Here is a small tutorial for getting started with this protocol named Pretty Good Privacy (PGP), an asymmetric cryptographic tool that allows to have end to end encrypted mails despite using very mainstream services like gmail, outlook, etc. You will find several names around, like GPG, PGP, OpenPGP. I will use them interchangeably as they basically refer to the same thing.

end to end encryption means that you communicate with someone in the following way:

1. you encrypt the message on your local machine (phone or laptop for example)
2. you send it to a server (for example Gmail, discord, a SMS service, etc.) that will send it to the person you want to communicate with.
3. the person you want to communicate to decrypt the message on their local machine

Doing this allows to use a server that you do not trust without risking the information you send to be seen by anyone who administrate this server

The principle is the following: each user generates a pair of key:

1. A private key, that they will keep for themselves and share with NO ONE ELSE. This is used to decrypt files
2. A public key, that they will share to the people they want to communicate to. This is used to encrypt files.

The keys have the following properties:

1. you can generate the public key from the private one very easily
2. you cannot generate the private key knowing the public key
3. you can encrypt a file with one of them and decrypt it with the other, but not with itself

Encryption protocols that use key pairs are called asymmetric cryptographic protocols, as opposed to symmetric cryptographic protocols, which are using the same key to encrypt and decrypt.

Encrypting the content of the message does not mean that you hide everything. In principle, for a mail encrypted with PGP, the following informations are still unencrypted:

1. The “From” and “To” field
2. the subject of the mail (try to use vague subjects or no subject at all)
3. the server knows at least which IP address is contacting them, and which account they host is used

Let us start straigtaway with a common usecase of this tool: you want to send a mail to someone without your mail server to know about its content.

The first thing you want to do is to set up a web client if you have not done it. Whatever your platform is, you can use Mozilla Thunderbird, which is open source, free and includes PGP, with a key manager, by default. Alternatively, if you are using Windows and Microsoft Outlook, you can install a free an open source gpg plugin called GPG4Win. This will add a plugin to Outlook to use PGP, install a key manager called Kleopatra, and install the gpg command line tool. For MacOs, there exists a software called GPGTools that you can download, but it is not free (it costs 24 euros). So I would suggest you then use Thunderbird and (although not usually necessary for all applications) the command line tool that you can install using Homebrew with the command:

 brew install gnupg 

Before, you might need to install Homebrew, if you have not already, entering this command in a terminal:

 /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh) 

Once you have a functional web client, the various way of setting up PGP are now going to be described:

Start by downloading it:

Clik on download, and you can choose how much you would like to donate, including 0$, then install the program with the default options:

This will open the PGP key manager Kleopatra.

Click on “New key pair”

Enter a name and your email, then tick the “passphrase” option

Click on “Settings”

Then on “Configure Kleopatra”

Set the keyserver “hkps://keys.openpgp.org”, then click on “OK”

Right click on your key and click on “Publish on Server” if you want anyone to find your public key, or alternatively export it to a file to give it only to a selected few people.

Click on “Lookup on server” to find keys uploaded on public servers. In the search field enter the full mail address of the person you are looking for

After importing the key, certify it by right click→certify. Verify the fingerprint with the person you are talking to, either physically or with secure channels, for example using Signal.

Open a new mail, and write the mail address of the person you want to write to in the “To” field. Click on the GpgOL option “Secure” and you should see the two options “Sign” and “Encrypt” squared in black, meaning that they are activated. Write your mail (remember to use a vague subject or no subject at all) and then hit “send”. That's it ! You can then check on your webmail to see what the server actually receives, which should be only encrypted data. Attachments are also encrypted, if you used any.

Once you have a set up thunderbird installation with your mail server, open it and do the following:

Right click on your mail address on the left, then click on “Settings”

In the “End to End encryption” section, click on “OpenPGP Key Manager”

Click on Generate→New Key Pair

After the key generation, click on Keyserver→Publish if you want anyone to be able to find your public key. Then you can find enother person public key with Keyserver-Discover Keys Online. Remember to enter the full mail address associated with the key you are looking for in the search field. Alternatively, you can use File→Import Public Key from File and File→Export Public Key to File functions to share your public key to a smaller audience.

