This blog post summarises everything you need to know about PGP encryption, so you can make an informed decision about whether it is the right choice for your requirements.
PGP stands for ‘Pretty Good Privacy’. It is an asymmetric encryption scheme, which means it uses a public key to encrypt and a matching private key to decrypt cipher text. It requires more work than symmetric encryption, which uses a single shared key, but is generally considered to offer better security.
PGP provides end-to-end encryption, integrity checking and authentication. It is commonly used for encrypting and decrypting text, files, directories and whole disk partitions.
PGP Encryption: How does it work?
Asymmetric encryption uses one pair of keys to encrypt and decrypt each file, and a second pair of keys to sign and verify it. Both parties – sender and recipient – need to exchange their public keys before any transfer can take place.
The sender encrypts the file using the recipient’s public key. The recipient decrypts the file using their own private key.
For integrity checking – to make sure the content hasn’t been tampered with – the sender uses their private key to ‘sign’ the encrypted file. For authentication – to check the sender is who you think it is – the recipient uses the sender’s public key to verify the signature, and so confirm that it really came from that sender.
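The workflow above, as an added toy example (not code from the original post): Alice and Bob each generate a key pair and exchange only the public halves; Alice encrypts for Bob’s public key and signs with her own private key; Bob decrypts with his private key and verifies with Alice’s public key. It assumes textbook RSA over constructed small primes with no padding, and one key pair per party where OpenPGP normally uses separate signing and encryption keys, so it illustrates the roles of the keys only and is not a usable cipher.

```python
import hashlib

# Constructed small primes for a toy; real PGP keys are 2048+ bits.
ALICE_PQ = (1000000007, 998244353)
BOB_PQ = (999999937, 1000000009)
E = 65537

def keypair(p, q, e=E):
    """(public, private), each key is (exponent, modulus)."""
    n = p * q
    return (e, n), (pow(e, -1, (p - 1) * (q - 1)), n)

def _rsa(m, key):
    return pow(m, key[0], key[1])

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, sender_priv):
    """Sender's PRIVATE key signs the digest: integrity + authentication."""
    return _rsa(_digest(data, sender_priv[1]), sender_priv)

def verify(data, sig, sender_pub):
    """Anyone holding the sender's PUBLIC key can check the signature."""
    return _rsa(sig, sender_pub) == _digest(data, sender_pub[1])

def encrypt(data, recipient_pub):
    """Recipient's PUBLIC key encrypts, one small chunk at a time."""
    size = (recipient_pub[1].bit_length() - 1) // 8 - 1   # leaves room for a 0x01 marker byte
    chunks = (b"\x01" + data[i:i + size] for i in range(0, len(data), size))
    return [_rsa(int.from_bytes(c, "big"), recipient_pub) for c in chunks]

def decrypt(blocks, recipient_priv):
    """Only the matching PRIVATE key recovers the chunks; the marker byte restores exact lengths."""
    width = (recipient_priv[1].bit_length() + 7) // 8
    return b"".join(_rsa(b, recipient_priv).to_bytes(width, "big").lstrip(b"\x00")[1:] for b in blocks)

def demo():
    """Returns (round_trip_ok, tamper_detected, wrong_key_rejected)."""
    a_pub, a_priv = keypair(*ALICE_PQ)       # Alice and Bob each generate a pair...
    b_pub, b_priv = keypair(*BOB_PQ)         # ...and exchange ONLY the public halves out of band
    msg = b"BACS batch 0042: 17 payments, total 12345.67 GBP"   # constructed sample file
    blocks, sig = encrypt(msg, b_pub), sign(msg, a_priv)      # Alice: encrypt for Bob, sign as herself
    got = decrypt(blocks, b_priv)                              # Bob: decrypt with his private key
    ok = verify(got, sig, a_pub)                               # Bob: verify with Alice's public key
    tampered = [(blocks[0] + 1) % b_pub[1]] + blocks[1:]       # a block altered in transit
    tamper_caught = not verify(decrypt(tampered, b_priv), sig, a_pub)
    wrong_key = not verify(msg, sig, b_pub)                    # Bob's key cannot vouch for Alice
    return got == msg and ok, tamper_caught, wrong_key
```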
PGP and your file transfer solution
PGP clients manage the encryption and decryption automatically, and are often built into FTP servers or added to email clients to secure the communication. The exchange of the public keys, however, will always be a manual process.
Any security is only as strong as its weakest point. Security-conscious organisations will usually physically exchange keys via a courier service, and set keys to expire (this is a bit like a password which expires and needs to be reset by the security team). But – as you will have gathered – the process of exchanging keys is time consuming. Most applications give advance notice of expiring keys, so administrators can plan for the exchange before the key lapses.
Some applications allow you to create sub-keys with pre-configured expiry dates, so that you can plan ahead and have several years of automatic key replacement, avoiding potential outages. We know of some Managed File Transfer solutions that manage this process very effectively.
When to use PGP
PGP provides encryption at rest or can be used to protect a file at a particular stage in an otherwise non-encrypted workflow.
Let’s look at a recent example we discussed with a customer who had a PGP requirement for an accounts process. They needed to put files into a specific folder, where they would be PGP encrypted, then moved to another folder to be collected by the bank. This would bypass a charge that the bank would otherwise make for the process.
This requirement was driven by the fact that the bank used PGP, and the business needed to comply in order to save money.
The advantages of PGP
- Security is the big plus. PGP is generally considered more secure than symmetric encryption.
- Even if the channel transmitting the files becomes compromised, the private keys and files remain safe. Similarly, they are safe if the channel used to share public keys is compromised.
- Signing files is a built-in procedure, automatically authenticating the sender’s identity.
The disadvantages of PGP
- End-users need to exchange keys and use their encryption technology correctly. They often accidentally send their PRIVATE keys to each other.
- Slower performance than symmetric encryption.
PGP hacking fears
There’s been some publicity in recent years about OpenPGP and hacking fears. In summary, malicious attackers can “spam” a public key sitting on a public key server by attaching certification signatures (attestations) to it over and over again, until the key itself becomes too unwieldy for some software to use.
However, please be reassured that this has no negative impact on your managed file transfer solution at all. When creating a transaction to move files between an MFT customer and an external customer, partner, supplier, or vendor, it is always the two sides of the file transfer that coordinate the exchange of public keys, either through email or a file transfer protocol like SFTP. Since those public keys are never put onto a public key server, they will not have extraneous attestations attached to them, and both sides will be able to process the keys just fine.
If you need to know more about secure file transfer protocols, encryption, or any other aspects of working with a Managed File Transfer (MFT) solution, take the Certified File Transfer Professional (CFTP). It is the only vendor-independent file transfer certification, equipping you with the knowledge you need to implement secure file transfer in your organisation.
Alternatively, if you are investigating which solutions have PGP capabilities, opt for our free MFT Comparison Service. Answer a series of questions about your requirements and our experts will recommend the best solution.
Do you have a new team? Or are you working with a new file transfer solution?
Get product-specific or vendor-independent training from the file transfer experts with over 16 years’ experience.