had my old PGP key saved. I’m not saying this is something everyone would need to do. However, I wanted to make sure the transition to a new key couldn’t in any way, shape, or form be misinterpreted as malicious or my security being compromised.

If you are an individual within this category, I would say it is prudent that the generation of this key is done on a system that has networking disabled with your GPG program of choice firewalled to block all connections to and from keyservers. The last thing you need is a backdoored program maliciously uploading your private key somewhere without your knowledge. Yes, your private key should have a very strong password protecting it from attacks like this, but it also shouldn’t be “that easy” to steal. Your GPG program doesn’t need to do key retrieval or anything like that as importing them is simple with copy/paste so no point in letting it access the Internet at all.