PGP encryption
This blog post summarises everything you need to know about PGP encryption, so you can make an informed decision about whether it is the right choice for your requirements.
PGP stands for ‘Pretty Good Privacy’. It is an asymmetric encryption, which means it uses public and private keys to encrypt and then decrypt cipher text. It requires more work than symmetric encryption, which uses a shared key, but is generally considered better security.
PGP provides end-to-end encryption, integrity checking and authentication. It is commonly used for encrypting and decrypting texts, files, directories and whole disk partitions.
PGP Encryption: How does it work?
Asymmetric encryption uses two different keys to encrypt and decrypt each file, then two more keys to sign and verify each file. Both parties – sender and recipient – need to exchange their public keys before any transfer can take place.
The sender encrypts the file using the recipient’s public key. The recipient decrypts the file using their private key.
For integrity checking – to make sure the content hasn’t been tampered with – the sender uses their private key to ‘sign’ the encrypted file. For authentication – to check the sender is the sender you think it is – the recipient uses the sender’s public key to verify/validate the sender.
PGP and your file transfer solution
PGP Clients will manage the encryption/decryption automatically and are often implemented in FTP servers or as email client add-ons to secure the communication. The exchange of the public keys, however, will always be a manual process.
Any security is only as strong as its weakest point. Security-conscious organisations will usually physically exchange keys via a courier service, and set keys to expire (this is a bit like a password which expires and needs to be reset by the security team). But – as you will have gathered – the process of exchanging keys is time consuming. Most applications provide advance notice about expiring keys, so administrators can plan for the exchange to take place in advance.
Some applications allow you to create sub-keys with pre-configured expiry dates, so that you can plan ahead and have several years of automatic key replacement, avoiding potential outages. We know of some Managed File Transfer solutions that manage this process very effectively.
When to use PGP
PGP provides encryption at rest or can be used to protect a file at a particular stage in an otherwise non-encrypted workflow.
Let’s look at a recent example we discussed with a customer who had a PGP requirement for an accounts process. They needed to put files into a specific folder, where they would be PGP encrypted, then moved to another folder to be collected by the bank. This would by-pass a charge that the bank would otherwise make for the processes.
This requirement was driven by the fact that the bank used PGP, and the businesses needed to comply in order to save money.
The advantages of PGP
- Security is the big plus. PGP is generally considered more secure than symmetric encryption.
- Even if the channel transmitting the files becomes compromised, the private keys and files remain safe. Similarly, they are safe if the channel used to share public keys is compromised.
- Signing files is a built-in procedure, automatically authenticating the sender’s identity.
Disadvantages
- End-users need to exchange keys and use their encryption technology correctly. They often accidentally send their PRIVATE keys to each other.
- Slower performance than symmetric encryption.
PGP hacking fears
There’s been some publicity in recent years about Open PGP and hacking fears. In summary, malicious attackers can “spam” a public key sitting on a key server, adding these attestations over and over again until the key itself becomes too unwieldy to use by some software.
However, please be reassured this has no negative impact on your managed file transfer solution at all. When creating a transaction to move files between an MFT customer and an external customer, partner, supplier, or vendor it is always the two sides of the file transfer that coordinate the exchange of public keys, either through email or a file transfer protocol like SFTP. So since those public keys are not put onto a public Key Server, they will not have extraneous attestations attached to them, and both sides will be able to process the keys just fine.
Next steps
If you need to know more about secure file transfer protocols, encryption, or any other aspects of working with a Managed File Transfer (MFT) solution, take the Certified File Transfer Professional (CFTP). It is the only vendor-independent file transfer certification, equipping you with the knowledge you need to implement secure file transfer in your organisation.
Alternatively, if you are investigating which solutions have PGP capabilities, opt for our free MFT Comparison Service. Answer a series of questions about your requirements and our experts will recommend the best solution.
FAQs
What is PGP Encryption?
PGP or Pretty Good Privacy is an encryption program which can be used to encrypt emails, files or storage mediums. Originally created by Phil Zimmerman in 1991, PGP remains in strong use today due its strength and resilience against exploitation. PGP uses a mixture of compression, hashing, symmetric and asymmetric encryption to secure its target.
What are the benefits of using PGP Encryption?
Some of the benefits of using PGP for encryption include:
- Protection of files, irrespective of whether the communication channel used to send them is protected.
- When used for email encryption, it includes additional benefits such as sender verification to limit spoofing attempts.
- Its use in file transfer solutions is ubiquitous, meaning you can confidently share encrypted files with third parties who use different tools and ensure they are able to perform decryption.
- It has tenure of over twenty years. Being such a veteran of the IT industry means PGP is a mature solution which doesn’t suffer the bugs and frequent patching cycles which are characteristic of newer more bleeding-edge tools and solutions.
- It is simple to use and well documented. No one needs a training course in PGP.
What are some best practices for using PGP Encryption?
PGP has been deliberately crafted to be very easy to use, even for administrators who are new to it. However, there are a couple of recommendations which help to strengthen its usage:
- Where possible, do not reuse keys. PGP is well-known for its strength, however should a key be compromised, it would be wise to restrict its impact by limiting the reuse of keys. Create a new key-pair for each use case or trading partner.
- When creating a key-pair, try to use the strongest key length, key format and signing algorithms to ensure maximum protection. Also keep in mind that if sending encrypted content to a third-party, they may not support some of the selections and you may need to compromise.
- Set an expiration on your key-pairs of between one and two years. This forces the recreation of a key-pair which again limits exposure if an incumbent key-pair is compromised and serves as a point in time in which security and strength can be reviewed.
- If prompted for a passphrase on creation of a key-pair, ensure it is a strong passphrase. Passphrases are typically used to protect key-pairs in storage of MFT solutions. Without this, an exploit in the MFT solution could lead to compromised keys.
- Never share your private key with any third-parties.
Does MFT Software include PGP Encryption capabilities as standard?
All of the MFT solutions which Pro2col works with offers some PGP capability, whether that is encrypting files stored on disk or as a step for encrypting/decrypting files while moving them from source to destination.
However, in some cases PGP is an additional bolt-on or module which must be purchased for an additional fee. It is important to speak with your Account Manager to understand whether PGP is available out-of-the-box or as an additional module and whether it is something which your organisation could benefit from.
Which MFT Software includes easy-to-use PGP Encryption?
This largely depends on the solutions you are using or interested in. Some MFT solutions utilise PGP for disk encryption of file encryption when files are stored on-disk. In these cases, encryption using PGP is transparent to users and administrators, providing immediate benefits usually without any configuration requirements.
MFT solutions which use PGP as a step in automated workflows during sending or receiving of files will require some level of configuration. This may include the creation of a public and private key; or the import of either. In all cases, PGP has been designed to be very user friendly and while end users themselves would unlikely be exposed to such configuration, administrators will be untaxed by its requirements.
How can pro2col help a business with implementing PGP encryption for their file transfers?
With two-decades of experience as a company and over 65 in individual MFT expertise, there is nobody better placed to assist you with the implementation and use of PGP encryption in MFT solutions. We have assisted well over 1000 organisations in more than 35 countries with their file transfer and automation solutions, many of which employ the use of PGP.
Start your MFT journey today by taking our free file transfer comparison quiz, and our experts will match you to your ideal solution.
Do you have a new team? Or are you working with a new file transfer solution?
Get product-specific or vendor-independent training from the file transfer experts with over 16+ years’ experience.