
PGP encryption for email explained

Aug 29, 2016 8:14:14 PM

Anyone who searches the web for the best way to secure their email will surely stumble upon some article about PGP encryption for email. Why? Because this is arguably the best way for secure email communication.

PGP encryption for email security

Pretty Good Privacy

"There are two kinds of cryptography in this world: cryptography that will stop your kid sister from reading your files, and cryptography that will stop major governments from reading your files. This book is about the latter."

--Bruce Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C

PGP, or Pretty Good Privacy, is also about the latter kind of encryption. When Phil Zimmermann created the protocol in 1991, he really underrated it by calling it "pretty good". It's actually very good privacy.

In brief, what is PGP encryption?

If you only have a couple of minutes, here's what PGP basically is: end-to-end encryption and decryption software that provides cryptographic privacy and authentication. It can protect the contents of messages and files from being understood even by well-funded organizations with vast computing resources.

Here's a great, simplified explanation of public-key cryptography by YouTuber Computerphile:

How does PGP work?

Having covered the basics, it's time to dive deeper.

First of all, PGP is often referred to as an example of public-key cryptography, but it isn't exactly that. It's actually a hybrid cryptosystem that combines the best features of both asymmetric and conventional (symmetric, a.k.a. private key) cryptography.

PGP doesn't only generate asymmetric pairs of keys (public and private); it also compresses the plaintext (the readable information) before encryption. Data compression improves transmission time, saves disk space and, more importantly, strengthens cryptographic security. Otherwise, cryptanalysts could exploit patterns found in the plaintext to crack the cipher.

After compression, PGP creates a session key, which is a one-time-only secret key. It works with a very secure, fast conventional encryption algorithm to encrypt the plaintext into ciphertext.

Then, the session key itself is encrypted with the recipient's public key. This public-key-encrypted session key is transmitted along with the ciphertext to the recipient.

Decryption works in reverse. The recipient's copy of PGP uses his/her private key to recover the session key, which PGP then uses to decrypt the conventionally-encrypted ciphertext.

Stanford University provides a very good example of that:

"Suppose that Alice wishes to send Bob a confidential email using the PGP protocol. PGP first compresses Alice's plaintext document, thereby reducing its size and strengthening its cryptographic security (the reason for the security benefit is that compression reduces the occurrence of patterns in the document that cryptanalysts may exploit to crack its encryption). After the document is compressed, the PGP software generates a session-specific key for it by combining Alice's random mouse movements and keyboard strokes with a probabilistic primality tester. PGP then uses this session key to encrypt the document (the specific type of symmetric key encryption used by PGP in this step is called the International Data Encryption Algorithm (IDEA) and was invented by Xuejia Lai and James Massey in 1991).

Because PGP uses a private-key protocol (IDEA) to encrypt Alice's document, some form of public-key encryption must now be used to securely deliver the session key to Bob. PGP uses the RSA cryptosystem to deliver the session key; it simply encrypts the randomly-generated session key with Bob's public key and then appends the RSA-encrypted session key to the beginning of Alice's session-key-encrypted document. The document and session key are then sent together to Bob. To decrypt Alice's document, Bob first uses his private key to decrypt the session key and then uses the session key to decrypt the document itself."

This hybrid approach combines the convenience of asymmetric encryption with the speed of symmetric encryption. While public-key encryption provides a solution to key distribution and data transmission issues, private-key encryption is about 1,000 times faster. Together, they boost performance and facilitate key distribution without any sacrifice in security.
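The hybrid flow described above (compress, encrypt under a one-time session key, wrap the session key with the recipient's public key), as an added example that is not from the original article or from any PGP implementation. It assumes Node.js built-ins, with AES-256-GCM and RSA-OAEP standing in for PGP's own ciphers; it does not produce OpenPGP-format messages, and the function names and sample text are hypothetical.

```javascript
// Added illustration: function names and algorithm choices are assumptions, not PGP's own.
const { randomBytes, createCipheriv, createDecipheriv, publicEncrypt,
  privateDecrypt, generateKeyPairSync } = require('crypto');
const { deflateSync, inflateSync } = require('zlib');

// Sender side: compress, encrypt with a one-time session key, wrap that key.
function hybridEncrypt(recipientPublicKey, plaintext) {
  const compressed = deflateSync(Buffer.from(plaintext, 'utf8'));
  const sessionKey = randomBytes(32); // fresh AES-256 key, used for this message only
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', sessionKey, iv);
  const ciphertext = Buffer.concat([cipher.update(compressed), cipher.final()]);
  // Only the 32-byte session key goes through the slow public-key operation.
  const wrappedKey = publicEncrypt(
    { key: recipientPublicKey, oaepHash: 'sha256' }, sessionKey);
  return { wrappedKey, iv, ciphertext, tag: cipher.getAuthTag() };
}

// Recipient side, in reverse: unwrap the session key, decrypt, decompress.
function hybridDecrypt(recipientPrivateKey, msg) {
  const sessionKey = privateDecrypt(
    { key: recipientPrivateKey, oaepHash: 'sha256' }, msg.wrappedKey);
  const decipher = createDecipheriv('aes-256-gcm', sessionKey, msg.iv);
  decipher.setAuthTag(msg.tag); // final() throws if the ciphertext was altered
  const compressed = Buffer.concat([decipher.update(msg.ciphertext), decipher.final()]);
  return inflateSync(compressed).toString('utf8');
}

// Constructed sample: Alice encrypts a repetitive message to Bob's public key.
function demo() {
  const bob = generateKeyPairSync('rsa', { modulusLength: 2048 });
  const text = 'Meet at the usual place at noon. '.repeat(20);
  const msg = hybridEncrypt(bob.publicKey, text);
  return {
    bob, text, msg,
    recovered: hybridDecrypt(bob.privateKey, msg),
    plaintextBytes: Buffer.byteLength(text),
    ciphertextBytes: msg.ciphertext.length, // smaller, because compression ran first
    wrappedKeyBytes: msg.wrappedKey.length, // RSA output is as long as the modulus
  };
}

const result = demo();
console.log(result.recovered === result.text, result.plaintextBytes,
  result.ciphertextBytes, result.wrappedKeyBytes);
```

Encrypting the same text twice yields a different wrapped key and ciphertext each time, because the session key is generated per message.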

PGP also supports applying digital signatures to messages, so that the receiver can be sure that a specific message came from a specific person.

Is PGP the best for email encryption?

No one can really say that any encryption method is 100% secure. That's just because nothing made by humans so far is 100% secure. However, there are things which are pretty close. So close that no one would bother breaking them. PGP is a great example.

In general, encryption can be strong or weak. Its strength is measured in the time and resources it would require to recover the plaintext without the right key. And when encryption is really strong, as PGP can be, even today's most powerful supercomputers would need a ridiculous number of years to turn ciphertext into plaintext.

Of course, no one can guarantee that the best encryption today will hold up under tomorrow's computing power. But talking about what you can get today, PGP is among the best options. It uses a two-key system with data compression, supports digital signatures and is open-source, which means it's been heavily vetted by the public.

According to Bruce Schneier, PGP is “the closest you’re likely to get to military-grade encryption”.

Need more proof? Well, Edward Snowden used PGP to send files to Glenn Greenwald when he broke the story that made encryption a mass-media topic.

Secure Email: PGP-shielded email off the shelf

We at Secure Group also consider PGP to be really, really secure. That's why we use it to protect our users' communication via Secure Email, one of our flagship apps for end-to-end encrypted communication.

With its familiar, intuitive user interface and rich options, Secure Email can be used for both encrypted and non-encrypted emails and is compatible with numerous other PGP-protected email apps.

Learn more about Secure Email with PGP encryption for email


Topics: end-to-end encryption, email encryption, Secure Email, PGP

Written by Tihomir Ivanov, Senior Inbound Marketing Expert