A: PGP is a program that gives your electronic mail something that it otherwise doesn't have: Privacy. It does this by encrypting your mail so that nobody but the intended person can read it. When encrypted, the message looks like a meaningless jumble of random characters. PGP has proven itself quite capable of resisting even the most sophisticated forms of analysis aimed at reading the encrypted text.
PGP can also be used to apply a digital signature to a message without encrypting it. This is normally used in public postings where you don't want to hide what you are saying, but rather want to allow others to verify that the message actually came from you. Once a digital signature is created, it is impossible for anyone to modify either the message or the signature without the modification being detected by PGP.
While PGP seems (and according to many of its users is) easy to use, it does give you enough rope so that you can hang yourself. You should become thoroughly familiar with the various options in PGP before using it to send serious messages. For example, giving the command pgp -sat <filename> will only sign and ASCII armor a message, it will not encrypt it. Even though the output looks like it is encrypted, it really isn't (it is the ASCII armor that looks so though). Anybody in the world would be able to recover the original text with a simple pgp <encryptedfilename>.
The graphical userinterface of PGP 5.x and higher also has its pittfalls, as Alma Whitten describes in Why Johnny Can't Encrypt - A Usability Evaluation of PGP 5.0: even with manuals and an introduction, three of the twelve participants accidently sent "secret" information unencrypted.
Make sure you thoroughly understand how to operate PGP prior to using it for confidential information.
A: You should encrypt your e-mail for the same reason that you don't write all of your correspondence on the back of a post card. E-mail is actually far less secure than the postal system. With the post office, your mail is handled by postal workers. Take a look at the header area of any e-mail message that you receive and you will see that it has passed through a number of nodes on its way to you. Every one of these nodes presents the opportunity for snooping, as do all systems that can listen in on the communication between these nodes. Encryption in no way implies illegal activity. It is simply intended to keep personal thoughts personal.
Crime? If you are not a politician, research scientist, investor, CEO, lawyer, celebrity, libertarian in a repressive society, investor, or person having too much fun, and you do not send e-mail about your private sex life, financial/political/legal/scientific plans, or gossip then maybe you don't need PGP, but at least realize that privacy has nothing to do with crime and is in fact what keeps the world from falling apart. Besides, PGP is FUN. You never had a secret decoder ring? Boo!
A: There are three different "product-lines" for PGP: PGP 2.x, PGP 5.x and higher, and GNU Privacy Guard.
A: All the 2.x versions are derived, more or less, from a common source base: PGP 2.3a, the last "guerillaware" version of PGP. Negotiations to make PGP legal and "legitimate" have resulted in the differing versions available; all of them, for the most part, are approximately equivalent in functionality, and they can all work with each other in most respects.
All versions of PGP after 2.3 produce messages that cannot be read by 2.3 or earlier (for patent-legal purposes, see Why can't a person using version 2.3 read my version 2.6 message?), although the "international" versions have a switch to enable the creation of messages in a compatible format. This is the legal_kludge=on option in the configuration file.
PGP 2.6.3i ("international") is a version of PGP developed from the source code of MIT PGP, which was exported illegally from the United States at some point. Basically, it is MIT PGP 2.6.2, but it uses the old encryption routines from PGP 2.3a; these routines perform better than RSAREF and in addition do not have the usage restrictions in the RSAREF copyright license. It also contains some fixes for bugs discovered since the release of MIT PGP 2.6.2, as well as several small enhancements. For more information, see the International PGP homepage
PGP 2.6ui ("unofficial international") is PGP 2.3a with minor modifications made so it can decrypt files encrypted with MIT PGP. It does not contain any of the MIT fixes and improvements; it does, however, have other improvements, most notably in the Macintosh version.
The 2.6.3(i)n version was developed to fullfill the policy of the Individual Network e.V. Certification Hierarchy.
A: The PGP 5.x and higher series include OpenPGP compatibility. Most versions include both a command line version (for all platforms) and one with a graphical user interface (for the Microsoft Windowses and Mac OS 8.x and 9.x). The most recent version is 7.1.2 .
A: GNU Privacy Guard is an OpenPGP compatible program, written from scratch and not based on the 2.x sources. For normal uses it is compatible with both the PGP 2.x and the PGP 5.x and higher versions. It mostly targets UNIX-like systems. The most recent version is 1.0.4.
A: The PGP 2.x series are freely available as open source software under the GNU General Public License, with no real limits on its use, at no cost (except the IDEA patent should you opt to include support for it, see What's with the patent on IDEA?).
A: GNU Privacy Guard is freely available as open source software, with no real limits on its use, at no cost (except the IDEA patent should you opt to include support for it, see What's with the patent on IDEA?). The website of the GNU Privacy Guard Project is the primary distribution point.
A: PGP 5.x and higher are commercial products. Network Associates bought PGP Inc., a company founded by Phil Zimmerman, and sells a whole range of products under the brand "PGP". The "original" email and file encryption PGP are called PGPmail and PGPfile respectively. See NAI for pricing and availability. There is a version available at no cost for strictly non-commercial use on http://www.pgp.com/products/freeware/.
Note that the free versions of PGP are free only for noncommercial use. If you need to use PGP in a commercial setting you should buy a copy of PGP from NAI. This version of PGP has other advantages as well, most notably its integration with common MS Windows and Mac OS applications, a limited license to export it to foreign branch offices and a license for IDEA. See below, under question Where can I obtain PGP?, for information on how to contact them.
A: In much of the civilized world, the use of encryption is either legal or at least tolerated. However, there are a some countries where such activities could put you in front of a firing squad! Check with the laws in your own country before using PGP or any other encryption product. A couple of the countries where the use of encryption is illegal are France, Iran, Russia and Iraq.
