When “pretty good” is good enough
PGP stands for “Pretty Good Privacy”. It’s a set of algorithms for encrypting, compressing, and signing data so that a specific person can open and read that data, without a third party being able to also do so. They call it “pretty good” because when you talk about encryption, one of the first things you have to assume is that it’s going to be broken, or is already broken and no one knows. It’s important to know that given enough time, money, and computing power; every encryption can be broken. You also have to realize, There are people in this world who have a much simpler method of breaking encryption and it’s usually called the 5$ wrench attack.

For the most part. Your data is not something that someone is going to spend billions of dollars trying to get at. So long as you’re not in a country that routinely violates human rights, you might also not be susceptible to the 5$ wrench attack. I should note however that it seems people in the United States have been held in prison on contempt of court charges for not giving up decryption keys to encrypted data. It could very well be that you forget passwords to encrypted data and end up languishing in jail. A truly cruel punishment.
More acronyms
So PGP is the standard however it is owned by Symantec and considered proprietary. An open, non proprietary version of this standard is called OpenPGP. OpenPGP is just a concept, a piece data outlining how OpenPGP works. GPG is actual code that does the things outlined in the OpenPGP standard.
All this lingo and stuff can be confusing so from now on I’ll just be talking about how to use GPG. All you need to take away from that is GPG is a program that let you use the stuff thats outlined in OpenPGP
A word on why
When you talk about securing yourself on the web you have to realize that it’s not just about securing you. Your life might not be at risk because of your views, your government, your ideals, or your beliefs. The thing is there are many people in this world who aren’t so lucky. Whistleblowers, Journalists, political dissidents opposed to fascist regimes all have to worry about whether or not they are going to be found out by someone who may not like what they have to say.
The truth is that using GPG, and encryption in general, normalizes the use of encryption. Imagine if you would, that nobody had locks on their front doors. When walking down the street, you would assume that the only door in the neighborhood with a deadbolt would be hiding something. This is a perfect analogy because it’s also a great response to people who say “Well I have nothing to hide why should I encrypt things”. You’re not hiding anything in your house, why have a lock on the door? Why have a door at all? The answer is that A: You don’t want people wandering in. B: You want to keep bad people out.
The same thing goes for encryption. Your identity is something that you need to protect. Identity theft occurs every day and it has far reaching implications. On top of that. As a society, we need Whistleblowers, Journalists, and yes, sometimes dissidents.
How does encryption work?
In order to talk about encryption, you usually have to talk about math. Lots of fairly complicated math. People write thesis’s on encryption algorithms and base their eitire mathematical careers off them. I’ve always found it to be a very intimidating way to approach the concept.
Basically, in order to encrypt something, you need a secret password that both you and the person you’re trying to contact know. This “shared secret” is then used to take your input data (your secret message) and transform it into something that is unrecognizable to an outside observer. Throughout history, this has taken many forms. One-time pads are very tight encryption, the enigma machine was famous for needing the first Turing machine to be built to crack it. If you want explanations as to how the math works for these, this isn’t the right blog.
Let me take you through a quick example using a One-time Pad. A One-time pad is called as such because in order for it to be secure, you can only use it once to encrypt data. Each successive use weakens it’s encryption strength. They’re basically two paper booklets that are identical to each other with random letters on them. Those random letters are identical in each pad as well. The two people wanting to send messages to one another should each have one.
When people talk about encryption they also always seem to use “Alice” and “Bob” as the people wanting to send messages. “Eve” is always the nefarious third party trying to spy on the communication. I don’t know why but make your own story up.
One-time pad encryption example
So let’s make our super secret one time pad. First we’re going to agree on a key. We’ll go elementary school style with just listing the numbers of the letters in the alphabet.
| A | B | C | D | E | F | G | H | I | J | K | L | M |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 01 | 02 | 03 | 04 | 05 | 06 | 07 | 08 | 09 | 10 | 11 | 12 | 13 |
| N | O | P | Q | R | S | T | U | V | W | X | Y | X |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 |
Next we’ll make our one time pad by generating a bunch of random letters. Important to note here that randomness is important to this whole thing. Most of the things you think are random are not. Truly random things are difficult, but we’re not dealing with life or death info.
I went to random.org/strings and got 20 random 2 character strings.
IM OT WM GU BY SH EB JR PU YC PV LW ZI CZ DB DM RU BH TY FV
I’ve arranged them in 2 letter groups because this next part is how we’ll encode/decode our message. Lets convert these to numbers. I’m just going to grab a couple to use as we won’t need all of them.
| IM | OT | WM | GU | BY | SH | EB | JR | PU |
|---|---|---|---|---|---|---|---|---|
| 0913 | 1520 | 2313 | 0721 | 0225 | 1908 | 0502 | 1018 | 1621 |
Circling back to GPG
Luckily though, I’ve found this

https://alexcabal.com/creating-the-perfect-gpg-keypair/
http://biglumber.com/index.html
https://www.linode.com/docs/security/authentication/gpg-key-for-ssh-authentication/
https://disjoint.ca/til/2017/10/05/a-guide-to-setting-up--managing-gpg-keys-on-a-yubikey-4/
https://github.com/drduh/YubiKey-Guide#22-install---macos
https://medium.com/@ahawkins/securing-my-digital-life-gpg-yubikey-ssh-on-macos-5f115cb01266
https://eklitzke.org/using-gpg-agent-effectively
https://superuser.com/questions/879977/how-to-have-a-different-pass-phrase-for-a-gpg-subkey