
PGP Key

This knowledge base entry explains what PGP/OpenPGP is and how public/private keys, fingerprints, signing, and encryption work together to protect confidentiality and verify authenticity. It also clarifies the difference between PGP, OpenPGP, and GPG, and gives practical guidance for safer key management and common usage patterns (including Tails 5.0+).

Updated Dec 24, 2025

PGP Keys (OpenPGP)

Note on Tails: Starting with Tails 5.0, the workflow for PGP/OpenPGP changed compared to older releases. If you’re on an older version, upgrade to the newest Tails version so your UI and steps match current tooling. This entry focuses on Tails 5.0+ concepts and modern OpenPGP usage.


What PGP Is

Pretty Good Privacy (PGP) is a system for encryption and digital signatures used to protect data and prove authenticity during communication. In practice today, most tools implement the OpenPGP standard.

PGP/OpenPGP is commonly used to:

  • Encrypt messages and files so only intended recipients can read them.
  • Decrypt content that was encrypted to you.
  • Sign messages/files so others can verify they came from you and weren’t altered.
  • Verify signatures and confirm fingerprints to prevent impersonation and phishing.

Key Concepts

Public Key vs Private Key

OpenPGP uses asymmetric cryptography, which means you have a key pair:

  • Public key: shared with others. People use it to encrypt to you and verify your signatures.
  • Private key: kept secret. You use it to decrypt messages sent to you and create signatures.

If someone obtains your private key (together with the passphrase that protects it), they can impersonate you and decrypt messages intended for you.

Fingerprints

A fingerprint is a short, unique identifier derived from the public key (usually shown as a long hex string). Fingerprints are used to confirm you have the right key for the right person—especially important when keys could be swapped or spoofed.

Key Expiration and Revocation

  • Expiration: A planned “best-by date” for a key/subkey. You can extend it later.
  • Revocation: A way to mark a key as no longer trustworthy (e.g., lost device, compromise). Creating a revocation certificate early and storing it safely is a best practice.

Keyrings and Trust

Your system maintains a keyring (a store of public and private keys). Many OpenPGP tools also track trust: whether you’ve verified that a key truly belongs to the person it claims to represent.


Typical Workflows

Encrypting

You encrypt using the recipient’s public key so only their private key can decrypt it.

Common uses:
- Protecting sensitive personal details (addresses, account identifiers, private documents)
- Sending confidential attachments
- Encrypting notes/files before storing or sharing

Decrypting

You decrypt using your private key (and usually your passphrase).

Signing and Verifying

  • Signing proves authenticity and integrity (“this came from me and wasn’t modified”).
  • Verification confirms a signed message/file matches the signer’s public key and hasn’t been altered.

Best Practices for Managing PGP Keys

  • Protect your private key with a strong passphrase.
  • Back up your keys securely (and separately from your laptop if possible).
  • Create and store a revocation certificate somewhere safe (offline is ideal).
  • Verify fingerprints out-of-band (e.g., a trusted website you already know, in-person, or a previously verified channel).
  • Prefer end-to-end encryption you control (encrypt on your device before sending).

Using OpenPGP on Tails 5.0+

Tails typically supports OpenPGP through:
- Email tooling (modern email clients often have built-in OpenPGP support), and/or
- A key management app (to import/export keys, view fingerprints, and manage passphrases)

High-level tasks you should be able to do in Tails 5.0+:

  1. Generate a key pair
    - Choose a strong passphrase
    - Set an expiration date (recommended)
  2. Export your public key
    - Share it with people who need to encrypt to you
  3. Import someone else’s public key
    - Verify fingerprint before trusting it
  4. Encrypt / decrypt
    - Select the correct recipient public key when encrypting
  5. Sign / verify
    - Sign important messages/files you want others to trust

If your UI differs, use the above as the “what,” and follow Tails’ built-in help/docs for the exact “where to click.”


FAQ

What if I sent sensitive information without encrypting it?

Assume it may be exposed to anyone who can access the message in transit, on a server, or on endpoints (including compromised accounts/devices). Practical steps:

  • Stop sending additional sensitive details through that channel until secured.
  • Notify the recipient (if appropriate) and switch to an encrypted method.
  • Rotate affected information where possible (passwords, access links, identifiers).
  • Treat it like a small incident: document what was sent and when, and reduce further exposure.

Can I rely on a service’s “built-in encryption” instead of doing it myself?

Be cautious. If encryption happens server-side, the service may still handle your content in plaintext at some point. For sensitive content, prefer end-to-end encryption where you encrypt on your device using the recipient’s public key.

Do I need to encrypt every message?

Not necessarily. Encrypt messages that contain sensitive content. Routine, non-sensitive messages may not require encryption, but signing them can still provide authenticity.

Can I decrypt a PGP message I sent?

Usually no—if you encrypted only to the recipient, only their private key can decrypt.
If you want to be able to read what you sent later, you can encrypt to both:
- the recipient’s public key, and
- your own public key
That way, either you or the recipient can decrypt.

What is the difference between PGP and GPG?

PGP can refer to two related things:

  1. The original “Pretty Good Privacy” software written by Phil Zimmermann (later commercialized and now owned by Symantec).
  2. The file/message formats and signature/encryption conventions established by that software, which have since been formalized as the OpenPGP standard.

GPG (GNU Privacy Guard) is a separate, open-source program that implements the OpenPGP standard. Because it follows the same standard, GPG can exchange encrypted messages and verify signatures with other OpenPGP-compatible tools (including commercial PGP implementations).

Common terminology confusion

Because GPG is widely used on Linux, people sometimes say “GPG” when they really mean the broader OpenPGP system (e.g., “GPG keys” or “GPG signatures”). In most cases, the intended meaning is clear from context.

Practical takeaway: OpenPGP is the standard, and PGP/GPG are implementations that speak it.


Quick Glossary

  • OpenPGP: The standard defining how PGP-style encryption/signatures work today.
  • Key pair: Your public + private keys.
  • Fingerprint: Unique identifier used to confirm a key is the correct one.
  • Revocation certificate: File used to revoke a key if it’s lost/compromised.
  • Keyring: Your stored keys and trust metadata.