Pretty Good Privacy (PGP)… sounds like a children’s detective agency novel doesn’t it?
Instead, PGP is a tried and true encryption system that has been in widespread use since 1991 (long before flashy tech names were the standard). PGP encryption provides layers of protection that email senders (aka everyone nowadays) can use to mask sensitive information while it travels through the internet.
Everything that can be sent in an email (pictures, body, attachments, etc.) can be protected by PGP. It even goes beyond sending correspondence securely. Other uses include a) verifying the identity of the sender and receiver of an email and b) encrypting files stored on your device or in the cloud.
In this article we’ll cover basic PGP FAQs by answering everything you’ve ever wanted to know about:
- PGP’s History
- Why you need PGP
- What PGP encryption is
- How PGP encryption works
- How end-to-end encryption works
- Security risks prevented by PGP
- How PGP prevents hacking
- Canary’s unique PGP and SecureSend functions
- How to recover a forgotten passphrase
Brief History of Pretty Good Privacy (PGP)
For decades, PGP has been the de facto email security tool for anyone and everyone.
Over the years, that “everyone” has extended from “in the know” tech wizards to the general public. With tools like our Canary SecureSend toggle function, email security has become widely accessible.
Its common usage, however, has obscured Pretty Good Privacy’s gripping inception and backstory. Here’s a brief timeline for you historian types:
- US government attempts (unsuccessfully) to pass Senate Bill 266 that would allow the government to “obtain the plain text contents of voice, data, and other communications… from providers of electronic communications services”
- Anti-nuclear activist Phil Zimmermann releases PGP (the first form of public-key cryptography) for free via FTP
- PGP is categorized as “high-strength cryptography,” which was (at the time) deemed a form of munition and required a license to be exported
- PGP encryption is popularized outside of the US
- United States Customs Service (USCS) investigates Zimmermann
- Zimmermann publishes PGP’s source code through MIT Press
- Zimmermann avoids legal charges due to the US’s First Amendment protection
- PGP Inc is founded by Zimmermann
- PGP becomes licensed-software
The history continues on, but those are the major beats of how PGP became widely used and trusted. In short, its notoriety is built on its free availability and its use of two encryption types: symmetric and public-key.
Lately, however, the best PGP services (like Canary) come with a negligible price tag, one that covers the service’s improved accessibility and additional email functions. That mitigates the need for an unwieldy number of add-ons, extensions, and apps.
Why do I need PGP encryption?
To operate in the digital age, we must have an email ID. An email address is required to sign up for any social media account and any other internet service. Email is also used extensively for internet banking, shopping, and financial activities. Most email providers give some degree of protection against spying or manipulation of their users’ emails, but do not provide the highest level of privacy and security. Every individual deserves email security that ensures no one else can access their messages. This is why we encrypt your emails from beginning to end (with SecureSend or PGP).
Canary encrypts your email with PGP encryption. This article discusses the technology that enables us to keep our security promise.
What is Pretty Good Privacy (PGP) encryption?
PGP is an abbreviation for Pretty Good Privacy. It is the world’s most extensively used email encryption technology. In short, it has two basic functions: encryption and authentication.
It has been extensively tested over years of use, has few known flaws, and is widely compatible with various encryption clients. PGP is the core of CanaryMail security architecture for these reasons.
PGP is a cryptographic way of communicating secretly over the internet. When you send a message safely using encryption software, your device converts the message into unreadable ciphertext before sending it over the web. The receiver is the only one who can turn the text back into a readable message on their device.
PGP software additionally confirms the sender’s identity and that the communication was not altered while in transit.
How does PGP work?
To safeguard emails, PGP uses both symmetric and asymmetric encryption.
PGP begins by generating a random session key for symmetric encryption. This key is exclusive to the message and is used to encrypt the email’s contents. The session key is then encrypted with the recipient’s public key and transmitted along with the encrypted email to the recipient. The recipient uses their private key to decrypt the session key, which in turn is used to decrypt the encrypted email.
It works unobtrusively when employed properly while delivering the utmost safety, anonymity, and authorization for your emails.
The following examples show how PGP works in Canary Mail:
Alice is registered with Canary and wants to safely send an email to Bob, who may be registered with Canary or be an external recipient. To encrypt an email, Alice will require Bob’s public key, which she can store in Canary’s PGP keys. After the encrypted email is sent, Bob will need his private key, which is only accessible to him, to decrypt the email on his end. Thus, only Alice and Bob will have access to the email information.
What functions does PGP have?
Now that you have a sense for what PGP does, here are some need-to-know phrases that describe the functions PGP completes for you:
- creating a PGP public key pair;
- revoking a PGP public key pair, so that others will no longer use it;
- key server functions, like specifying a default key server and registering key pairs;
- encrypting a message or file;
- decrypting a message or file;
- digitally signing a message or file;
- authenticating a digital signature;
- signing a public key; and
- key management.
How does end-to-end encrypted email work?
PGP is the benchmark for communication security. Its goal is to prevent data from being read or covertly manipulated by eavesdroppers other than the sender and recipient(s). The sender encrypts the messages, and any third party that handles them has no way of decrypting them and can only store them in protected form. The receivers obtain and decrypt the encrypted data on their own.
