PGP Email Encryption
Overview of PGP email encryption covering Web of Trust model, key management challenges, Efail vulnerabilities, and comparison with S/MIME for enterprise use.
# PGP Email Encryption
Pretty Good Privacy (PGP) is a cryptographic system designed to protect email communications and files through a combination of symmetric encryption, public-key encryption, and digital signatures. It exists because email was designed without any native security mechanisms: messages travel across the internet in plaintext, readable by any intermediate server or attacker with network access. PGP solves this by allowing two parties to exchange encrypted messages without requiring a shared secret established in advance, and without trusting any central authority to vouch for identity. First developed by Phil Zimmermann in 1991 and later standardized as OpenPGP under RFC 4880, PGP remains the foundational technology behind encrypted email workflows in journalism, activism, government, and enterprise security operations where centralized certificate infrastructure is impractical or politically unacceptable.
---
PGP is a hybrid cryptographic protocol that combines asymmetric public-key cryptography for key exchange with symmetric encryption for bulk message content. It provides two core security properties: confidentiality (only the intended recipient can read the message) and authenticity (the recipient can verify the message came from the claimed sender and was not altered in transit).
PGP is not a mail protocol. It does not replace SMTP, IMAP, or any other transport mechanism. It operates as a layer applied to message content before transmission, meaning the underlying transport remains unchanged. PGP is also distinct from S/MIME, the competing email encryption standard used widely in enterprise environments. S/MIME relies on a centralized Public Key Infrastructure (PKI) where certificate authorities (CAs) issue and validate certificates. PGP replaces this with the Web of Trust, a decentralized model where users themselves vouch for each other's public keys through digital signatures.
OpenPGP (RFC 4880, updated by RFC 4880bis and the emerging RFC 9580) defines the message format and packet structure used by all compliant implementations. GnuPG (GPG) is the dominant open-source implementation, used directly via command line or integrated into mail clients through plugins such as Enigmail (for Thunderbird, now largely superseded by Thunderbird's native OpenPGP support) and GPG Suite on macOS.
PGP is not a complete security solution. It does not encrypt email metadata (sender, recipient, subject line, timestamps), does not protect against endpoint compromise, and does not verify that a key truly belongs to the person claimed unless out-of-band verification is performed. These boundaries matter operationally.
---
A PGP user begins by generating a key pair: a public key and a private key. Modern implementations typically default to RSA-4096 or elliptic curve Curve25519. The public key is distributed freely. The private key is stored locally, protected by a passphrase, and must never leave the user's control.
Each key pair carries metadata: the user's name, email address, and a creation timestamp. The key is identified by its fingerprint, a 40-character hexadecimal string derived from hashing the public key. For example, a fingerprint might look like: A1B2 C3D4 E5F6 7890 ABCD 1234 EF56 7890 ABCD 1234. This fingerprint is used for out-of-band verification: two parties can confirm over a phone call, in person, or via a separate channel that they each have the correct key, not a substituted one.
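The fingerprint check described above, as an added example that is not part of the original article. It assumes a version 4 OpenPGP key, whose fingerprint RFC 4880 defines as a SHA-1 hash over the public-key packet; the key material and helper names are constructed for illustration.

```python
import hashlib
import hmac
import struct

def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit count, then big-endian bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def v4_public_key_body(created: int, n: int, e: int) -> bytes:
    """Body of a version 4 RSA public-key packet: version, creation time, algorithm 1, n, e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)

def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the 2-byte body length, and the packet body (RFC 4880 section 12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def grouped(fp: str) -> str:
    """Format as ten groups of four hex digits, the way fingerprints are usually published."""
    return " ".join(fp[i:i + 4] for i in range(0, len(fp), 4))

def normalize(text: str) -> str:
    """Drop spacing and case; reject anything that is not a full 40-hex-digit fingerprint."""
    fp = "".join(text.split()).upper()
    if len(fp) != 40 or any(c not in "0123456789ABCDEF" for c in fp):
        raise ValueError("expected a full 40-hex-digit fingerprint")
    return fp

def fingerprints_match(from_key: str, out_of_band: str) -> bool:
    """Compare the fingerprint computed from the key with the one confirmed out of band."""
    return hmac.compare_digest(normalize(from_key), normalize(out_of_band))

# Constructed sample values (tiny numbers, not a real key).
CREATED = 1700000000
GENUINE = v4_public_key_body(CREATED, n=0xC5A3B1D7E9F10B2D, e=65537)
SUBSTITUTED = v4_public_key_body(CREATED, n=0xC5A3B1D7E9F10B2F, e=65537)

if __name__ == "__main__":
    read_aloud = grouped(v4_fingerprint(GENUINE)).lower()   # what the key owner confirms by phone
    print(read_aloud)
    print(fingerprints_match(v4_fingerprint(GENUINE), read_aloud))      # downloaded key is genuine
    print(fingerprints_match(v4_fingerprint(SUBSTITUTED), read_aloud))  # downloaded key was swapped
```

Because `normalize` insists on all 40 digits, a truncated value such as a short key ID is rejected rather than treated as a match.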
Key distribution typically occurs through public keyservers like keys.openpgp.org, the historical SKS pool (now largely defunct), or direct exchange via websites, business cards, or file transfer. The keyserver acts as a public directory but does not verify identity. Anyone can upload any key claiming any email address, making verification essential.
When Alice wants to send an encrypted message to Bob, the process works as follows:
This hybrid approach is necessary because asymmetric encryption is computationally expensive for large payloads. Encrypting only the session key keeps performance practical while maintaining the security benefits of public-key cryptography.
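The hybrid layout is visible in the message format itself. The following added example (not from the original article) walks the packets of an encrypted OpenPGP message as RFC 4880 lays them out: a public-key encrypted session key packet (tag 1) followed by the symmetrically encrypted data packet (tag 18). The sample bytes and key ID are constructed filler, not real ciphertext.

```python
import struct

def read_packets(data: bytes):
    """Yield (tag, body) per OpenPGP packet; definite lengths only (RFC 4880 section 4.2)."""
    pos = 0
    while pos < len(data):
        first = data[pos]
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if first & 0x40:                       # new-format header
            tag, b = first & 0x3F, data[pos + 1]
            if b < 192:
                length, hdr = b, 2
            elif b < 224:
                length, hdr = ((b - 192) << 8) + data[pos + 2] + 192, 3
            elif b == 255:
                length, hdr = struct.unpack(">I", data[pos + 2:pos + 6])[0], 6
            else:
                raise ValueError("partial body lengths are not handled here")
        else:                                  # old-format header
            tag, ltype = (first >> 2) & 0x0F, first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate lengths are not handled here")
            size = (1, 2, 4)[ltype]
            length, hdr = int.from_bytes(data[pos + 1:pos + 1 + size], "big"), 1 + size
        body = data[pos + hdr:pos + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body
        pos += hdr + length

def describe(message: bytes):
    """Summarise the hybrid layout: wrapped session keys first, bulk ciphertext after."""
    summary = []
    for tag, body in read_packets(message):
        if tag == 1 and body[:1] == b"\x03":   # PKESK v3: version, key ID, algorithm, wrapped key
            summary.append(("session key for", body[1:9].hex().upper(), len(body) - 10))
        elif tag == 18:                        # SEIPD: version octet, then symmetric ciphertext
            summary.append(("bulk ciphertext", None, len(body) - 1))
        else:
            summary.append(("other packet", tag, len(body)))
    return summary

# Constructed sample (filler bytes, not real ciphertext): one PKESK packet, one SEIPD packet.
KEY_ID = bytes.fromhex("EF567890ABCD1234")     # constructed 8-byte recipient key ID
PKESK = b"\xc1\x4c" + b"\x03" + KEY_ID + b"\x01" + b"\x02\x00" + b"\xaa" * 64
SEIPD = b"\xd2\xc0\x6d" + b"\x01" + bytes(300)
SAMPLE = PKESK + SEIPD

if __name__ == "__main__":
    for row in describe(SAMPLE):
        print(row)
```

The wrapped session key stays the same small size however large the message grows, and the recipient key ID in the first packet is readable without any key.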
When Alice wants to sign a message so Bob can verify it came from her:
Signing and encrypting can be combined: Alice signs first, then encrypts the signed message. This prevents an attacker who manages to decrypt the outer layer from stripping the signature and substituting their own.
Rather than relying on CAs, PGP uses a peer-based trust model. If Alice trusts Carol and Carol has signed Bob's public key, Alice can extend a degree of trust to Bob's key transitively. Users accumulate signatures from others who know them, forming a distributed network of mutual vouching.
In practice, the Web of Trust works well within small, technically sophisticated communities. The global keyserver network historically exposed significant metadata about social and professional relationships, because the graph of who signed whose key is public. The modern keys.openpgp.org keyserver mitigates this by not publishing third-party signatures without explicit consent.
A journalist publishes their PGP public key fingerprint on their publication's staff page and social media profiles. A source downloads the key, verifies the fingerprint matches what appears on multiple official channels, and composes an encrypted message using the journalist's public key. The encrypted file is sent via email or uploaded to a secure drop system. The journalist's mail client (Thunderbird with native OpenPGP support) automatically decrypts the message using the journalist's private key stored locally. Even if the journalist's email provider is subpoenaed, the provider holds only ciphertext. The content is inaccessible without the journalist's private key and passphrase.
If a private key is compromised or a user wants to retire it, they must publish a revocation certificate to the keyserver network. This requires having generated the revocation certificate in advance, when the key was created. Keys without published revocations remain usable and trusted by recipients who have not been notified through other channels. This is one of the most operationally fragile aspects of PGP in practice.
Key expiration dates provide another lifecycle control. Keys can be configured to expire automatically after a specified period, forcing regular key rotation. However, expiration dates can be extended by the key holder, so they function more as a maintenance reminder than a hard security control.
---
Without PGP or an equivalent encryption layer, every email sent through standard infrastructure is readable in plaintext by email providers, network intermediaries, and any attacker with access to mail servers or network traffic. This exposure is not theoretical: it is routine in targeted attacks against journalists, executives, lawyers, and political dissidents.
Organizations that handle confidential communications (legal correspondence, source protection, M&A negotiations, security research disclosures) face direct risk when email content is unprotected. Regulatory frameworks including GDPR treat email as a data processing activity subject to appropriate security requirements, and plaintext email containing personal data can constitute a reportable breach under data protection laws.
The legal discovery process also creates risks for organizations that handle sensitive communications. Unencrypted email is directly accessible to opposing counsel during litigation. Encrypted email requires additional steps to compel decryption, and in some jurisdictions, the encryption itself may be protected under attorney-client privilege or other legal protections.
In 2015, the Italian surveillance software company Hacking Team suffered a catastrophic breach in which approximately 400 gigabytes of internal data were exfiltrated and published publicly. Post-breach analysis revealed that internal email communications were stored and transmitted without encryption. The exposed emails documented the company's clients, pricing, internal disputes, and the capabilities of their products sold to authoritarian governments. The breach destroyed the company's reputation and exposed clients in multiple countries. Encrypted internal email would not have prevented the breach at the network perimeter, but would have rendered much of the exfiltrated correspondence unreadable, limiting the damage from publication.
More recently, the 2020 SolarWinds supply chain attack demonstrated how email compromise can serve as a pivot point for broader network intrusion. Attackers who gained access to email accounts used that access to understand organizational structure, identify high-value targets, and craft convincing social engineering attacks against other employees. Encrypted email content would have limited the intelligence value of compromised accounts.
The most common misconception about PGP is that it provides comprehensive communication security. It does not. PGP encrypts message content but leaves metadata fully visible: who sent the message, who received it, when, from what server, and often the subject line. An adversary observing email traffic can construct a detailed communication graph even when content is encrypted.
A second misconception is that key length alone determines security. Operational key management matters as much as algorithm choice. A 4096-bit RSA key stored in plaintext on an unencrypted laptop provides no meaningful protection against targeted attacks.
A third misconception is that PGP is obsolete. While Signal and other end-to-end encrypted messaging tools have largely replaced PGP for interpersonal communication, PGP remains the standard for software signing, package verification, and asynchronous encrypted correspondence in contexts where a persistent contact address (email) is operationally required.
---
The Center for Data Autonomy approaches PGP through the lens of the Planetary Defense Model (PDM), specifically within the Data Protection and Sovereignty (DPS) domain. The operative methodology is the Sovereign Data Protocol (SDP), which holds a single operational principle: your data lives where you decide, period.
PGP is one of the few encryption technologies that operationalizes this principle directly for communications. Because key management is local and decentralized, a user who controls their private key controls access to their encrypted correspondence entirely, regardless of what happens to their email provider. If the provider is breached, compelled by legal process, or simply discontinued, the encrypted content remains inaccessible to any party without the private key.
CDA's SDP implementation treats PGP not as an optional best practice but as a minimum baseline for any organization handling sensitive correspondence outside of controlled internal infrastructure. The SDP methodology prescribes specific operational steps: generate keys on air-gapped or hardened devices where threat models warrant it, store private keys in hardware security tokens (YubiKey or similar) rather than on general-purpose computing devices, maintain revocation certificates in offline secure storage, and verify key fingerprints through at least one out-of-band channel before sending sensitive content.
What CDA does differently is treat key management as an organizational process, not an individual responsibility. Most PGP deployment failures occur because key backup, revocation, and rotation are treated as personal tasks that get neglected. CDA's framework assigns key management roles explicitly, defines key rotation schedules, and requires documented verification procedures for all external correspondent keys. This transforms PGP from a fragile individual practice into a maintainable organizational capability.
CDA also takes a direct position on the Web of Trust: in most operational contexts, organizations should not rely on the Web of Trust for key validation. Instead, CDA recommends direct key exchange over verified channels, combined with fingerprint confirmation, as the only operationally reliable authentication method. This eliminates the ambiguity and social complexity of trust transitivity while preserving PGP's core advantage of decentralized key control.
---
Written by CDA Editorial