PGP, which stands for Pretty Good Privacy, is a software package that is used to encrypt data (most often files and/or emails). The purpose of this article is to help you understand at a high level where PGP fits into the general security landscape so you can make good decisions about how and where to use PGP as part of your infrastructure.
PGP was created by Philip Zimmermann in 1991 and was given away freely for both commercial and non-commercial use. Since then, use of PGP and compatible software based on the OpenPGP standard has grown steadily. Many experts name it as the most widely used encryption system in use around the world today.
What Security Features Does PGP Provide?
When evaluating the security of a particular method of encrypting data, most users are concerned with meeting three conditions:
- Confidentiality – Ensuring that nobody but the intended recipient can see the data being sent.
- Integrity – Ensuring that the data cannot be modified by an unauthorized party before reaching the intended recipient.
- Authenticity – Ensuring that both the sender and recipient are who they say they are.
PGP, when used as intended, meets all three of these conditions.
PGP vs. OpenPGP
Strictly speaking, PGP refers to a specific product. At first, this was the freely available PGP program released by Philip Zimmermann. A few years after its initial release, PGP became a commercial product. Ownership of this product changed hands numerous times over the years; it is now sold and supported by PGP Corporation.
OpenPGP is not actually a product, but rather a standard. This standard grew out of concerns about patent issues surrounding certain encryption algorithms used by PGP (RSA, specifically), as well as a desire by Zimmermann to see PGP more widely used. Products that adhere to the OpenPGP standard (including PGP and other compatible products) are able to interoperate seamlessly in most cases.
In practice, many people use the terms PGP and OpenPGP interchangeably.
How Does It Work?
PGP uses a combination of encryption technologies to achieve the security features described above. These include:
- Hashing
- Compression
- Symmetric-key cryptography
- Public-key cryptography
In practice, you do not need to understand how these technologies work in order to effectively and safely use PGP. You just need to understand the basics of how to work with encryption keys.
The OpenPGP-compatible software you choose should offer a utility that enables you to create and manage keys. When you create a key, you are actually creating a key pair consisting of a private key and a public key. You keep the private key on your PC. The private key is itself encrypted and protected with a pass phrase, making it difficult for somebody to make use of your private key even if your system is compromised. You use the key management utility to export the public key to a file, which you may then distribute to those who would like to encrypt information that is for your eyes only. Likewise, others create key pairs and distribute their public keys to you, which you may import and use for encrypting data intended for them.
The easiest way to think about it is this:
You use somebody’s public key to encrypt data in such a way that only the holder of the matching private key can decrypt it. This means that even the person doing the encrypting will not be able to decrypt the data.
In addition to encryption, you can also “sign” the data with your private key. The recipient can verify the signature with your public key, which you would have previously exported and given to them.
Together, this combination of encrypting and signing ensures that you meet the three security conditions described previously of confidentiality, integrity, and authenticity.
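As an added illustration (not code from the original article, and not a real OpenPGP implementation), the following Go program, using only the standard library, walks through the flow just described: the sender signs with their private key, the data is encrypted under a one-time symmetric session key, and that session key is wrapped with the recipient's public key so only the matching private key can unwrap it. The Envelope type, the Seal and Open functions, and the choice of RSA-OAEP, RSA-PSS and AES-GCM are assumptions made here rather than the OpenPGP packet format, and the compression step OpenPGP also applies is left out for brevity.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)
// Envelope is a simplified PGP-style message (illustration only, not the OpenPGP packet format).
type Envelope struct{ WrappedKey, Nonce, Ciphertext, Signature []byte }
func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] }
// Seal mirrors the PGP flow: hash and sign with the sender's private key, encrypt under a
// one-time symmetric session key, then wrap that key with the recipient's public key.
func Seal(plain []byte, sender *rsa.PrivateKey, recipient *rsa.PublicKey) (*Envelope, error) {
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest(plain), nil)
	if err != nil {
		return nil, err
	}
	key, nonce := make([]byte, 32), make([]byte, 12)
	rand.Read(key) // crypto/rand.Read is documented never to fail
	rand.Read(nonce)
	block, _ := aes.NewCipher(key) // a 32-byte key is always accepted
	gcm, _ := cipher.NewGCM(block)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, plain, nil), sig}, nil
}

// Open reverses Seal; a wrong key, a malformed or altered envelope, or a bad signature returns an error.
func Open(e *Envelope, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, recipient, e.WrappedKey, nil)
	if err != nil || len(key) != 32 || len(e.Nonce) != 12 {
		return nil, errors.New("malformed envelope or wrong recipient key")
	}
	block, _ := aes.NewCipher(key)
	gcm, _ := cipher.NewGCM(block)
	plain, err := gcm.Open(nil, e.Nonce, e.Ciphertext, nil) // fails on any tampering
	if err != nil {
		return nil, err
	}
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest(plain), e.Signature, nil); err != nil {
		return nil, err
	}
	return plain, nil
}
```

Note that the sender, holding only the recipient's public key, cannot Open the envelope they produced, which is the property the paragraph above describes.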
Is It Secure?
In a word, yes. There are no publicly known methods to break the encryption offered by PGP and OpenPGP compatible solutions. Furthermore, numerous reports in the media from the past several years highlight the inability of both the US government (including the FBI) and the British government to access data secured with PGP.
Of course, it is important to make sure you keep up to date with the latest versions of whatever OpenPGP compatible solution you choose as there may be vulnerabilities in the software itself that could lead to compromising your data.
Data At Rest vs. Data In Motion
Data that is sent over secure channels, such as SFTP (using SSH), FTPS (using SSL), or HTTPS (using SSL), is encrypted while it is in motion. However, this does not protect the data while it is at rest (sitting on your local machine or on the remote system from which you are pulling the data). PGP encryption protects the data both while it is in motion and while it is at rest.
Having said that, it is important to understand that your data may still be at risk on your local drive on any system where the data has been stored in an unencrypted state at one point or another. Operating systems store information in all sorts of temporary files, logs, etc. Also, even if you delete the unencrypted version of the file after creating the encrypted version, the unencrypted data can often still be recovered from the hard drive.
This is generally not an issue for cases where the primary concern is being able to send the data across a network and assure that the data is safe in transit and at rest on the remote system. In such cases, the data only leaves your system after it is in an encrypted state.
In summary, PGP encryption’s combination of relative ease of use, widespread adoption, and proven security track record makes it an excellent choice for many applications where transmitting data securely is a requirement.