The encryption in Canary is based on PGP key pairs. Every key pair has two keys: a public key and a secret key. To encrypt an email, the sender requires the recipient’s public key. The recipient uses their secret key to decrypt the message the sender sent them. Similarly, to receive encrypted emails, you have to share your public key. This public key, which you share, will be used by others to send you encrypted emails. Those encrypted emails in turn can only be decrypted by your secret key. As the name suggests, secret keys should never be shared and stay with their owner, whereas the public key is shared with people who wish to send encrypted emails to you.
For more info on how it works, you can read the CanaryMail guide to end-to-end encryption.
What is the difference between TLS and PGP?
When an email is sent, it is transported from server to server until it reaches the receiver’s inbox. TLS (Transport Layer Security) is used by all major email providers to offer an encrypted path for the email as it travels between servers. This ensures that a user’s communication remains private during transmission.
TLS encryption lets email providers carry emails securely, but there are major security risks if the emails are not end-to-end encrypted. With TLS, emails are decrypted once they reach your email provider’s server rather than when they reach the receiver’s device. This allows such email providers to access all communications stored on their servers.
On the other hand, emails that are secured with PGP are less vulnerable to being attacked. End-to-end encrypted email is unreadable to anyone except the intended receiver, making it far more secure. End-to-end encrypted email is encrypted on the sender’s device and decrypted only when it reaches the receiver’s device.
Can PGP encrypted emails be hacked?
While emails sent using PGP are far more secure than emails sent with TLS, no email can be claimed to be “unhackable.”
If you use the same password for multiple services, it’s likely that your password will be disclosed if one of them suffers a security breach. If you use a strong and unique password for every account and device, you can rest assured that even if one password is compromised, the rest of your online accounts will be safe. End-to-end email encryption is most effective when used along with other internet privacy safeguards, such as using a VPN to hide your browser activities, enabling two-factor authentication wherever feasible, and using strong passwords.
How to encrypt your Emails with PGP and SecureSend?
The easiest way to encrypt your emails with PGP is using SecureSend by Canary Mail. Canary Mail offers provider-independent support for encryption on iOS, macOS, Android and Windows.
Canary supports standard PGP that is compatible with all leading tools, apps, and services that support PGP, such as GPGTools, ProtonMail, Tutanota, K-9 Mail, Enigmail, Posteo, etc. Canary’s key search is tied into SKS, Keybase, OpenPGP.org & ProtonMail keyservers.
With Canary you can create new PGP keys right on your device, as well as use and manage all your existing encryption keys. Secret keys are stored securely in encrypted form on your device, and are never sent to the server. You can choose to save your key passphrase on the device for a limited time, or enter it as needed. In addition, Canary allows you to secure the app with FaceID or TouchID.
Canary uses the open source Bouncy Castle encryption library, which supports all modern encryption algorithms.
What sets Canary Mail’s PGP apart?
Our wide range of support for all your encryption needs. Our services are as simple or as customizable as you feel comfortable with. Besides that, our apps have other tools built in for inbox management and overall productivity.
Is PGP encryption HIPAA compliant?
Yes. TLS encryption doesn’t quite make your email HIPAA compliant on its own. TLS can fail, leaving your personal information vulnerable to eavesdroppers. As a result, Pretty Good Privacy data encryption is the most prevalent method of encrypting HIPAA-compliant messages.
How secure is PGP encryption?
PGP encryption has the advantage of being virtually indestructible. Because of this, media and activists still use it, and it is frequently thought to be the ideal method for enhancing cybersecurity. In summary, breaking this encryption is impractical for anyone, even cyber criminals and the NSA.
How do I choose a passphrase?
A secure passphrase is the next generation of password: it consists of several words that may form a sentence, or another sequence of words in a particular context, that is simple for the user to remember.
Passphrases tend to be longer than passwords, which makes them more secure. The most important thing here is length, not complexity.
Avoid using a passphrase that is simple for someone else to guess, e.g., your favorite quotation. Additionally, refrain from using common phrases seen in children’s literature and hit song lyrics.
What if I forget my passphrase?
Unfortunately, PGP does not have a “recover my password” option. If you can’t figure it out, your only remaining option is to generate new keys. You can follow the steps below:
- Identify where the public key is available.
- Create a revocation certificate for the keys.
- Generate a new key pair
- Generate a revocation certificate
- Export the private key
- Save both the private key and the revocation certificate
- Upload your new public key to a public keyserver
If my secret key ring is stolen, can my messages be read?
No, not unless your secret passphrase has also been compromised or an exhaustive search attack can be used to crack your passphrase. Without the other, neither is valuable. Nevertheless, you must deactivate that key and create a new key pair with a new passphrase. You might want to add a new user ID with the information of your new key ID before deactivating your old key so that others are aware of your change of address.
How do I remember my passphrase?
This may be a real issue, especially if you need to use a couple of dozen passwords on a daily basis. The entire point of passphrases would be compromised if you had to write them down somewhere so you could remember them. Unfortunately, there is no viable way to avoid this. Either you can recall it, or you can write it down and run the danger of having it compromised.
Encrypt Your Emails with Canary Mail Today
The whole Canary Mail team is dedicated to building the best email encryption services of 2022 and beyond. SecureSend’s user-friendly interface will give you complete control of your data and documents in just a few clicks. Canary Mail is available as a native app on iOS, macOS, Android, and Windows.
So, let us take care of all your encryption programming needs so that you can focus on doing what you love.