
It’s time to get good at Pretty Good Privacy

Sending sensitive information securely via email (and, indeed, other online mediums) can often feel like a clandestine mission, akin to working for the CIA. What if a malicious individual intercepts my email and uses it for something sinister? Bank details, company records, or even your nan’s top-secret, famous Christmas pudding recipe that has delighted generations for decades: all of these could end up in the wrong hands. But what if you had software that could mitigate this? Pretty Good Privacy is the answer to your question. Created in 1991 by Phil Zimmermann and turned into an open IETF standard called OpenPGP (the standards work began in 1997, and RFC 2440 followed in 1998), it is a tried-and-tested encryption system for text, files, and emails; the commercial PGP product line later added whole-disk encryption as well.

Think of it as your digital bodyguard.

What is PGP exactly? Let’s get up close and personal.

Arguably the most widely used software package for email and file protection, Pretty Good Privacy (PGP) is a cryptographic program used to safeguard private emails against eavesdroppers: only the intended recipient will be able to open and read their contents. Today the name is used loosely for the OpenPGP standard and for the implementations of it, such as GnuPG, that most of the tools listed further down are built on.

PGP achieves its goals with a pair of mathematically linked keys. The first, the recipient’s “public key,” can be handed out to anyone; it locks the message into ciphertext, an incomprehensible jumble that not even your Silicon Valley geek friend will be able to decipher. Only the second key, the matching “private key,” which the recipient keeps to themselves, can unlock it and turn the ciphertext back into everyday language. The same pair also works the other way round for signatures: the sender’s private key produces a signature that anyone holding the sender’s public key can check.

How does Pretty Good Privacy work?

Now that you have a sense of PGP, let’s take a deeper dive. PGP utilizes a key system, whereby each user has a private key that is known only to them and a public key that they share freely. It combines symmetric-key cryptography (a single shared key that encrypts and decrypts the bulk of the data quickly) with asymmetric, public-key cryptography (which protects that shared key on its way to the recipient). This may seem rather complex, so if your head is spinning don’t despair. Let’s look at how this could play out in real life with the example below for more context.

Suppose you work for a leading health NGO and have just uncovered a damning fraud scheme involving millions of pounds. To your horror, you learn that senior management, assisted by an audit firm, masterminded this scheme, and have kept their activities secret for nearly 10 years. This not only threatens to bring the company’s name into disrepute but could possibly compromise service delivery to target beneficiaries in an impoverished community.

Your moral compass just won’t let you overlook this great injustice. While you want to bring this to the attention of Katherine X, a renowned (and fictitious) investigative journalist in your country, you also want to protect your identity and guarantee that this information reaches the intended recipient—and only them.

Having heard about Pretty Good Privacy from a geeky and slightly paranoid friend, you consult your preferred search engine and get hold of the software (the common implementations are free). Katherine publishes her public key on her newspaper’s website; you import it and, over a phone call, compare its fingerprint with the one she reads out, so you know you are encrypting to her and not to an impostor who published a key in her name. You then compile all your findings and engage Katherine on the matter by sending her an encrypted email, all thanks to the magic and security of Pretty Good Privacy: “Hi Katherine, I’ve just uncovered a possible fraud crime involving XYZ and wish to bring this to your attention. Please let me know if you are available to meet and discuss this matter soon.”

Pretty Good Privacy first compresses the message and then generates a unique, one-time session key. Using symmetric-key cryptography, this key encrypts the compressed plaintext, converting it into ciphertext. The session key itself is then encrypted with Katherine’s public key, so that only her private key can recover it; if you choose to sign the message, a digital signature made with your own private key is attached as well. You can relax (a little) as your communications with the investigative journalist are now far harder to read for anyone who captures them. Katherine X (who will leave no stone unturned in investigating this fraud) then receives the ciphertext, the encrypted session key, and (if you signed) the digital signature. The message could look like this when it reaches the journalist:

y/masPq7TSrGUAeTY7Kcbjt5jKR/k37yVca0ZgRVn3ADSV0x3lznpJKx5siH91Hh3z2OrQObmp2Nco2U0+58
DPX2Seic5o+YaW+J8fsjNInEsqcncbbJ54OWb6wIGUf/PPXHdgH/Haisfv6vxt0gL1gDlt0X5aBftQLz6SgTaTe9
phV9M72hStbFCrMiXry8/EOwiuTuUpYrI6B1Cz1u0vWWZXsCYi2K+kasSusr+2Uj61NC9qjDHMblxCG+RsXC

