PGP Tool

Learn · 9 min read · 2026-03-15

Setting up PGP for journalists: a practical 30-minute guide

Sources contact journalists through whatever channel feels safe. PGP is one of the few that survives a subpoena. Here is the minimum setup that actually works.

A reporter's email gets subpoenaed and the prosecutor reads every message in plaintext. A reporter with PGP gets the same subpoena and the prosecutor sees ciphertext they cannot decrypt without compelling the reporter to hand over the key (which is its own legal fight, with stronger protections in most jurisdictions).

PGP is not the only tool in the box — Signal, SecureDrop, encrypted email providers all have a place. But PGP is uniquely durable: it works across every email client, leaves no metadata at a third-party operator, and has a 30-year track record of resisting government attacks. Every journalist on a security or political beat should have one.

The 30-minute setup

  1. Go to /generate. Pick ECC Curve25519 (modern default). Use your real name (or a pseudonym you publish under).
  2. Set a strong passphrase — 5+ random words from a wordlist, not a common phrase. Write it on paper, not in a password manager that lives on the same device.
  3. Download both keys. The private key file (.asc) goes in a place only you can reach: a hardware token, an encrypted USB stick in a safe, or a passphrase-protected backup.
  4. Publish the public key. Add the .asc to your bio on the news organisation's website, your social profiles, and a keyserver (keys.openpgp.org).
  5. Print the fingerprint on your business card. Sources who meet you in person can verify they have the right key.

The day-to-day workflow

  • A source pastes their message into /encrypt with your public key. They send the ciphertext through any channel — even Twitter DMs are fine.
  • You receive the ciphertext, paste into /decrypt, type your passphrase, read the message.
  • To reply, paste the source's public key (which they can send you in plaintext, since a public key is not secret) into /encrypt along with your reply.
  • For attachments, use /files. For long-form documents, /vault. For self-destructing announcements, /paste with an expiry.

Operational hygiene

  • Generate keys on a clean device. A compromised laptop generates a compromised key.
  • Use air-gap mode in this app for sensitive operations.
  • Set a 2-year expiry on your key. If you stop using it, it expires automatically and sources stop encrypting to it.
  • Maintain a revocation certificate — generated by Generate Keys and stored separately. If your key is compromised, publishing the revocation tells the world to stop trusting it.
  • Never share the same passphrase between PGP, your laptop login, and your password manager.

For sources reading this

Find a journalist who publishes their PGP fingerprint. Confirm the fingerprint on a second channel (their work email, a printed business card, a verified social profile). Use /encrypt with their public key. Send the ciphertext through any path that does not link your identity to theirs — public Wi-Fi, a Tor browser, a burner email. The journalist decrypts on their end. The chain holds.
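Step 5 of the setup and the second-channel check above both rest on the same computation: the fingerprint printed on the card must equal the one derived from the downloaded public-key .asc. The following is an added example, not code from this article or from the PGP Tool app: it builds a constructed v4 Curve25519 public-key packet from placeholder bytes (not a real key), armors it the way a download looks, then derives the fingerprint and compares it with a fingerprint as a source might copy it from a business card (spaces, lowercase, a "0x" prefix). Function names are my own.

```python
import base64
import hashlib
import re

# Constructed sample material: 32 placeholder bytes, NOT a real key.
SAMPLE_KEY32 = bytes(range(1, 33))

def build_sample_packet() -> bytes:
    """v4 EdDSA (Curve25519) public-key packet with an old-format header (tag 6)."""
    oid = bytes.fromhex("2b06010401da470f01")        # OID 1.3.6.1.4.1.11591.15.1 = Ed25519
    point = b"\x40" + SAMPLE_KEY32                    # 0x40-prefixed point, stored as an MPI
    body = (b"\x04" + (1773532800).to_bytes(4, "big") + b"\x16"   # v4, created 2026-03-15, algo 22
            + bytes([len(oid)]) + oid + (len(point) * 8 - 1).to_bytes(2, "big") + point)
    return b"\x99" + len(body).to_bytes(2, "big") + body

def armor(packets: bytes) -> str:
    """Wrap packets as the .asc text a download produces (checksum line omitted)."""
    b64 = base64.b64encode(packets).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n-----END PGP PUBLIC KEY BLOCK-----\n")

def dearmor(asc: str) -> bytes:
    """Strip the BEGIN/END lines, any armor headers, and an optional '=' checksum line."""
    lines = asc.strip().splitlines()
    body = lines[lines.index("") + 1:-1] if "" in lines else lines[1:-1]
    return base64.b64decode("".join(ln for ln in body if not ln.startswith("=")))

def fingerprint_of_asc(asc: str) -> str:
    """v4 fingerprint = SHA-1 over 0x99, the 2-byte body length, and the body (RFC 4880 12.2)."""
    data = dearmor(asc)
    b0 = data[0]
    if b0 & 0x40:                                     # new-format header
        tag, b1 = b0 & 0x3F, data[1]
        if b1 >= 224: raise ValueError("5-byte and partial lengths not handled")
        length, off = (b1, 2) if b1 < 192 else (((b1 - 192) << 8) + data[2] + 192, 3)
    else:                                             # old-format header, 1/2/4-byte length
        tag, width = (b0 >> 2) & 0x0F, (1, 2, 4)[b0 & 3]
        length, off = int.from_bytes(data[1:1 + width], "big"), 1 + width
    body = data[off:off + length]
    if tag != 6 or body[0] != 4:
        raise ValueError("expected a v4 public-key packet first")
    digest = hashlib.sha1(b"\x99" + length.to_bytes(2, "big") + body).hexdigest().upper()
    return " ".join(digest[i:i + 4] for i in range(0, 40, 4))

def fingerprints_match(printed: str, computed: str) -> bool:
    """Compare the fingerprint on a business card or bio with the one the .asc yields."""
    def norm(s: str) -> str:
        return re.sub(r"[^0-9A-F]", "", re.sub(r"^\s*0x", "", s, flags=re.I).upper())
    return len(norm(printed)) == 40 and norm(printed) == norm(computed)
```

A mismatch means either the wrong key was downloaded or the printed fingerprint was copied incorrectly; in both cases the source should not encrypt to that key until the two agree.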