OpenPGP Guide

Notice: This guide is a work in progress. Parts of the explanation may be oversimplified or incorrect. This guide should be revised, and additional information will be added in a future update. Please consult Google or Wikipedia for accurate information.

Okay so I wrote this to explain the basis of how PGP / GPG works in practice. The first two paragraphs are optional reading and explain the differences between different versions.

As a side note, PGP, OpenPGP, and GPG are essentially the same thing. They are not exactly the same, but they are interchangeable and cross-compatible with each other. Regular PGP is the original product, which is closed source and owned by a private company. OpenPGP is an open source standard that replaces original PGP with an open source version which is newer and has additional features that classic PGP did not. Finally, GPG is the most modern open source version, with essentially the most additional features and security improvements.

Essentially, GPG is the better option because it has the most features and is the easiest to use, since it is designed to be used with a graphical interface out of the box rather than the command line. However, it is still compatible with OpenPGP, so you can still use it to encrypt and decrypt messages to and from OpenPGP users. From this point on I’m going to refer to the encryption as GPG, because that’s the solution I use as well as the option I recommend for new users, as it is designed to be the easiest.

So now to the essential explanation. GPG was designed mainly for encrypting email messages, because email was insecure from the start. Emails are insecure because, even with modern security standards, the messages you send and receive are stored in regular plaintext by the email provider at some point. They also need to be unencrypted to be sent between different email providers.

So the encryption starts out with everyone using the program to create something called a keypair. The keypair contains a private key and a public key. The private key is secret, as the name implies: it stays on your computer and should never be shared with anyone. The public key, on the other hand, can be shared with anyone and posted on the public internet.

The next step is to share your public key with anyone you like. This can be done by literally copying and pasting your public key to other people in a message, or by posting the public key to a directory key server like Keybase.

Posting your key to a service is completely optional, but it allows anyone to access your public key so that anyone can send you an encrypted message. Keybase also allows people to ensure someone’s public key really belongs to the person by verifying things like an email address or Twitter account. It essentially just allows you to send someone an encrypted message by searching for them.

So, for example, two or more people could exchange public keys, and now they can send encrypted messages to each other because they can address the message to the other person’s public key.

When you address a message to one or more people’s public keys and encrypt the message, that message can only be decrypted by the private key of the person or people you’ve addressed it to. It is also impossible to see who or what public key the message is addressed to because the entire message will be encrypted.

Anyone the message wasn’t addressed to who finds the encrypted message or receives it by mistake would never be able to see what the message is, who it was sent by, or who it is being sent to, because it was completely encrypted by a private key that only the sender has. This is the exact basis of how GPG or PGP encryption works in a nutshell. Because the entire message is encrypted, it is safe to post on public sites like Pastebin.
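As an added illustration (not part of the original guide, and not GPG's own code), this simplified Python model shows how one message is addressed to several public keys: the text is encrypted once with a random session key, and a copy of that key is wrapped for each recipient's public key. The textbook RSA, the SHA-256 keystream, the function names and the Mersenne-prime keys are teaching assumptions and are not secure.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by every toy key

def make_keypair(p, q):
    """Textbook RSA keypair from two primes (teaching sizes, no padding)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent
    key_id = hashlib.sha256(str(n).encode()).hexdigest()[:16]
    return {"id": key_id, "n": n}, {"id": key_id, "n": n, "d": d}

def keystream_xor(key, data):
    """Toy symmetric cipher: XOR data with SHA-256(key || offset) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def encrypt(plaintext, recipients):
    """Encrypt once with a random session key, then wrap that key per recipient."""
    session_key = secrets.token_bytes(16)
    k = int.from_bytes(session_key, "big")
    # Key IDs label each wrapped copy so a recipient can find theirs;
    # gpg writes them too unless told to hide them (--throw-keyids).
    wrapped = {pub["id"]: pow(k, E, pub["n"]) for pub in recipients}
    return {"wrapped": wrapped, "body": keystream_xor(session_key, plaintext)}

def decrypt(message, private):
    """Unwrap the session key with a private key, then decrypt the body."""
    copy = message["wrapped"].get(private["id"])
    if copy is None:
        raise PermissionError("message is not addressed to this key")
    k = pow(copy, private["d"], private["n"])
    return keystream_xor(k.to_bytes(16, "big"), message["body"])

# Constructed keys: products of well-known Mersenne primes, trivially factorable.
M61, M89, M107, M127 = 2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1
alice_pub, alice_priv = make_keypair(M61, M89)
bob_pub, bob_priv = make_keypair(M89, M107)
carol_pub, carol_priv = make_keypair(M107, M127)

def demo():
    # Alice addresses the message to Bob and to her own key, as in the guide.
    msg = encrypt("meet at noon".encode(), [alice_pub, bob_pub])
    return msg, decrypt(msg, bob_priv), decrypt(msg, alice_priv)
```

Carol's keypair is never passed to `encrypt`, so `decrypt(msg, carol_priv)` raises `PermissionError`, and applying her private exponent to Bob's wrapped copy does not recover the session key.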

Encrypted email or messaging apps with “end-to-end encryption” like Telegram or Signal essentially use some variant of this design. The difference between using an app and using GPG is that the app does the process for you without you needing to even think about it.

However, with GPG or PGP programs you can see everything in the process as it happens, since you are doing it semi-manually. Also, you aren’t forced to use an app that requires you to make an account or verify your phone number. Even better, any risk is reduced because the private key that you use to keep everything protected is never sent over the internet and is far too complex to guess or brute force (“crack”).

Explaining the process of how this works, even at a basic level, can seem much more complicated than actually using these tools. So here’s an explanation of how it works in practice. Honestly, the only complicated part of this guide is making the keypair, which you only need to do once when you start using the program.

The program I use is GpgFrontend, and it is for Windows as well as the other two systems. There are many options for programs, but honestly this one has the best layout. After you download, install, and start it for the first time, the first thing you will need to do is make a keypair. You’re going to see a button at the top, second from the right, that says Manage Keys. After you click that, a window will open and the first button on the left will say Generate. Click that, then click New Keypair.

In the window that opens you’re going to need to fill in something for the name and email address. If you’re just sharing this with another person and not using it for email or publishing your key online, you could fill this with literally anything and it wouldn’t matter. As in, you could use “Whoever” for name and “[email protected]” for email. It doesn’t need to be valid info for private use. You can check the Non Pass Phrase box if you don’t want to encrypt the key using a password. Adding a password will make it so that even if someone gets a hold of your private key, they wouldn’t be able to use it without the password. This comes at the cost of needing to enter the password every time you use the key. Otherwise you will be prompted to enter a new password after filling in name and email and clicking OK.

After it makes a new keypair and you see it on the list, you can close the key management window. In the main window, on the right side, you should now right-click on your key and select “Append to text editor”. It’s going to put your public key block into the text editor on the left. You can now copy and paste that to send to someone through any messaging program, or save it in a text file to send.

When you want to add someone else’s public key you can copy it from a message or use a .txt or .asc file. Then you can click Import Key at the top and then click either Clipboard if you copied their block from a message or click File if you downloaded it in a file.

Now that you have your keypair set up, you’ve given someone else your public key, and you’ve imported the other person’s public key, you’re actually ready to start encrypting and decrypting messages and files.

When you want to send text to someone you can type or paste text in the empty box on the left side. Once you are ready to encrypt it, on the right side check the boxes for your own keypair as well as checking the public keys of anyone you want to send to.

After you select the corresponding keys, click Encrypt at the top and you will see your text in the tab turn into an encrypted message. Now you can either copy and paste the encrypted block into email, a messenger, or something like Pastebin, or click Save to save it as a .txt file to send out.

When you receive a message, copy the block and paste it into the empty space on the left (or click Open to open it if it’s a text file) and click Decrypt. The message should now be readable in plaintext.

Encrypting files works similarly to encrypting text. Start by clicking File Browser at the top. It will open a new tab with your Documents folder. Navigate to wherever the file you want to encrypt is. Click once on the file in the list to highlight it, then make sure your keypair is checked on the right side, as well as checking the public key of anyone you want to send it to. Finally, click Encrypt and it should make a copy of the file with the format “.gpg”. You can then send this through any file sharing method. Any type of file can be encrypted.

Decrypting files works essentially the same way but in reverse. Start by clicking File Browser at the top. Navigate to whatever folder the file is in and click once on the encrypted file that ends in “.gpg”. Then click Decrypt at the top. Now the file should be decrypted in the folder as a regular file which you can use and open normally.