Export, import or sale of products that contain strong encryption is usually also subject to restrictions. These laws are usual implementations of the Wassenaar Arrangement, for example the International Traffic in Arms Regulation (ITAR). Check the laws of the relevant countries for more details.
The legal status of encryption in many countries has been gathered by Bert-Jaap Koops in the Crypto Law Survey.
A: In addition to the comments about encryption listed above (Is encryption legal?) and the licence on the PGP software package you are using, the major point of importance is the status of the patents on technologies used in PGP. The patent on IDEA is still valid, see What's with the patent on IDEA?. The patent on RSA has expired, but had a significant impact on the development and distribution of PGP, see What's with the patent on RSA?. For more information on patents in general, see the patent section of Ius Mentis.
A: IDEA is patented in the USA (US 5,214,703), Europe (EP-B-0482154)and Japan (JP 3225440) by Ascom Systec AG. This patent expires 25 May 2010 (USA) or 16 May 2011 (Europe and Japan). For strictly non-commercial use, the licence fee is waved by MediaCrypt AG.
If you need to use PGP 2.x or GPG with IDEA (i.e. for compatibility with the 2.x versions) for commercial use, you should contact MediaCrypt AG who are the distributor for the IDEA algorithm license for Ascom Systec AG, the patent holders for IDEA. They sell individual and site licenses for using IDEA in PGP. Contact:
Tel ++41 1 445 3070
Fax ++41 1 445 3071
For more information on patents in general, see the patent section of Ius Mentis.
A: Older versions of PGP (up to 2.3a) were thought to be violating the patent on the RSA encryption algorithm held by Public Key Partners (PKP), a patent that was only valid in the United States. This was never tested in court, however, and later versions of PGP have been made with various agreements and licenses in force which effectively settle the patent issue. So-called "international" versions and older versions (previous to ViaCrypt PGP 2.4), however, were still considered in violation by PKP. If you were in the USA, you used them at your own risk!
However, the patent has since expired, so there are no known patent issues with RSA now. For more information on patents in general, see the patent section of Ius Mentis.
A: Not really.
Of course, you can try using Google Groups if you are looking for articles about specific topics.
A: The GNU Privacy Guard project has a C-library for integrating GnuPG in applications called GPGME (GnuPG Made Easy). This is mostly targetted at UNIX-like platforms.
There is an older PGP 2.x-compatible C-library that can be used in programs called PGPlib.
NAI has a PGPsdk. available, but this not a software developer kit! The license explicitly restricts the use of the sourcecode to peer review only, development of programs with this source is not allowed. As a side note, also note that the license forbids you to make public bugs, errors, architecture issues and/or other problems with the source or compiled program without prior written permission of NAI.
Alternatively, you could write your programs to call the PGP program when necessary. In C, for example, you would use the system() or spawn...() functions to do this. This is fairly complex to do securely, so make sure you know what you are doing.
A: PGP 2.x in its many versions has been ported successfully to many different platforms, including the various Microsoft Windows versions, DOS, Mac OS, OS/2, Unix (just about all flavors), VMS, Atari ST, Acorn RISC OS (Archimedes), Commodore Amiga, EPOC and Palm OS. Most are listed on the International PGP product page.
For Mac OS 8.x and 9.x there is a freeware PGP-interoperable program called MacCTC.
For the EPOC operating system (as run by the Psion 5/5mx/Revo/S7/netBook and Nokia 9210) there is a port of PGP 2.6.3ia for EPOC.
If you don't see your favorite platform above, don't despair! It's likely that porting PGP 2.x to your platform won't be terribly difficult, considering all the platforms it has been ported to. Just ask around to see if there might in fact be a port to your system, and if not, try to port it yourself!
A: PGP 5.x and later is available for the various Microsoft Windows versions and the Mac OS 8.x/9.x. It is commercially available from NAI.
Note that PGP 7.x does not support Microsoft Windows XP (yet).
A: GNU Privacy Guard mostly targets UNIX-like systems and is known to work on GNU/Linux, GNU/Hurd, FreeBSD, OpenBSD, NetBSD and various commercial UNIX-like systems. There is also a commandline version for the various Microsoft Windows versions.
A: PGP is very widely available, so much so that a separate FAQ has been written by Micheal Paul Johnson for answering this question. It is called, Where to get the Pretty Good privacy program (PGP); it is posted in alt.security.pgp regularly, is in the various FAQ archive sites, and is also available online.
In short however:
The PGP 5.x and later versions are available for download and purchase via NAI.
The GNU Privacy Guard can be found from the GNU Privacy Guard project page.
Many of the previously mentioned versions, as well as older versions, are widely mirrored, for example at Zedz.net.
A: If this FAQ doesn't answer your question, there are several places for finding out information about PGP. Above all, the accompanying documentation of PGP and GPG should not be missed.
World Wide Web
http://www.stack.nl/~galactus/remailers/bg2pgp.txt: Although the documentation that comes with PGP is very complete, you might also want to read this guide. It covers all the basic steps needed to install and use PGP, and also gives you tips on how to use it more effectively.
http://www.stack.nl/~galactus/remailers/passphrase-faq.html: Your pass phrase is used to protect your PGP secret key. Here's how to generate and manage strong pass phrases. This may also be useful for creating passwords for other purposes.
PGP-related resources: A large collection of PGP-related Web sites, links to front-ends, and more.
http://www.stack.nl/~galactus/remailers/attack-faq.html: A very detailed analysis on the security of PGP and possible attacks.