Go back to Settings, then select your key as the default key for your mail address

Open a new mail, and write the mail address of the person you want to write to in the “To” field. You should see appearing the mention “OpenPGP end-to-end-encryption is possible”, and you can then click on “Encrypt”. You can also click on the Encrypt button next to send to have the same effect. Write your mail (remember to use a vague subject or no subject at all) and then hit “send”. That's it ! You can then check on your webmail to see what the server actually receives, which should be only encrypted data. Attachments are also encrypted, if you used any.

We need now to activate a master password to encrypt the keys (and also the mails on your computer at rest) by going to Settings→Thunderbird Settings

Then click on “Privacy and Security”→“Use a primary password” and set up a strong passphrase

If you are on Windows and have installed GNU4WIN (see above), then you can simply open the file explorer, right click on a file and see the options “sign and encrypt” and “More GpgEx options” to generate an encrypted file with a public key you previously stored with Kleopatra, or to decrypt it with your private key.

This command line tool is already installed natively in many Linux distribution. Otherwise you can install it with the command, for example on Debian based distributions like Debian, Ubuntu or Linux Mint:

sudo apt-get install gnupg

On Windows, it is installed with the installation of Gnu4Win. On MacOS, it can be installed with homebrew (see above). You can use it to bypass any of the mail system assumption, and therefore transfer things via not only any mail systems, but also other messaging apps, while being certain that it is end to end encrypted.

Here is a cheat sheet for the commands you can enter with it:

gpg full-generate-key

gpg --list-keys

gpg --list-secret-keys

gpg --send-keys [key_id]

[key_id]

gpg --fingerprint [mail]

 [mail]

gpg --search-keys [mail]

[mail]

gpg --receive-keys [key_id]

[key_id]

gpg --search-keys [mail]

gpg --import [key_file]

 [key_file]

gpg --export [mail] > [filename]

[mail]

[filename]

gpg --encrypt --recipient [mail] --sign --armor [filename]

[mail]

 [filename]

filename.asc

gpg [filename]

[filename]

--output [filename]

PGP is not only used to encrypt, but also to make “signatures” and to verify them, to check that:

1. the sender of the message is the person you think they are, or
2. that the file you downloaded has not been tampered with while being sent to you

The signature mechanism works in the opposite way as the encryption:

1. Your private key is used to sign
2. Your public key is used by the person receiving the message to verify the signature

The way it is done is the following:

1. The file is hashed (see the paragraph below).
2. This hashed file is encrypted with your private key
3. The result is added at the end of your file, giving a signed file.

Actually, in most case you will do both: signing (with your private key) then encrypting (with the public key of someone else). The person receiving the message will decrypt it with their private key, and then extract the signature and verify it with your public key.

If you were on Windows and set up your keys with Kleopatra, the command line gpg tool will already know those keys. However, if you used the PGP key manager from thunderbird, it is different. You will therefore have to copy all your keys from the thunderbird key manager to the keys that are known by the gpg command line tool.

This is how to do it. First, go to the key manager, select your own key, that you will use to sign things with, and click on File→Backup Secret Key to File, then find a location on your computer (you will be asked for a passphrase for this, please use a good one)

Then, open a command line, navigate to the directory where your secret key file is located and enter:

gpg --import [filename]

where [filename] is the name of this secret key file. you then need to tell the gpg command tool to use this key as a default signing key. This is done by the command:

echo 'default-key:0:"[fingerprint]' | gpgconf --change-options gpg

where [fingerprint] is the fingerprint of your key. You can find it with the command:

gpg --fingerprint [NAME]

where [NAME] can be a small part of your mail address: gpg is cleaver enough to do a search among your keys and guess which one is the closest.

You are then ready to sign files and keys !

In some case you will download something from a website and there will be a signature associated with it, like in this example from the software veracrypt:

You can download the file, the associated signature and the public key. In the veracrypt example, the public key can be found here. You can import it with:

wget https://www.idrix.fr/VeraCrypt/VeraCrypt_PGP_public_key.asc && gpg --import VeraCrypt_PGP_public_key.asc

