PGP is a type of encryption that is used for keeping messages secure all over the internet. The mathematics behind how it works are fairly complicated, but its use is not once you know the basics. This page is taken from a Melonland forum post in which one user needed a primer on how the system works, and another user stepped up and offered a wonderful explanation with instructions on how to use it for various things.
Most encryption is symmetric. That means that both parties - let's call them Alice and Bob - share the same key. Like: if Alice wants to send a ZIP file to Bob, but doesn't want Eve to be able to intercept it… then Alice creates the ZIP file and chooses a password for it, then sends it to Bob. Bob enters the same password, and he's decrypted it. Brilliant!
Symmetric encryption is pretty easy to understand: you probably played about with it when you were a young child! If you have a substitution cipher (swapping letters for symbols) that you shared with a friend, or if you agreed to “rotate” the letters 6 spaces through the alphabet to encode and then wind then 6 spaces back to decode… that was symmetric encryption. Humans have been doing it for millennia.
The big problem with symmetric encryption is that we have to agree on the key, without it being intercepted. Like: Alice and Bob probably want to get together in the same room to agree what their ZIP file password will be, right? If Alice phones Bob to tell him the password, there's a chance that Eve is listening on the line. If Alice emails Bob the password, there's a chance that Eve intercepts the email. This means that traditional symmetric encryption isn't so good to use on the Internet: you don't want to have to go and visit every company in-person to agree on an encryption key before you can talk to them securely online, do you?
The solution to this is asymmetric encryption, also known as split-key or public-key encryption. There are several different kinds, and you use them every day (that padlock in the address bar? that relates to a kind of asymmetric encryption being in use right here on Melonland!).
Asymmetric encryption exploits one of several mathematical phenomena that mean that some mathematical operations are easy to prove, but hard to do. For example, prime factorisation: the prime factors of a number are the lowest prime numbers that you can multiply together to get that number (if there are none except 1 and the number itself, you're looking at a prime). If I give you a large number and ask you to find the prime factors of it… that's a hard job. But if I tell you the prime factors of it, that's really easy for you to check. Hard to do, easy to verify.
Prime factorisation is a classic example, but much asymmetric encryption nowadays uses elliptic curves instead (not least because prime factorisation might turn out to be something that quantum computers will be amazingly good at, thereby breaking the encryption much faster, assuming anybody ever manages to build a big one). Imagine you have a formula which draws an ellipse on a piece of graph paper. I choose a secret point on the ellipse and perform an operation that draws a line from it at a particular angle, so that my line hits another point on the ellipse. Then I do it again, and again, and again, hundreds of times. When I tell you the point that I ended up, it's insanely difficult for you to work out where I started, because you have to try many different points on the ellipse to work out where I was last move, and then work it back again and again. But if I tell you where I started, it's very easy for you to check that, yes, running the operation 100 times would have got me to where I finished. Hard to do, easy to prove.
If you didn't understand all of that, that's fine. Just trust me when I say that there are mathematical operations that are easy to do one way, but hard to work backwards from. And those are the basis of split-key encryption.
All split-key encryption works basically the same way, but you asked about PGP:
Anybody can make a “keypair”: that is - two keys that together make a cryptographic pair, following the principles described above. If the algorithm uses prime factorisation, the two parts of the keypair will be (extremely large) semiprimes. Generating a key takes a few minutes, because the maths is hard (but still many orders of magnitude easier than working out what one half of the keypair is if you've only got the other).
One of these two keys is called the “private key”, and one is called the “public key”. Mathematically, they're interchangable, but the standards dictate how you decide which is which and that's fine. The private one needs to be kept super-secret, so you keep it somewhere safe and it usually gets encrypted with a password too. The public one can be shared: put it in your signature, put it on your website (here's mine!), put it in a public keyserver “directory”; it's fine.
The magic with split-key encryption is this: a message encrypted with one half of a keypair can only be decrypted with the other. And that means you can do two very, very clever things with it:
Incidentally: this is exactly what happens when you connect to a HTTPS website too. The server sends you its “certificate” (which is just a fancy word for a “public key”), and then your computer comes up with a symmetric encryption key (symmetric encryption is much faster!), encrypts it with the server's public key, and sends it back to the server… and then your computer and the server talk to each using the key your computer came up with… which can't have been intercepted because you sent it encrypted with the server's public key! (There's actually a lot more that goes on here: the certificate will have one or more “signatures” of exactly the type I described above, but made by companies that you or your web browser have said that they trust, and that helps your browser know that you're really speaking to Melonland and not to some trap website… so long as the companies you trust - your Certificate Authorities - are actually trustworthy… that's another story…)
(PGP users can also “sign” each others public keys to say “this person really is who they say they are” to establish a “web of trust” too, but that's another story.)
Want to try PGP. Cool!
The most popular implementation of PGP is, confusingly (but for hilarious and amazing reasons) called GPG. You can install command-line tools or graphical tools for a variety of operating systems).
