PGP Tool

Learn · 8 min read · 2026-01-12

How PGP works — a plain-English explainer

PGP combines asymmetric and symmetric encryption to send private messages without ever sharing a secret. Here is what actually happens under the hood.

PGP — Pretty Good Privacy — is the encryption protocol that lets two people exchange private messages without first meeting to share a password. It has been the workhorse of email encryption since 1991 and underpins most of what this site does.

Beneath the friendly name is a clever sandwich of two different kinds of cryptography. Each one solves a problem the other cannot, and PGP combines them into a single workflow.

The two halves: asymmetric and symmetric

Symmetric encryption (think AES) is fast and uses a single shared key — the same key locks and unlocks the message. The catch: both parties must already have the key. If you can email it, an attacker can intercept it.

Asymmetric encryption (RSA, ECC) uses a key pair: a public key anyone can have, and a private key only you have. Anyone can encrypt to your public key, but only you can decrypt with the private one. The catch: it is slow and limited to small inputs.

How PGP combines them

  1. You generate a fresh, random "session key" — a one-shot AES key just for this message.
  2. You encrypt the actual message body with the session key (fast, symmetric).
  3. You encrypt the session key itself with the recipient's PGP public key (slow, but small payload).
  4. You bundle the two ciphertexts together and send.

On the other end, the recipient uses their private key to unlock the session key, then uses the session key to unlock the message. The session key is discarded. Each new message gets a new session key.

Signing is the mirror image

A signature is the same idea in reverse. You hash your message (SHA-256 or stronger) and then encrypt the hash with your private key. Anyone with your public key can decrypt the hash and check it matches — proving (a) the message has not been altered and (b) it was signed by someone holding your private key.

Why this is hard to break

Breaking PGP means either guessing the recipient's private key (computationally infeasible for RSA-3072+ or any modern ECC curve) or finding a flaw in the underlying algorithms. Decades of public scrutiny on RSA, AES, and Curve25519 have not turned up such a flaw.

The realistic attacks are not on the math — they are on the user. A weak passphrase on the private key file, a compromised computer, social engineering to get you to encrypt to a wrong key. PGP makes the channel private; everything else is up to you.

Where to start

Generate a key pair on the Generate Keys tool, share the public key with anyone who wants to write to you, and keep the private key on a device only you control. That is the entire baseline.