This page was last updated 6 December 2007.
PGP stands for Pretty Good Privacy, originally invented by Phil Zimmermann. It's a package of tools that allows you to send me mail (or files) encrypted so that only I can read them. Without encryption, anyone who has access to one of the many computers that the mail passes through on its way to me can read the content. Some governments with little respect for their citizens' privacy, such as the US and Chinese governments, routinely record personal communications. Unencrypted mail is like an open postcard, except that there are lots of mailmen on the way...
Many mailers now support PGP natively, or through simple plugins or add-ons that make encryption as easy as pressing a button. Also, PGP is not the only encryption package: GPG (GNU Privacy Guard) has very similar features and is fully compatible.
But your mailer must know the recipient's key to know how to encrypt the mail. It learns that by importing my personal public PGP key. Usually you just click on that link, save it on disk, and then tell your mailer about the file. The mailer will put the key into its "keyring", and you can then send me secure mail.
If you are curious, this is what a PGP key looks like:
And if you are wondering why I can publish this key without allowing everyone to read my secure mail: the neat thing about PGP is that there is one key for encrypting (the one you see here) and another key for decrypting it again (I keep that one secret). That's called an asymmetric cipher.
Paranoid people now wonder if the page you are looking at has been tampered with, and you are seeing a forged key. That's called a man-in-the-middle attack. To get around this, you can ask your mailer to tell you the key's fingerprint, a short string that uniquely identifies the key so you don't have to call me and verify the huge text block you see above. My key's fingerprint is
E843 B2A6 2AC3 629C 2CBB 1816 5BF7 AB73 AFF3 592B
Now you may wonder how you can be sure that the fingerprint isn't forged too. Well, you can call me up and ask me to verify it, but usually it's considered sufficient to scatter the fingerprint widely. I put it in every mail I send. An attacker would have a very hard time intercepting and forging them all.
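What a mailer computes when asked for a fingerprint, as an added example that is not part of the original page: for a version 4 OpenPGP key (RFC 4880) the fingerprint is the SHA-1 hash of the primary public-key packet, so a key swapped in transit yields a different fingerprint. The sample packet is constructed (not a real key), the function names are this example's own, and only old-format packet headers are handled.

```python
import base64
import hashlib

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"

def dearmor(text):
    """Decode the base64 payload of an ASCII-armored public key block."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    body = lines[lines.index(BEGIN) + 1:lines.index(END)]
    body = body[body.index("") + 1:]  # armor headers end at the blank line
    # A line starting with "=" is the CRC-24 checksum, not key material.
    return base64.b64decode("".join(ln for ln in body if not ln.startswith("=")))

def primary_key_body(packets):
    """Return the body of the leading old-format public-key packet (tag 6)."""
    head = packets[0]
    if (head & 0xC0) != 0x80 or ((head >> 2) & 0x0F) != 6 or (head & 0x03) == 3:
        raise ValueError("expected an old-format public-key packet")
    nlen = 1 << (head & 0x03)  # length field is 1, 2 or 4 octets
    size = int.from_bytes(packets[1:1 + nlen], "big")
    body = packets[1 + nlen:1 + nlen + size]
    if len(body) != size or body[:1] != b"\x04":
        raise ValueError("truncated packet or not a version 4 key")
    return body

def fingerprint_of(armored):
    """V4 fingerprint: SHA-1 over 0x99, a two-octet length and the key body."""
    body = primary_key_body(dearmor(armored))
    data = b"\x99" + len(body).to_bytes(2, "big") + body
    return hashlib.sha1(data).hexdigest().upper()

def matches(armored, published):
    """Compare a downloaded key with a fingerprint obtained out of band."""
    return fingerprint_of(armored) == "".join(published.split()).upper()

def armor(packets):
    """Wrap raw packets in ASCII armor (CRC line omitted in this sample)."""
    return "\n".join([BEGIN, "Version: constructed sample", "",
                      base64.b64encode(packets).decode(), END])

# Constructed toy packet (not a real key): v4, time 1, algorithm 1, two tiny MPIs.
SAMPLE_BODY = b"\x04\x00\x00\x00\x01\x01" + b"\x00\x08\xc3" + b"\x00\x02\x03"
SAMPLE_PACKET = b"\x99" + len(SAMPLE_BODY).to_bytes(2, "big") + SAMPLE_BODY
SAMPLE_ARMORED = armor(SAMPLE_PACKET)

if __name__ == "__main__":
    forged = armor(SAMPLE_PACKET[:-1] + b"\x05")  # one octet changed in transit
    print(fingerprint_of(SAMPLE_ARMORED), fingerprint_of(forged))
```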
In this day and age many people feel it's a good idea to routinely encrypt all mail. Would you send all your personal letters on open postcards? You can consider encryption as the electronic equivalent of putting your letter into a sealed envelope, except it's much more difficult to "open" an encrypted mail than to steam open an envelope. So, go ahead, send me secure mail!