What are PGP keys even for?

they attach their public keys so you can use them to encrypt a message that only they can decrypt and read (with their private keys)
also you can attach a signature to a message, if the signature decrypts correctly with the person's public key then that implies that it was signed with the person's private key, which guarantees that the message is actually coming from that person, and not from some random imposter running a man in the middle attack or whatever. but to do this verification you need to know the person's public key, hence people tend to publish and spread their public keys far and wide
 
A public PGP key is saying 'Anything you encrypt with this key can only be read by me'. It's a way of proving identity. If you send a message to someone encrypted with their public key, they are the only party that can read it.
 
The messages always come decrypted whenever I spot a PGP key in the wild. Is this all just a larp?
That would be a signature, then. The keys can be used for secrecy, but also authenticity. It's been a while since I internalized the cryptography involved, but it's nothing particularly complicated.
 
It's been a while since I internalized the cryptography involved, but it's nothing particularly complicated.
The easiest way I know to think about or explain it is: you can probably multiply 13 x 17 in your head, but factoring 221 is a good bit harder. Scale those up to 128 or 1024 bits, and the same holds for every computer in the universe.

So you "multiply" (a bit more complicated than that, but for the metaphor) your message by that composite number 221, and someone else can use your public key to prove that you needed your private key to generate it, without actually being able to factor back down to your private key.
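
Added example, not part of the original posts: textbook RSA built on the 13 x 17 = 221 numbers from the post above, showing both uses the thread describes (signing with the private key, encrypting to the public key) and why a modulus this small protects nothing. The public exponent 5, the function names and the sample values are assumptions made for illustration; real OpenPGP adds padding and hybrid encryption, which this leaves out.

```python
"""Textbook RSA on the thread's toy primes. Illustration only: no padding,
tiny modulus, and not the encoding real OpenPGP uses."""
import hashlib
from math import gcd

P, Q = 13, 17                # secret primes (from the post above)
N = P * Q                    # 221: public modulus, safe to publish
PHI = (P - 1) * (Q - 1)      # 192: only computable if you know P and Q
E = 5                        # public exponent (assumed; must be coprime to PHI)
assert gcd(E, PHI) == 1
D = pow(E, -1, PHI)          # 77: private exponent, since 5 * 77 = 385 = 2*192 + 1


def digest(message: bytes) -> int:
    """SHA-256 reduced into the toy modulus (real schemes pad the full hash)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, d: int = D) -> int:
    """Authenticity: private keyholder -> anyone holding the public key."""
    return pow(digest(message), d, N)


def verify(message: bytes, signature: int) -> bool:
    """Needs only the public values (E, N)."""
    return pow(signature, E, N) == digest(message)


def encrypt(m: int) -> int:
    """Confidentiality: anyone with the public key -> private keyholder.
    OpenPGP would encrypt a random session key here, not the message itself."""
    if not 0 <= m < N:
        raise ValueError("plaintext must be smaller than the modulus")
    return pow(m, E, N)


def decrypt(c: int, d: int = D) -> int:
    return pow(c, d, N)


def recover_private_exponent(n: int, e: int) -> int:
    """Trial-division factoring: instant for 221, infeasible for a 2048-bit
    modulus, which is the whole security argument."""
    p = next(k for k in range(2, n) if n % k == 0)
    return pow(e, -1, (p - 1) * (n // p - 1))


if __name__ == "__main__":
    msg = b"constructed sample message"
    sig = sign(msg)
    print("signature", sig, "verifies:", verify(msg, sig))
    print("encrypt(42) =", encrypt(42), "-> decrypt =", decrypt(encrypt(42)))
    print("private exponent recovered from public key:", recover_private_exponent(N, E))
```

A signed message stays readable by everyone, which is why signed posts "come decrypted"; only the `encrypt` path hides content.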
 
All email is plain text. Absolutely nothing stops your landlord/corporate/university (local network operator), your ISP, any ISP along the way, the government, the destination's local network, or any malware from reading your email. It is a plain document. It is http without the s.

pgp and https work similarly but one is more cumbersome. When you go to an https:// site you actually do a handshake to check the security key, however it has to be "signed" by a Certificate Authority to be valid. if you ever get a "self-signed" certificate error, that just means it's valid SSL but it's not signed by an authority (an important distinction because it means it could be an attacker).

When you want to encrypt email so only the recipient can read it, you have to do this authentication manually. This usually means you request their pgp key. Then, you upload this key to your email provider. You say you trust it. To respond, the recipient also needs to know your public key. So you usually have to send it. If you are contacting someone for the first time it is common practice, if you know they are a privacy-conscious person, to send them your public key so they can write you back without asking for it. It is normal to do this any time you email with encryption.

This is a big pain in the ass specifically because there is no certificate authority for pgp keys. There are a few open repositories, called key servers, which allow you to publish your pgp keys so people can look them up first without having to ask. Proton manages keys for you and any email between two Proton customers is automatically encrypted this way because it maintains its own keyserver (sort of like how you don't have to ask for keys to handshake an https certificate that's not self-signed).
 
The messages always come decrypted whenever I spot a PGP key in the wild.
Are you sure you're looking at an encrypted mail and not just a signed one?
PGP keys serve a dual purpose as both creating confidentiality (public keyholder -> private keyholder) as well as authenticity (private keyholder -> public keyholder).
 
There's a third way - you can have email that is signed/encrypted by p12 keys issued by a CA. It's a pain in the ass, but somewhat supported by the big mail clients (outlook, apple mail, gmail, etc).


it's kinda bullshit but it's also something a company can just enable for all their faggots

on the Internet at large the main thing GPG/PGP keys do is verify linux updates and suchwith.

an example: https://www.digitalocean.com/commun...-to-add-external-repositories-on-ubuntu-22-04
 