Many will be shocked to become cognizant that emails, even when using traditional means of encryption, are not encrypted once the email reaches the email providers servers. Since emails often travel across the world before they reach their final destination, your unencrypted emails will have likely been intercepted and stored in a government database.

The aptly named Pretty Good Privacy (PGP) encryption standard is one of the most (if not the most) secure ways to encrypt a email, End-to-End. Ever since whistle blower Edward Snowden used PGP to email Glenn Greenwald about the revelations about NSA spying in 2013, many journalists now put their public key in plain view on social media. Presumably, hoping that they will be the ones to leak classified information from their source. It's not only journalists that use PGP. Anyone who wants to encrypt emails End-to-End rather than by conventional (and inferior) Link Encryption methods such as SSL and TLS, will have found what they are looking for in PGP. For more information on End-to-End Encryption and how it compares to traditional Link Encryption, see my article: How to Send Secure Encrypted Instant Messages & Calls.

PGP works on the basics of Public Key Cryptography. To understand how to use PGP and why it functions as it does, you'll definitely need a basic knowledge of the topic. Learn about the basics at my article: What is Encryption & How is it Useful? Basics of Public Key Encryption. Consider this a prerequisite.

With the basics out of the way, lets discuss how we can use PGP to secure our email communications.

How to Setup PGP

In order to use PGP, you'll need a compatible mail client like Mozilla Thunderbird and a software package that incorporates PGP into your respective mail client. In this case, we will be incorporating MacOS's built in Mail client with GPGTools. Follow the link and install the package. Once you run GPGTools you should find yourself finding yourself needing to generate your very own key pair (your private and public key):

Generate Key Pairs in GPGTools for Mac

Type your name and your email address. The first consider you may want to make is, do you want to put your real name in the name field? After all, you are using PGP to encrypt traffic, using a fake name may ensure you additional anonymity. You will probably want to Upload your public key to the key servers so others can find,  verify and sign your key later. You can upload your key at anytime. However, you can't delete your key off the key servers. You ca only revoke the key. More on this later.

Although email addresses are usually not case sensitive, it is in GPGTools. So if your contact lists you as having uppercase letters, you'll want to type with uppercase letters here. Do keep in mind your contacts will also need to type in your email address with the correct upper/lowercase letters in order to send you an email. You'll be able to add more email addresses to your private key later, including the same email address using uppercase and lowercase letters. The advanced options can be left as is. You may want to disable the "Key expires" checkbox (you can also change this later if you so wish). Lastly, enter a secure passphrase. Information on passphrases at my article: Passphrases, Password Managers & Multi Factor Authentication. This passphrase will be your last line of defense if your private key is acquired by a hacker. Click "Generate Key."


Add Email Addresses to Your Private Key

You will only be able to send encrypted emails if your using an email address that has been entered under the "User IDs" of GPGTools. Once again, you must type your email case sensitive for this to work. If your having problems, add the same email addresses with uppercase letters if commonly used.

Double click your key in the GPG Keychain menu to access this window:

Add Email Addresses to GPGTools

Press the "+" icon to add an email address:

What Happens if I Want to Delete My Private Key?

If someone has acquired your private key or you delete your last copy of your private key, you'll want to revoke it from the key servers. You cannot delete a key from the key servers. Hence, PGP public keys are still out there from the 1990s readily accessible from the key servers. Click "Key" and then "Revoke:"

This will show other users

Backup Yours Keys

If you somehow loose your private key, you will no longer be able to decrypt messages. On top of that, you'll have to generate a new key, and revoke your key from the key server. It is therefore imperative that you keep an offline and preferably offsite backup of your private and public keys as well as the aforementioned Revoke Certificate. Be sure if you backup the keys that you encrypt the disk with a strong password. Do note, USB flash drives have a terrible shelf life for archiving.

Sending Encrypted Emails

You'll notice a OpenPGP button on the top right. To encrypt the email, click the padlock. If you want to sign, click the tick. Usually, you'll want to do both. More on signing keys and key verification in the next section.

Sending mail Using GPGTools in MacOS

These options will be greyed out unless you satisfy two conditions. First, your email address you are sending from must have been added to GPGTools. Second, you must have added your recipients public key to GPGTools. Usually, you will attain your recipients public key in the form of a ".asc" file. Open the file using GPGTools by clicking the import button on the top left.

Why Sign an Email? Key Verification

Signing an email may not encrypt the email, but it sends a copy of your private key in the form of an ".asc" file. This allows others to encrypt emails to you in future. In addition, a recipient will be able to verify the email was sent using your private key (assuming they already have your public key). Presumably, confirming the email was sent by you. If they suddenly notice your public key changes, that may be a sign of a man in the middle attack. More information on key verification at my article: How to Send Secure Encrypted Instant Messages & Calls. Keep in mind you can verify an email even if the email is encrypted.

What Does PGP Encrypt?

GPG encrypts email contents. This includes text in the body, subject line and attachments. This does not include your email address or recipient of the email. Email encryption also doesn't hide your metadata such as your IP address and hence, your location unless you are using a proxy/Tor/VPN/Tails OS etc.

Signing Friends Keys

PGP has a ingenious way of building reputations of the legitimacy of a persons public key. As you may have noticed, GPGTools has a column on the far right called "Validity." You can boost a persons public key's "Validity" by signing it with your own. Click their public key, then click "Key" on the top toolbar and then "Sign."

You'll be greeted with a brief synopsis of what your doing. Choose your private/secret key that you will be using to sign (likely, you will only have one private key). Then, choose how certain you are the person's public key you are signing actually belongs to whomever it states it does.

Facebook PGP Email Encryption

To begin with, you may have very little use for PGP. However, Facebook can encrypt all emails to you using PGP. So as a bonus to this guide, lets discuss how we can setup Facebook to send all emails to you encrypted using PGP. Do note, this includes account recovery emails, and if you loose your private key, you will not be able to decrypt these emails. This can both be an advantage or a disadvantage, as even if a hacker gains access to your emails, they won't be able to decrypt the password recovery emails anyway.

First, go to your Facebook Security Settings:

Facebook Settings Screen

Download Facebook's public key and place your public key in the textbox. Generate your public key by exporting your key using GPGTools and then opening the the file in TextEdit (Mac).

Public Key for Facebook PGP

Email Sent by Facebook Confirming You Can Decrypt Their Message


In conclusion, PGP may seem irritating to setup, but it really gives you a comprehensive understanding of Public Key Cryptography. If you truly value the contents of your emails, PGP may be one of the best methods of ensuring the contents of your emails are only read by the intended recipient.

This guide was a part of my Ultimate Information Security & Privacy Guide. Be sure to check out any related content: