PGP for Email: A Beginner's Guide to Public-Key Encryption
PGP underpins most encrypted email. Here's how public-key cryptography works, how to use it in practice, and whether you need it at all.
PGP (Pretty Good Privacy) is the encryption standard behind most private email. If you use ProtonMail, PGP is running under the hood — you just don’t see it. If you want more control, you can use PGP directly with any email client.
This guide explains how it works and when it makes sense to use it manually.
The Basic Idea
PGP uses public-key cryptography. Every user has two mathematically linked keys:
Public key: You share this with everyone. Post it on your website, email it to people, publish it on a keyserver. Anyone who wants to send you an encrypted message uses your public key to encrypt it.
Private key: You keep this secret. It’s protected by a passphrase you choose. Only your private key can decrypt messages encrypted with your public key. Never share it, never upload it anywhere.
The encryption works one way: public key encrypts, private key decrypts. You can freely share your public key because knowing it doesn’t let anyone decrypt your messages — only your private key can do that.
Key Generation with GPG
GPG (GNU Privacy Guard) is the most widely used free implementation of the OpenPGP standard. It’s available on every major platform.
macOS: Install via Homebrew (brew install gnupg) or use GPG Suite (gpgtools.org), which adds a GUI.
Windows: Use Gpg4win, which includes GPG, Kleopatra (key manager), and GpgOL (Outlook integration).
Linux: Usually pre-installed. Install via package manager if not (apt install gnupg).
To generate a key:
gpg --full-generate-key
You’ll choose the key type (RSA; the default is fine), the key size (4096 bits for stronger security), an expiration date, and a passphrase. Set an expiration date: a key with no expiration never lapses on its own if your private key is ever compromised.
The passphrase is important. Choose something long and memorable. It’s the last line of defense protecting your private key.
Key Management Basics
After generating:
Export your public key:
gpg --export --armor your@email.com > pubkey.asc
Share this file with anyone who wants to send you encrypted email.
Export a backup of your private key (keep this very secure):
gpg --export-secret-keys --armor your@email.com > private-key.asc
Store this encrypted backup somewhere safe — offline if possible. If your computer dies and you don’t have a backup, your private key is gone and you can’t decrypt old email.
Import someone else’s public key:
gpg --import theirpubkey.asc
Or search key servers:
gpg --keyserver keys.openpgp.org --search-keys their@email.com
Using PGP with Thunderbird
Thunderbird has native OpenPGP support as of version 78, so you don’t need an extension.
- Set up your email account in Thunderbird
- Go to Account Settings → End-To-End Encryption
- Click “Add Key” and import your existing GPG key, or generate a new one through Thunderbird
Once set up, Thunderbird will show an encryption icon when you compose to a contact whose public key you have. Click it to encrypt the message.
Key discovery: Thunderbird can look up keys from key servers automatically. If a contact has published their key on keys.openpgp.org, Thunderbird may find it automatically.
Using PGP with ProtonMail
If you use ProtonMail, you have two options:
Built-in (automated): ProtonMail manages PGP transparently. When you email another ProtonMail user, encryption is automatic. You don’t need to think about keys.
External keys: ProtonMail allows you to upload external contacts’ PGP keys and will use them for encryption when emailing those contacts. So if your contact uses Thunderbird with PGP and gives you their public key, you can import it into ProtonMail and your messages to them will be PGP-encrypted. Go to Contacts in ProtonMail, find the contact, and add their PGP public key.
The Trust Problem
PGP encryption is only as good as the certainty that the public key you’re using actually belongs to the intended recipient.
If someone publishes a fake public key claiming to be your colleague, and you encrypt mail to that fake key, they can read it. This is the “web of trust” problem.
Key verification approaches:
- In person: The most secure. Meet the person, exchange key fingerprints in person. A fingerprint is a short hex string uniquely identifying a key. Compare them manually.
- Phone verification: Call the person and read them your key fingerprint. They verify it matches what they have. Protects against passive interception but not against someone who can also intercept your phone calls.
- Trusted keyservers: keys.openpgp.org requires email verification, which gives some confidence that the key’s owner controls the email address. It doesn’t prove identity beyond that.
- Proton/Tuta key attestation: These providers attest that keys belong to their account holders. If you’re communicating within the same provider, you’re trusting the provider’s key management. For most users, this is fine.
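The in-person and phone approaches both come down to comparing two fingerprints exactly. As an added example (not from the original article), here is a small POSIX shell helper that normalises the ways people write or read a fingerprint out, refuses anything shorter than the complete 40-digit fingerprint (a bare key ID is not enough), and pulls the primary key's fingerprint out of gpg's machine-readable listing. The sample fingerprints and the gpg --with-colons output are constructed and belong to no real key.

```shell
#!/bin/sh
# Added example (not from the original article). Sample fingerprints and the
# gpg --with-colons listing below are constructed; they belong to no real key.

# Normalise a fingerprint as people write or read it out: drop whitespace and an
# optional "0x" prefix, force upper case, so "abcd 1234 ..." equals "ABCD1234...".
normalize_fpr() {
  printf '%s' "$1" | tr -d ' \t\n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Succeeds only when both values are complete 40-hex-digit (v4) fingerprints and
# identical. Anything shorter, such as an 8- or 16-digit key ID, is rejected:
# a key ID is just the tail of the fingerprint and a colliding one is cheap to make.
fingerprints_match() {
  a=$(normalize_fpr "$1"); b=$(normalize_fpr "$2")
  case "$a" in ''|*[!0-9A-F]*) return 1;; esac
  [ "${#a}" -eq 40 ] || return 1
  [ "$a" = "$b" ]
}

# Extract the primary key's fingerprint from `gpg --with-colons --fingerprint KEY`:
# the first "fpr" record (the one right after "pub") carries it in field 10.
primary_fpr_from_colons() {
  awk -F: '$1 == "fpr" { print $10; exit }'
}

# Constructed stand-in for what gpg prints for one key with one encryption subkey.
SAMPLE_COLONS='pub:u:4096:1:0123456789ABCDEF:1700000000:1731536000::u:::scESC::::::23::0:
fpr:::::::::FEDCBA9876543210FEDCBA980123456789ABCDEF:
uid:u::::1700000000::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA::Alice Example <alice@example.com>::::::::::0:
sub:u:4096:1:7777888899990000:1700000000:1731536000:::::e::::::23:
fpr:::::::::1111222233334444555566667777888899990000:'

LOCAL_FPR=$(printf '%s\n' "$SAMPLE_COLONS" | primary_fpr_from_colons)

# What you would run after the contact reads their fingerprint to you over the phone.
check_read_back() {
  if fingerprints_match "$LOCAL_FPR" "$1"; then echo match; else echo MISMATCH; fi
}
```

Replace SAMPLE_COLONS with the real output of gpg --with-colons --fingerprint for your own key, and pass the contact's read-back value to check_read_back.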
Do You Actually Need Manual PGP?
For most people: no. Using ProtonMail or Tuta handles PGP transparently and the security properties are good enough for nearly all use cases.
Manual PGP makes sense if:
- You need end-to-end encryption (E2EE) with contacts who use arbitrary email clients and have PGP keys
- You want key portability — your keys live on your hardware, not held by any provider
- You need to verify key fingerprints in-person (high-security use cases)
- You want to encrypt files and documents, not just email
The downside of manual PGP: it’s friction. Key management is genuinely complex. Getting it wrong — losing your private key, failing to verify a key, using a weak passphrase — creates real problems. Services like ProtonMail exist partly because the usability of raw PGP kept most people from using encryption at all.
Start with a provider like ProtonMail that automates this. If you hit a specific need that requires manual key control, layer in GPG at that point.
A Practical Starting Point
If you want to try PGP yourself:
- Install GPG or GPG Suite
- Generate a key pair
- Export your public key and share it with one trusted contact
- Have them encrypt a test message to you and try to decrypt it
- Encrypt a message to them using their public key
That exercise makes the concepts concrete in a way reading about it doesn’t.