Important PGP Concepts

...or stuff you really ought to know.

This page aims to inform you about a few basic things you should know about email and what PGP protects, what it doesn't protect, and what terms like signed and encrypted mean in the context of PGP.

What PGP doesn't protect

PGP does not protect:

  • Who the message is from
  • Who the message is to
  • The subject
  • The names or number of attachments (in most cases)
  • The relative size of your email and/or attachments
  • When the message was sent

If PGP doesn't protect all of that, you ask, why am I bothering with it?

The answer is it still protects a lot (see the next section) and there are steps you can take to mitigate some of the information that is leaked.

How to mitigate some of the information leaks:

  • When attaching files, first zip them and use an undescriptive filename like "pgpattachment.zip" or "file.zip"
  • Set the subject of your email to something generic like "your email", "email", or just leave it blank.
  • If size matters, add random amounts of junk to your email or to the zip file.

For the actions above, bonus points if you keep them consistent. If you always use the same subject and/or attachment filenames, then people won't be able to infer very much from them.
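As an added example (not code from the original page), here is a Python script that packages attachments the way the list above recommends: a single zip under a generic name, fixed internal timestamps, and random junk in the archive comment so the final size is always a multiple of a chosen bucket. The bucket size, the fixed 1980 timestamp and the helper names are my own assumptions; the zip is what you would then encrypt with PGP.

```python
"""Package attachments into a generic, size-padded zip before PGP encryption."""
import io
import os
import zipfile

GENERIC_ARCHIVE_NAME = "pgpattachment.zip"  # undescriptive name, as the page advises


def _write_zip(files, comment):
    """Write files into an in-memory zip; the comment field carries the padding."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name in sorted(files):
            # Fixed timestamp (assumption) so the archive does not record when the
            # files were last modified; the names themselves are hidden by PGP.
            info = zipfile.ZipInfo(name, date_time=(1980, 1, 1, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, files[name])
        zf.comment = comment  # written into the end-of-central-directory record
    return buf.getvalue()


def build_padded_attachment(files, bucket=4096):
    """Return zip bytes whose length is a multiple of `bucket`.

    Padding goes into the archive comment, which every zip reader ignores, so
    the archive stays valid. Random bytes are used so a later compression pass
    cannot squeeze the padding back out and reveal the true size.
    """
    if not 0 < bucket <= 65535:  # the zip comment field is limited to 65535 bytes
        raise ValueError("bucket must be between 1 and 65535")
    unpadded = _write_zip(files, b"")            # first pass: measure
    pad = (-len(unpadded)) % bucket              # bytes needed to reach the bucket
    padded = _write_zip(files, os.urandom(pad))  # second pass: same content plus pad
    assert len(padded) % bucket == 0
    return padded


def archive_names(zip_bytes):
    """Confirm the padded archive still opens and list what it contains."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()
```

Two attachments of different content sizes come out at the same length, so the encrypted message no longer reveals which one was sent.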


What PGP does protect

PGP does protect:

  • Message or file privacy (see encryption)
  • Message authenticity (see signing)
  • The exact length or size of the message or file (most of the time)

The things that PGP does protect, it does a very good job of protecting. It is likely that even a government cannot break the underlying math that protects your PGP messages.

But don't forget that your protection only extends as far as your private key. If you let anybody get hold of that, then all bets are off!

Never give anyone your private key or passphrase!


What Terms like "signed" or "encrypted" mean

When people use and talk about PGP there are a lot of terms used that all have a distinct meaning.

Encrypted:

Encrypted files or messages are only readable by their intended recipients. The power of math prevents anyone else from reading them.

Signed:

Signed means that the file or message came from the person who signed the message, and that it has not been tampered with or modified in any way.

Private Key:

Your Private Key is a small piece of data that identifies you, and you alone. Without your private key no one can decrypt files or messages intended only for you and no one can pretend to be you. That is, your private key is needed to decrypt things intended for you and sign things that purport to be from you. Never give your private key to anyone for any reason.

Your private key is protected with the passphrase that you entered when you generated it. Without the passphrase even someone who steals the file containing your key can't use it.

Even so, don't let anyone have it. Guessing or finding your passphrase is likely to be many, many times easier than guessing or finding your private key. The difference is likely to be days vs. centuries.

Public Key:

Your Public Key is just what it says in the name, public. You can give it to anyone you like, you can even publish it on a web page or a public PGP key server.

Your public key allows others to send messages or files that only you can read, as well as verify messages that you sent are really from you and haven't been modified or tampered with.

Fingerprint:

A key's Fingerprint uniquely identifies a particular key. The fingerprint is usually used to verify that the key you have is indeed the correct one. Anyone can generate a key which claims to be from anyone else, but no one can generate a key which claims to be someone else and has the same fingerprint as their real key. (Once again, this is backed up by math!)

Usually you would send your public key by email, then communicate your key's fingerprint to the recipient by another means such as a phone call, a letter, or in person. This ensures that no one has intercepted the email with your key in it and replaced it with their own. (That is known as a man-in-the-middle attack.)
