How to Encrypt Email with PGP: A Realistic Beginner Guide
Published 2026-06-02
What PGP is, why it's still relevant in 2026, and how to use it for end-to-end encrypted email — with honest notes on why it's not as popular as it should be.
What PGP Does
PGP (Pretty Good Privacy) was the original program; today the name usually means the OpenPGP message format (RFC 4880) and its most widely used free implementation, GnuPG (GPG). Both encrypt and digitally sign email messages, files, and other data. A message encrypted to a recipient can only be read by whoever holds that recipient's private key (not your email provider, not the recipient's email provider, not anyone tapping the wire). A digital signature proves the message was produced by the holder of the signing key and wasn't altered afterwards; whether that key really belongs to the person you think it does is a separate question, covered under The Web of Trust below.
The conceptual model: every user generates a key pair (public + private). You share your public key freely. Anyone wanting to send you an encrypted message uses your public key to encrypt it; only your private key can decrypt it. For signing, the reverse: you sign with your private key, anyone with your public key can verify the signature.
Why It's Still Relevant
- Email is not end-to-end encrypted. TLS between mail servers is common but opportunistic (a hop that doesn't offer it simply receives plaintext), and every server along the path, plus the mailbox at rest, holds the readable message. Your email provider can read your email; their employees with sufficient access can too; subpoenas can compel disclosure
- For journalists, lawyers, activists, and anyone communicating sensitive material, end-to-end encryption is the only mechanism that keeps the content away from every provider in the path
- Signed Git commits and tags, Linux distribution packages (apt, rpm) and many software release tarballs are verified with OpenPGP signatures, so the tooling matters even to people who never encrypt an email
Why It Isn't Popular
- Key management is genuinely hard for non-technical users
- If you lose your private key (lost laptop, forgotten passphrase) you cannot decrypt your old encrypted email — ever
- Mobile support is patchy
- Web mail interfaces (Gmail, Outlook web) don't support PGP natively; you need browser extensions or external apps
- Both sender and recipient must use PGP for it to work; a one-way relationship doesn't
- Subject lines are NOT encrypted by PGP, and neither are the other headers (From, To, Date): only the body is. Sensitive details in subject lines leak. Some clients (Thunderbird among them) can move the subject inside the encrypted body as a "protected header", but only when both ends support it, so don't rely on it.
How to Get Started
- Pick a PGP tool. Recommended: GPG Suite (macOS), Gpg4win (Windows), or gnupg via your package manager (Linux). Mobile: OpenKeychain (Android), PGPro (iOS).
- Generate a key pair. One command: gpg --full-generate-key. The current GnuPG default (an Ed25519 signing key with a Curve25519 encryption subkey) is a good choice; RSA 4096 is the fallback if a correspondent's client is old. Set an expiry (1-2 years is conventional; you can extend it later with the private key, without changing the key itself) and pick a strong passphrase you'll remember.
- Publish your public key. Upload to keys.openpgp.org or include it on your personal website. People who want to send you encrypted mail look it up here. A key server only confirms that whoever uploaded the key controls the listed email address; it does not vouch that the key belongs to the person named on it, which is why recipients still compare fingerprints (see The Web of Trust below).
- Configure your mail client. Thunderbird has PGP built-in (Account Settings → End-to-End Encryption). Apple Mail uses GPG Suite. Outlook needs the GpgOL plug-in.
- Back up the private key. Export it to an encrypted USB drive in a safe location. Without it you cannot read your encrypted mail. Back up the revocation certificate GnuPG writes alongside the keyring when it generates the key as well: it is how you tell your correspondents the key is dead if the laptop is lost or the passphrase forgotten.
The Web of Trust
PGP's original trust model was the Web of Trust: users sign each other's keys after verifying identity in person (or via voice + visual confirmation). The collected signatures form a graph; you trust keys that are signed by people you already trust.
The Web of Trust never scaled and is mostly a historical curiosity today. Modern users download a key from a key server or a web page and then verify its fingerprint over a second channel (a phone call, a video call, or in person): the key server only tells you that a key exists, not who holds it. Once the fingerprint matches, sign the key locally so your software stops warning about it; for high-stakes communication, exchange keys in person.
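The steps under How to Get Started above, together with the fingerprint check just described, as one complete added example (not part of the original guide): a constructed exchange between Alice and Bob. The names, email addresses, passphrases and message text are made up; the two keyrings are throwaway directories created with mktemp, so the script never touches ~/.gnupg. It assumes GnuPG 2.1 or newer on PATH and uses the non-interactive --batch --gen-key parameter file in place of the interactive gpg --full-generate-key prompts:

```bash
#!/usr/bin/env bash
# Added example, not from the original guide: a constructed exchange between
# Alice and Bob. Each side gets a throwaway keyring under mktemp -d, so ~/.gnupg
# is never touched. Names, addresses, passphrases and the message are made up.
# Requires GnuPG 2.1 or newer on PATH.
set -u

# 1. Generate a key pair non-interactively (the batch form of gpg --full-generate-key).
#    Ed25519 for signing plus a Curve25519 encryption subkey is GnuPG 2.3+'s default;
#    use Key-Type/Subkey-Type RSA with Key-Length/Subkey-Length 4096 only for old peers.
pgp_gen_key() {   # <homedir> <name> <email> <passphrase>
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --gen-key <<EOF
Key-Type: eddsa
Key-Curve: ed25519
Subkey-Type: ecdh
Subkey-Curve: cv25519
Subkey-Usage: encrypt
Name-Real: $2
Name-Email: $3
Expire-Date: 2y
Passphrase: $4
%commit
EOF
}

# 2. The public key is what you publish; the fingerprint is what you read out to
#    your correspondent over a second channel (phone, video, in person).
pgp_export_pub()  { gpg --homedir "$1" --batch --armor --export "$2"; }   # <homedir> <email>
pgp_fingerprint() {                                                      # <homedir> <email>
    gpg --homedir "$1" --batch --with-colons --fingerprint "$2" |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# 3. Import a correspondent's key from stdin, compare its fingerprint with the one
#    they gave you out of band, and only then certify it (local, non-exportable
#    signature). A key server download alone is an unverified claim, and gpg --batch
#    refuses to encrypt to a key it cannot validate.
pgp_trust_peer() {   # <homedir> <own-passphrase> <peer-email> <expected-fingerprint>
    gpg --homedir "$1" --batch --quiet --import || return 1
    local got
    got=$(pgp_fingerprint "$1" "$3")
    [ "$got" = "$4" ] || { echo "fingerprint mismatch for $3: $got" >&2; return 1; }
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase "$2" \
        --quick-lsign-key "$4" && gpg --homedir "$1" --batch --quiet --check-trustdb
}

# 4. Sign with your own key and encrypt to the recipient: stdin -> armored stdout.
pgp_send() {   # <homedir> <own-passphrase> <recipient-email>
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase "$2" \
        --armor --sign --encrypt --recipient "$3"
}

# 5. Decrypt and verify: plaintext -> stdout, machine-readable status -> fd 2.
#    GOODSIG: the signature checks. DECRYPTION_OKAY: the ciphertext was intact.
pgp_receive() {   # <homedir> <own-passphrase>
    gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase "$2" \
        --status-fd 2 --decrypt
}

# What an eavesdropper sees with no key at all: packet framing including the
# recipient's (sub)key ID. The Subject header is not in this blob; it travels in the clear.
pgp_count_recipients() {   # <homedir>; armored message on stdin
    gpg --homedir "$1" --batch --list-packets 2>/dev/null | grep -c 'pubkey enc packet'
}

# 6. Back up the private key (armored, still passphrase-protected); the revocation
#    certificate gpg wrote at generation time belongs in the same backup.
pgp_backup() {   # <homedir> <passphrase> <email> <outfile>
    gpg --homedir "$1" --batch --pinentry-mode loopback --passphrase "$2" \
        --armor --export-secret-keys "$3" >"$4" && chmod 600 "$4"
}

# The whole exchange end to end; returns 0 only if every step verified.
pgp_demo_run() {   # <alice-homedir> <bob-homedir>
    local alice=$1 bob=$2 pa='alice-demo-passphrase' pb='bob-demo-passphrase'
    local msg='Meet at 10:00. Bring the documents.' fpr_a fpr_b cipher status
    pgp_gen_key "$alice" 'Alice Example' alice@example.org "$pa" || return 1
    pgp_gen_key "$bob"   'Bob Example'   bob@example.org   "$pb" || return 1
    fpr_a=$(pgp_fingerprint "$alice" alice@example.org)
    fpr_b=$(pgp_fingerprint "$bob"   bob@example.org)
    # Swap public keys; the fingerprints passed here stand in for the phone call.
    pgp_export_pub "$alice" alice@example.org | pgp_trust_peer "$bob"   "$pb" alice@example.org "$fpr_a" || return 1
    pgp_export_pub "$bob"   bob@example.org   | pgp_trust_peer "$alice" "$pa" bob@example.org   "$fpr_b" || return 1
    cipher=$(printf '%s' "$msg" | pgp_send "$bob" "$pb" alice@example.org) || return 1
    [ "$(printf '%s\n' "$cipher" | pgp_count_recipients "$bob")" = 1 ] || return 1
    status=$(printf '%s\n' "$cipher" | pgp_receive "$alice" "$pa" 2>&1 >"$alice/plain.txt") || return 1
    [ "$(cat "$alice/plain.txt")" = "$msg" ] || return 1
    grep -q '^\[GNUPG:\] GOODSIG '       <<<"$status" || return 1
    grep -q '^\[GNUPG:\] DECRYPTION_OKAY' <<<"$status" || return 1
    pgp_backup "$alice" "$pa" alice@example.org "$alice/alice-secret.asc" || return 1
    head -n 1 "$alice/alice-secret.asc" | grep -q 'BEGIN PGP PRIVATE KEY BLOCK' || return 1
    [ -f "$alice/openpgp-revocs.d/$fpr_a.rev" ] || return 1
    echo "Alice ($fpr_a) received a message signed by Bob ($fpr_b)"
}

pgp_demo() {   # creates the two keyrings, runs the exchange, cleans up
    local alice bob rc
    alice=$(mktemp -d) && bob=$(mktemp -d) || return 1
    pgp_demo_run "$alice" "$bob"; rc=$?
    gpgconf --homedir "$alice" --kill gpg-agent 2>/dev/null
    gpgconf --homedir "$bob"   --kill gpg-agent 2>/dev/null
    rm -rf "$alice" "$bob"
    return "$rc"
}

command -v gpg >/dev/null 2>&1 && pgp_demo || echo "demo did not complete (is GnuPG 2.1+ installed?)" >&2
```

Two things in the status output are worth reading separately. GOODSIG only says the signature is mathematically valid against a key in your keyring; the TRUST_ line that follows it reports whether you have certified that key, which is what the fingerprint comparison and --quick-lsign-key step buys you. The --list-packets step shows what a passive observer learns without any key: the recipient's (sub)key ID, the algorithm and the size of the ciphertext, while the Subject and address headers were never inside the encrypted blob to begin with.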
Alternatives Worth Knowing
- Signal: end-to-end encrypted messaging that's drastically easier than PGP. Not email, but covers most use cases people want PGP for.
- ProtonMail / Tutanota: end-to-end encrypted email between users of the same service, with automatic key management. Less universal than PGP but vastly easier.
- S/MIME: certificate-based email encryption, mostly used in enterprise environments. Different ecosystem from PGP.
When to Actually Use PGP
- Communicating with sources as a journalist
- Discussing legal matters with a client who insists on encryption
- Signing your Git commits and software releases (the most common modern use)
- Sending sensitive documents to a recipient who has a PGP key and prefers it
For day-to-day email, Signal or ProtonMail is dramatically easier and covers 90% of the use case.
Related Guides
See also: how to verify a sender, how DKIM signing works (a different cryptographic email mechanism), and our VPN/Tor/temp mail comparison.