
PGP is still pretty good for privacy

Many privacy advocates use PGP (most often in its free-software implementation, GNU Privacy Guard or GPG) to encrypt, sign, and verify data and text of all sorts.

PGP is a relatively well-audited and trusted privacy and security tool with a fascinating backstory. Recently, though, PGP has come under fire after the disclosure of a vulnerability in a number of email clients and PGP plug-ins that decrypt incoming messages automatically, which could expose the plaintext of encrypted emails to an attacker.

For now, it may be better to temporarily turn off automatic decryption of emails (as explained here for Enigmail, GPGTools, and GPG4Win) and decrypt messages by hand. This does not mean that PGP is fundamentally broken, or that we should stop using it altogether: the problem lies in how these clients and plug-ins handle decryption, not in PGP as a whole.

PGP remains useful for email, especially for verification. Spoofed emails carrying phishing links routinely get past spam filters, and a valid PGP signature makes it far easier to tell whether the sender is who they claim to be. That Facebook offers PGP-encrypted notification emails, for example, is pretty cool!

It’s not just Facebook notifications, though. Here are some other ways PGP is still useful:

1. PGP can verify downloads

PGP makes it easy to verify the integrity and origin of files, which is especially important for programs you are about to install on your machine. The ExpressVPN apps, for example, come with a signature file that you can verify in a few easy steps.

Verifying a file’s signature lets you confirm that software obtained from an untrusted source, such as a mirror or BitTorrent, is exactly what the developer published, provided you obtained the developer’s key fingerprint through a trusted channel. A plain checksum is not an alternative: it only catches accidental corruption, because an attacker who can swap the download can usually swap the published checksum as well, unless that checksum is itself signed.
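The check a practitioner actually wants here is stricter than "gpg printed Good signature": gpg will say that about any key in your keyring, including one an attacker shipped alongside a re-signed download. The script below is an added example (it is not ExpressVPN's own code and not part of the original post). It asks gpg for its machine-readable status lines and accepts a file only when the signature is good and the primary key fingerprint matches one pinned out-of-band. The fingerprints, key IDs and status output in the sample are constructed for illustration and belong to no real vendor.

```python
"""Verify a download against its detached OpenPGP signature and pin the signer.

gpg's exit status and human-readable output are not enough: a signature from an
attacker's own key is still a "Good signature" if that key is in your keyring.
So we read gpg's machine-readable status lines (--status-fd) and accept the file
only when the signature is good AND the primary key fingerprint matches one we
obtained out-of-band (vendor website, a printed card, an earlier trusted copy).
"""
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class VerifyResult:
    good_signature: bool = False           # GOODSIG seen (valid signature, key not expired/revoked)
    signing_key_fpr: Optional[str] = None  # fingerprint of the (sub)key that made the signature
    primary_key_fpr: Optional[str] = None  # fingerprint of the primary key that owns it
    errors: List[str] = field(default_factory=list)  # BADSIG, NO_PUBKEY, EXPKEYSIG, ...


def normalize_fpr(fpr: str) -> str:
    """Strip the spaces people paste from 'gpg --fingerprint' output and upper-case."""
    return fpr.replace(" ", "").upper()


def parse_status(status_output: str) -> VerifyResult:
    """Parse '[GNUPG:] KEYWORD args...' lines (format documented in GnuPG's doc/DETAILS)."""
    result = VerifyResult()
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword, args = fields[1], fields[2:]
        if keyword == "GOODSIG":
            result.good_signature = True
        elif keyword == "VALIDSIG":
            # VALIDSIG <sig-key-fpr> <date> <ts> <expire-ts> <ver> <reserved>
            #          <pubkey-algo> <hash-algo> <class> <primary-key-fpr>
            result.signing_key_fpr = args[0].upper()
            result.primary_key_fpr = (args[9] if len(args) > 9 else args[0]).upper()
        elif keyword in ("BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"):
            result.errors.append(keyword)
    return result


def accept(result: VerifyResult, expected_primary_fpr: str) -> bool:
    """Policy: good signature, no error status, and the pinned primary key made it."""
    return (
        result.good_signature
        and not result.errors
        and result.primary_key_fpr == normalize_fpr(expected_primary_fpr)
    )


def verify_download(file_path: str, sig_path: str, expected_primary_fpr: str, gpg: str = "gpg") -> bool:
    """Run gpg on a real file plus its detached .sig/.asc and apply the policy above."""
    proc = subprocess.run(
        [gpg, "--batch", "--status-fd", "1", "--verify", sig_path, file_path],
        capture_output=True, text=True,
    )
    return accept(parse_status(proc.stdout), expected_primary_fpr)


# Constructed sample status output: the fingerprints and key IDs are made up for
# illustration and are not any vendor's real keys.
VENDOR_PRIMARY_FPR = "1111 2222 3333 4444 5555  6666 7777 8888 9999 AAAA"
GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0000111122223333 Example Vendor <release@example.com>
[GNUPG:] VALIDSIG AAAABBBBCCCCDDDDEEEEFFFF0000111122223333 2018-05-15 1526342400 0 4 0 1 10 00 111122223333444455556666777788889999AAAA
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
BAD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 0000111122223333 Example Vendor <release@example.com>
"""

if __name__ == "__main__":
    print("pinned key, good signature:", accept(parse_status(GOOD_STATUS), VENDOR_PRIMARY_FPR))
    # Same good signature, but not from the key we pinned: an attacker who ships
    # their own public key alongside a re-signed download ends up here.
    print("unpinned key, good signature:", accept(parse_status(GOOD_STATUS), "0000" * 10))
    print("bad signature:", accept(parse_status(BAD_STATUS), VENDOR_PRIMARY_FPR))
```

The policy pins the primary key rather than the signing subkey because vendors publish the primary fingerprint and rotate signing subkeys; `TRUST_*` lines are deliberately ignored, since the fingerprint pin replaces the local web-of-trust judgement.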

2. Back up your sensitive files

You can use PGP to encrypt data to your own PGP public key, so that only the matching private key can decrypt it. If you regularly create confidential records, such as passport scans or Bitcoin wallets, that you want to back up to external hard drives or cloud storage, you risk that data falling into the wrong hands without PGP.

With PGP, you only need to find a secure place to store a backup of your private key (and its passphrase) once, such as a safety deposit box or your home. You can then back up your encrypted data wherever and as often as you like without worrying too much about who can see the backups. Do test that you can decrypt a backup with the stored key before you rely on it.

Software like Ubuntu’s Backups tool also relies on GnuPG for its encryption.

3. Securely sign your git commits

ExpressVPN recently released its open source leak testing tools, and we sign our commits with PGP so that anyone can verify they came from us. Git has supported signed commits for a long time, but only in the past two years have hosting services made the signature status easily viewable in their web interfaces.

This is great and one more area in which PGP is unbeatable!
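A web "Verified" badge is convenient, but a release process needs a local, enforceable check. The script below is an added example (not ExpressVPN's code and not part of the original post): it reads git's own per-commit signature status (`%G?`) and primary key fingerprint (`%GP`) from `git log` and rejects any commit that is unsigned, badly signed, or signed by a key outside an allowlist of fingerprints. The commit hashes and fingerprints in the sample are constructed and come from no real repository; the placeholder fingerprints are assumptions.

```python
"""Audit a range of git commits: every commit must carry a good OpenPGP signature
from a key whose primary fingerprint is on an allowlist.

git invokes gpg itself and summarises the outcome in the %G? placeholder, while
%GP gives the fingerprint of the primary key that owns the signing key. We apply
a policy to those two fields instead of trusting a badge on a website.
"""
import subprocess
from typing import Dict, List, NamedTuple, Set

# Meaning of the %G? letters (see git-log(1), "PRETTY FORMATS").
STATUS_REASON = {
    "G": "good signature",
    "U": "good signature, key of unknown validity",
    "B": "BAD signature",
    "X": "good signature, but it has expired",
    "Y": "good signature made by an expired key",
    "R": "good signature made by a revoked key",
    "E": "cannot check signature (signing key missing from keyring?)",
    "N": "no signature",
}
# "U" is acceptable because we pin fingerprints ourselves instead of relying on
# the local web of trust; everything else is a policy failure.
ACCEPTABLE_STATUSES = {"G", "U"}

LOG_FORMAT = "%H%x09%G?%x09%GP"  # commit <TAB> status letter <TAB> primary key fingerprint


class CommitSig(NamedTuple):
    commit: str
    status: str       # one %G? letter
    primary_fpr: str  # %GP, empty when there is no usable signature


def parse_log(output: str) -> List[CommitSig]:
    """Parse the tab-separated lines produced by LOG_FORMAT."""
    rows = []
    for line in output.splitlines():
        if not line.strip():
            continue
        commit, status, fpr = line.split("\t")
        rows.append(CommitSig(commit, status, fpr.upper()))
    return rows


def audit(rows: List[CommitSig], allowed_fprs: Set[str]) -> Dict[str, str]:
    """Return {commit: reason} for every commit violating the policy; empty dict means all pass."""
    allowed = {f.replace(" ", "").upper() for f in allowed_fprs}
    problems: Dict[str, str] = {}
    for row in rows:
        if row.status not in ACCEPTABLE_STATUSES:
            problems[row.commit] = STATUS_REASON.get(row.status, f"unknown status {row.status!r}")
        elif row.primary_fpr not in allowed:
            problems[row.commit] = f"good signature, but key {row.primary_fpr} is not an allowed signer"
    return problems


def audit_range(revision_range: str, allowed_fprs: Set[str], repo: str = ".") -> Dict[str, str]:
    """Run against a real repository, e.g. audit_range("origin/master..HEAD", ALLOWED_SIGNERS)."""
    out = subprocess.run(
        ["git", "-C", repo, "log", f"--format={LOG_FORMAT}", revision_range],
        capture_output=True, text=True, check=True,
    ).stdout
    return audit(parse_log(out), allowed_fprs)


# Constructed sample: made-up commit hashes and fingerprints, not from any real repository.
ALLOWED_SIGNERS = {"1111 2222 3333 4444 5555  6666 7777 8888 9999 AAAA"}
SAMPLE_LOG = (
    "a" * 40 + "\tG\t111122223333444455556666777788889999AAAA\n"    # signed by an allowed key
    + "b" * 40 + "\tU\t111122223333444455556666777788889999AAAA\n"  # same key, not in local trustdb
    + "c" * 40 + "\tG\tBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB\n"  # good signature, wrong key
    + "d" * 40 + "\tN\t\n"                                           # unsigned commit
    + "e" * 40 + "\tE\t\n"                                           # signer's key not in keyring
)

if __name__ == "__main__":
    for commit, reason in audit(parse_log(SAMPLE_LOG), ALLOWED_SIGNERS).items():
        print(f"{commit[:12]}  {reason}")
```

Note that `%G?` reports `E` when the signer's public key is not in the local keyring, so a CI job running this check must import the allowed keys first; otherwise every legitimately signed commit fails.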

Unbeatable signatures

PGP may be getting a lot of heat for its imperfect email encryption, and for messaging you are often better off with something like Signal or OTR, both of which provide perfect forward secrecy (a compromised long-term key does not expose past conversations), which PGP email lacks.

But for many things, like signing git commits, backing up sensitive files, or verifying software, there is no comparably widespread alternative to PGP.