🔐 PGP Pretty Good Privacy
Encryption software that scrambles a message or file so only the intended recipient can read it, and digitally signs it so anyone can confirm who sent it and that nothing was changed. First released in 1991 by Phil Zimmermann.
📮 The simple version — a mail slot anyone can use but only one key opens
Picture a mailbox with an open slot on the front. Anyone walking by can drop a locked box through the slot, but only the owner has the key that opens the mailbox to take it out. PGP works the same way. Your public key is the slot, and you hand it out freely. Your private key is the key to the mailbox — you keep it secret. People use your public key to lock a message for you, and only your private key can unlock it.
🧩 Why two kinds of encryption? (hybrid)
Public-key locking is clever but slow on large files, so PGP is a hybrid: it uses both kinds of encryption together to get speed and convenience at once.
| Step | What happens |
|---|---|
| 🗜️ Compress | The message is usually squeezed smaller first, which saves space and helps security |
| 🎲 Make a session key | A random one-time key locks the message fast (this is the quick, symmetric part) |
| 🔒 Lock the session key | That one-time key is itself locked with the recipient's public key |
| 🔑 Unlock both | The recipient's private key opens the session key, which then opens the message |
🎲 A fresh session key is created for every single message, so cracking one tells an attacker nothing about the next.
✍️ Digital signatures — proving who sent it
Encryption hides a message. A digital signature does the opposite job: it proves who wrote it and that nobody changed it. The sender takes a short fingerprint of the message (a hash) and locks that fingerprint with their own private key. Anyone can unlock it with the sender's public key and recompute the fingerprint — if the two match, the message is genuine and untouched.
🤝 The Web of Trust
One hard question remains: how do you know a public key really belongs to the person you think it does? On the web, browsers trust a handful of central authorities. PGP took a different path called the Web of Trust — instead of one central gatekeeper, users vouch for each other's keys by signing them. If people you already trust have signed a key, you can trust it too. It's decentralized confidence, built person to person.
🪙 Where you meet PGP in crypto
Most beginners run into PGP when checking that wallet or node software is the real thing. Projects publish their software along with a PGP signature and their public key. You verify the download against that signature to confirm it wasn't swapped out — even if the website hosting it was hacked. This is the same public-and-private key idea behind public-key cryptography that crypto wallets are built on.
- 📥 Verifying downloads — Electrum, Bitcoin Core, and Ledger Live releases ship with PGP signatures you're advised to check
- 🛠️ The tools — most people use GnuPG (GPG), often with a friendly front-end like Kleopatra
- 🚩 Get the key right — always grab the project's public key from its official channel and check the fingerprint, or the whole check is meaningless
❓ FAQ
- Does a valid PGP signature mean the software is safe to install?
- No. A valid signature only proves the file came from the holder of that key and was not changed on the way to you. It does not prove the software is bug-free or harmless. The check is also worthless if you got the public key from an untrusted source, so always get the key from the project's official channel and check its fingerprint.
- Is PGP only for email?
- No. It started with email, but the same tools now encrypt and sign files, and they sign software releases. In crypto, the most common use is verifying that wallet or node software you downloaded is genuine.
- What is the difference between PGP, OpenPGP, and GPG?
- PGP was the original software from 1991. OpenPGP is the open standard that grew out of it, describing the formats for keys and encrypted messages. GnuPG, or GPG, is the free open-source program that follows that standard and is what most people run today.