How will Katherine read your message? She uses her private key to decrypt the session key, and the session key unlocks the ciphertext, restoring your message to its original format, i.e., everyday language. And the best part? The content stays between you and Katherine X (and the cat that was on your lap while you were typing pre-encryption). One caveat a whistle-blower should know about: PGP protects the body of the email, not its envelope. The sender and recipient addresses, the subject line, and the timestamps travel in the clear, and signing the message with your own key ties it to you. If it matters that nobody learns you contacted a journalist, leave the subject line empty, skip the signature, and send from a mailbox that is not linked to you.

How do I install Pretty Good Privacy?

So, you’ve decided to send encrypted messages? Here’s how to get going:

1) Pick your PGP provider. There are several to choose from depending on your operating system. Popular choices include:

  • GPG4Win (Windows)
  • GPG Suite from GPGTools (macOS)
  • GnuPG (Linux; preinstalled on Ubuntu and most other distributions, and the engine behind the two entries above)
  • Thunderbird’s built-in OpenPGP support (Windows, macOS, Linux; it replaced the Enigmail add-on from Thunderbird 78 onwards)
  • OpenKeychain (Android)
  • iPGMail (iOS mobile devices)

Simply find and download a current version (straight from the project’s own website, and check the checksum or signature the project publishes for its download where it offers one) and follow the instructions to install it. So far, it’s just like any other program, but using your PGP then requires more effort.

2) Generate a PGP key, and don’t be scared off by the long list of instructions. It’s do-able, even for first timers. Here is an example from GPGTools for Mac:

  • When you start the software a “Create a new key pair” pop-up window appears.
  • Enter your name, email address, and a passphrase and click “Create Key”. The passphrase protects your private key on disk, so make it long; consider a password manager like Avira Password Manager, which helps generate, store, and manage your passwords more securely.
  • A short message telling you that your key is being generated appears and then a second pop-up window will confirm that your key was created successfully. (You can now upload your public key to a key server by clicking “Upload Public Key” or skip this by selecting “No, Thanks!”; only the public half ever leaves your machine.) Your key and its fingerprint are now visible when you launch the GPG Keychain app. The fingerprint is what you and your contacts compare over another channel before trusting each other’s keys.

3) Create a PGP revocation certificate. If you lose access to your private key (a lost laptop, a forgotten passphrase) or someone else gets their hands on it, the revocation certificate is how you tell everyone to stop using that key; without one, a compromised key stays valid in other people’s keyrings. Create it now, while you still have the key: select the key, right-click on it and choose “Create Revocation Certificate” in the menu. Then store the certificate somewhere separate from the key itself, because anyone holding it can revoke your key.

How secure is Pretty Good Privacy and is it worth it?

Provided it’s used correctly by individuals and organizations’ employees, PGP is regarded as extremely safe, so the name “Pretty Awesome Security” would be more apt. The algorithms it uses have no known practical attack at current key sizes, so an intercepted PGP message is unreadable to whoever captured it; encryption does not stop interception, it makes interception pointless. Where PGP fails in practice is around the edges rather than in the math: a private key copied off an unlocked laptop, a weak passphrase, encrypting to a key you never verified belongs to the person you think, or forgetting that the addresses and subject line are sent in the clear.

All in all, encryption with PGP can be a powerful tool in protecting your data and online privacy—and even your own safety if the information you’re sharing will land you in hot water should it fall into the wrong hands. But, in an age where you can do so much with a single swipe on a mobile phone—from setting up a date to buying a fridge—PGP can be complex and cumbersome to use. It all depends on how much privacy you truly need and how hard you’re willing to work for it. For most of us, there are other more user-friendly, cost-effective, and even free solutions to help safeguard your digital life. Avira offers a host of products and services dedicated to security, online privacy, and device performance. For example, explore the features and benefits of Avira Free Security.


Avira, a company with over 100 million customers and more than 500 employees, is a worldwide leading supplier of self-developed security solutions for professional and private use. With more than 25 years of experience, the company is a pioneer in its field.