In the download page, they tell you to check that the fingerprint is correct:

foo@bar:~ gpg --fingerprint veracrypt@idrix.fr
pub   rsa4096 2018-09-11 [SC]
      5069 A233 D55A 0EEB 174A  5FC3 821A CD02 680D 16DE
uid           [ unknown] VeraCrypt Team (2018 - Supersedes Key ID=0x54DDD393) <veracrypt@idrix.fr>
sub   rsa4096 2018-09-11 [E]
sub   rsa4096 2018-09-11 [A]

and that it should be 5069 A233 D55A 0EEB 174A 5FC3 821A CD02 680D 16DE. Once you checked the fingerprint the public key, you can sign it with your private key to indicate that you trust it:

foo@bar:~ gpg --sign-key veracrypt@idrix.fr
pub  rsa4096/821ACD02680D16DE
     created: 2018-09-11  expires: never       usage: SC
     trust: unknown       validity: unknown
sub  rsa4096/200B5A9D26878A32
     created: 2018-09-11  expires: never       usage: E
sub  rsa4096/0F5AACD65483D029
     created: 2018-09-11  expires: never       usage: A
[ unknown] (1). VeraCrypt Team (2018 - Supersedes Key ID=0x54DDD393) <veracrypt@idrix.fr>


pub  rsa4096/821ACD02680D16DE
     created: 2018-09-11  expires: never       usage: SC
     trust: unknown       validity: unknown
 Primary key fingerprint: 5069 A233 D55A 0EEB 174A  5FC3 821A CD02 680D 16DE

     VeraCrypt Team (2018 - Supersedes Key ID=0x54DDD393) <veracrypt@idrix.fr>

Are you sure that you want to sign this key with your
key "my Name <my@mail.net>" (my_key_id)

Really sign? (y/N) y

you can then check that you have the correct file by entering:

foo@bar:~ gpg --verify "VeraCrypt Setup 1.26.20.exe.sig" "VeraCrypt Setup 1.26.20.exe"
gpg: Signature made Tue 04 Feb 2025 15:53:43 CET
gpg:                using RSA key 5069A233D55A0EEB174A5FC3821ACD02680D16DE
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   3  signed:   1  trust: 0-, 0q, 0n, 0m, 0f, 3u
gpg: depth: 1  valid:   1  signed:   0  trust: 1-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2025-11-29
gpg: Good signature from "VeraCrypt Team (2018 - Supersedes Key ID=0x54DDD393) <veracrypt@idrix.fr>" [full]

This Good signature indication tells you that you have downloaded a file that was certified as genuine by the owner of the private key associated with veracrypt, and that it has not been tampered with.

With the command line, you can sign a document with

 gpg --sign [filename] 

to output a signed document or

 gpg --detach-sign [filename] 

to output only the signature.

GPG is a lot based on the trust that you are talking to the right person. Therefore, to tell to the whole world that you trust some public key, you should sign the public keys of other people.

To sign a key, you need to use the command line gpg, so as said before, if you used Kleopatra to generate your keys, you are good to go, as the gpg tool will already know your keys. However, if you used Thunderbird, you need to copy the keys you want to sign. This is how you do it.

1. First, go to the PGP key manager in Thunderbird
2. Select the public key you want to sign, then right click and click on Export public key to file and select a location on your computer
3. Open a command line, navigate to the folder where your file is and enter gpg --import [FILENAME], where [FILENAME] is the file you exported the public key to
4. repeat the operaton for each key you want to sign

This is how to do it (as recommended here):

1. Alice (you) get the public key of Bob
2. Alice sign it with her private key:

   gpg --sign-key [key_id]

   where

   [key_id]

   is the fingerprint of the Bob public key. In the process you will be asked to check that the fingerprint match with the key of the other person, which you should do in a secure channel, or in person, with the person owning the key. Note: you can at every time look at all signatures on a key with the command: gpg --list-sig [NAME], with [NAME] being for example part of the mail address associated with the key.

3. Alice exports, then encrypts the signed key with Bob public key, with the following command:

   gpg --armor --export [key_id] | gpg --sign --encrypt -r [key_id] > [filename]

   , where

   [key_id]

   is the fingerprint of Bob public key and

   [filename]

   is the output filename. Note: you can alternatively, since you already configured your mails for this, just export the key with

   gpg --armor --export [key_id] > [filename] 

   , and attach it to a mail encrypted with your mail client.

4. Alice emails the key to Bob using the mail address associated with the key
5. Bob receives it, then decrypt it with his private key and import it:

   gpg --decrypt [filename]

   and then

   gpg --import [filename_decrypted]

6. He can then send it to a keyserver, containing Alice signature:

   gpg --send_keys [key_id]