I'm using a Linux command line right now, so I'm going to create a keypair. I type:
gpg --gen-key
It asks for some metadata (name, email etc., all of which is optional) and for a password to protect the key, and then soon it exists. If I run:
gpg --list-secret-keys
I can see my keyring; here's what mine looks like right now:
gpg --list-secret-keys
sec rsa3072 2025-11-20 [SC] [expires: 2027-11-20]
B52B7F1159ECF9FD20482D32D9CC360817CAC036
uid [ultimate] Tetsy McTester
ssb rsa3072 2025-11-20 [E] [expires: 2027-11-20]
I can get a copy of my public key, to share with the world, like this (note the “–armor” switch, which says “export it in ASCII”, which is much more-readable that the binary version, I promise):
gpg --armor --export B52B7F1159ECF9FD20482D32D9CC360817CAC036 -----BEGIN PGP PUBLIC KEY BLOCK----- mQGNBGkfWbwBDADZD0+efWXyREGSM8yDbXGx0ObZTNsZdPBsewiI891kYVkZE4Vt jqzBa4eZ7QNL9lH/zh89tm8LNBjM9l63FESIh8RnSjwXROLbRc/BssaqIa+VO90n 68PRkyI20NFBm0PdmkIbdoKxWeUn3r5azhCtqhJY9dDGcpr1+XbxM74TGbT0MKXU 3oEZrGzW4A/FIvJKISJOfEzCBmI4KpDEh59lWVSoR3n1A6yZvEMl6ZKetHb+CJ3x uADXJixz8XtsaGy9es2iaxovM+ej+BUqwWYWXzAPspCqhq1Uq0VrnV8jre9VwROk ej1Itgt3Y5KT8CCFsVC0GO0GsCJp07XRX8Bje+PfYtlydE5HXJmEOk5FasDwI9Tp 2sQWscSQMIXIOIsp89K3c+5Xe2i3TwMdsVsMSzAvrUJOTw0CvEp11KFokUfCpfjb jxsLrXmzvBr8H23IxhQN7HEPUGL4Ky3xwN2qifw2BDy1Kg1jkisBBFayouRfQwy/ oVuimn3HxegCEQsAEQEAAbQOVGV0c3kgTWNUZXN0ZXKJAdQEEwEKAD4WIQS1K38R Wez5/SBILTLZzDYIF8rANgUCaR9ZvAIbAwUJA8JnAAULCQgHAgYVCgkICwIEFgID AQIeAQIXgAAKCRDZzDYIF8rANsjoC/4kIqMPDBTZSa9jMItkvPVv6gqx/bOkUOrO Jx8sxXrwUpptCePXv1aJn7rlwfpsrW3Q3hPkKnXNVCmHYqVsD5aWaIIt25ygpf+G nFOKCmU4yGRCCVtCmc0GTVSXD1Ut0xdABkb0rGc8pYmvMN10UDPJL7ua8Z2KK/Eg LtFslrav7ZLsa2qunLUhXdgoUb4fAs4BulMYdksUCvdAHbTD09+sxTVfJy5M50wp pohUSsmJL9YywFMoy8MueJ0iL4bksVIpOhp15Ye5nK+ME4asVZ2FPq1dKHgr9f47 eC8OBcKQmSPWbnKxZkOKQwCW9NGPRaZkMEEinonEtsnCCgAvL1vE0yuskFkWjTLH MtL0dLNTEnf5f940YEq07mxnFEVeNHTKvs/Pg4Dkzwws9P6TXCxdDMkvrDpOIAY2 pGDnKUW5VXUiPjmDwJsHzEHenyCPceCbEwREHcibGvU44HLcs/4YRQbwCARmGicn ZkCn2ezo8hkhJ+zxqMYv1Ee42h1sfZa5AY0EaR9ZvAEMAMZdsk1jlZY9MeCJzdfu Jno5AwAsVh6DHptlZLjnnw6fWiqimu0k37MZUCAEgGTla7KaitIz4H/SpFVM+KFR BllFk9FTmHmP4hTwQWs8+8i8sdazRctO+OmV7jQ+Rzvo5Wnza7+ZjlXeqqjRaHhz 74Z9tvE3yFGvgABLbYsOn0gvuBU7hwMv5eY9X2G6/PU2ASdZwk6N1QO1tnRGbkvA ddSvrHWfZsV+iRfElG02oYpuFMHADboDHUeqlrwSqcrE9UJWHSjYaqDPpxYJYZv4 L7570ewXF9NTSarL82Uz74p1Qvb02oy8YT9XIpjpcXM2ivesPADS6iFML8JXBVKO x7LNM/y0tcMY0VAMw0Rwe6c4tRkZMDZ2D81iFsPpZy9N1X9av2rCbBTISKnKybNa WHWczZYIaWjwqxlxMQvD4B75XKYq/Qaw7kd9WzVkM0hRiaM0CzMtCpP+jPSxrR6v dWgG8c9m++1IhKry1RWAKxiMG0wK/hL0F7iOpDEIBiJViwARAQABiQG8BBgBCgAm FiEEtSt/EVns+f0gSC0y2cw2CBfKwDYFAmkfWbwCGwwFCQPCZwAACgkQ2cw2CBfK wDa0fwv+PmDUvCl1g+duLs0HBXSLL/on945wt0BYTj7iRqcgP4chc0BAQLUBgmyh +EKjkA5fc4f/7XXxOBNJL2OnKd7wIct8KVHIRXRDSHw5lVFXMQibmpMobsy4/8eA bJwVsGpzN5MHk3qrmwbzizIz7QlgX4gMdoG1SiIWoLkxWNhx6fO/NTdy7eQLyITB pQm0KA9PwwWOapuBpXy5+adkkgZ09tJf/GE8uLAQp3rJtAmfAXuo+q1U4eT7Y0TN 7MgdNuN9SGuG+t4wD2rNB0LbXTlOxM+HmwmTktaLljJisKoDfgOjbpWmevco2huJ SXeA/ffQsJKioS4bAcrlqbso77hRh+Fx6sJgMxuPPh/x2uGtYbR74UwSzqpkTJn6 tHYoL12ZhlIEyhHqky17N9+ePGnXMIKXT0Du9C8Z97avQy1iJPEPbIzi99Moj2sj knBg6I7/haWceOqBpTaNTj8c/0qtKftw21JzA72pCYesLCtO9VbEAMNGGZbtXzUS Wtom7Lcm =8NCK -----END PGP PUBLIC KEY BLOCK-----
B52B7F1159ECF9FD20482D32D9CC360817CAC036, by the way, is my key's signature. If I'd added an email address into my metadata I could use that as an alias, but I didn't bother.
Anybody can import that into their own keyring with “gpg –import” (or whatever their graphical program calls it). Then they can encrypt a message to me. I'll try that now:
gpg --armor --encrypt You did not specify a user ID. (you may use "-r") Current recipients: Enter the user ID. End with an empty line: B52B7F1159ECF9FD20482D32D9CC360817CAC036 Current recipients: rsa3072/DFB6EA08D1E54F1C 2025-11-20 "Tetsy McTester" Enter the user ID. End with an empty line: This is my secret message! When I'm done typing it I'll press CTRL+D! -----BEGIN PGP MESSAGE----- hQGMA9+26gjR5U8cAQwAmHkUhdvE5GbbzbS4F3gPq61fU8F9xb8eTQ4LocYo9tn4 r/dahkNdmUSw3MdoJ1DVoCNqUFhjO1QOqWdzwQgYclJJ2fCE7xrV4ChfRGbTqF3n Cnu9xFiKk2NXWAQ9B/NksFzU92oRhNTD2mb/EyvGGheQPnSlcsNN4ghnnLI5g8HJ u7KhdO4S+Nyhe5q7eYYnWNGCrhOGxmRt7DwdlRZkBCAyUx0BI2TN5jZSD3pEycGw TQ56TijZuP2510ybJ8X8wosj1Jhb+AnGm7SQwLX4xDHKrlVtI7U71SpS1daEtCz+ uj23SXZkB0tjoXpLd4s8lqiTSgTQsJD1z+12+FsR6O/dzHFPfAUQenY45SldqS5n Kvk+t7UBVdRii5zuBxp9HD2hihQPO6fx5ya/KhZ2JVaEgZ2OYGw/mZXWPwdOFpc5 Z7kht0EUeiDfOE0xSEEW8ON2pyOwWWxdKUg4goiXSqUwy+h/yXp0eNp5Pf1tJyJZ gPm0LNrUEZHYoBbmEvvU0n8BdFuMN8NZeWzYM53Omjdefgn4jPiCH6o/18J/5v+0 hk4xpeFBOF2KJK3ak2KBBpwXMBQaL3h1xo5uHIXgS09fgarRl/KlJhOlQ2Kcw1y4 A123sHeI+pqazjndF9uDWlQT7LRQ3iuxmFMlcWj6d5AlQ7e+/TO6wKuas3ylknO2 =0jDF -----END PGP MESSAGE-----
There we have it! A secret message that can only be decoded using Testy McTester's secret key!
To try it, I put it into a file called “encrypted.txt” and then ran: gpg –decrypt encrypted.txt # (it prompted me for my private key's password at this point!)
gpg: encrypted with 3072-bit RSA key, ID DFB6EA08D1E54F1C, created 2025-11-20
"Tetsy McTester"
This is my secret message!
When I'm done typing it I'll press CTRL+D!
If I delete my new secret key:
gpg --delete-secret-keys B52B7F1159ECF9FD20482D32D9CC360817CAC036 gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. sec rsa3072/D9CC360817CAC036 2025-11-20 Tetsy McTester Delete this key from the keyring? (y/N) y This is a secret key! - really delete? (y/N) y
Then there's no absolutely no way to decrypt that message any more; no way on Earth! (Good job I already read it!)
gpg --decrypt encrypted.txt
gpg: encrypted with 3072-bit RSA key, ID DFB6EA08D1E54F1C, created 2025-11-20
"Tetsy McTester"
gpg: decryption failed: No secret key
That was a whirlwind tour of PGP/GPG, done in just about the hardest possible way. Most people using PGP for email use a plugin for their email software to do it for them, which does most of the heavy lifting. You can even use an email provider like ProtonMail who do it for you in your browser, which is pretty cool.