GPG is great, and I use it all the time. I always think to myself that I do not use it enough. I refer to GPG instead of PGP since PGP is a paid for product, and GPG (or GnuPG) is the free open source equivalent. The main reasons I use GPG are:

Encryption

[caption id=”attachment_6107” align=”alignleft” width=”300”]Public key encryption Public key encryption[/caption]

Most of my files are GPG encrypted nowadays. For all my sins, I use Dropbox (Using SpiderOak is a no-go since their software is clunky and it has a tendency to get stuck, and unbeknownst to you, your backups do not work), and since I don’t really trust Dropbox, I make sure that all my files are encrypted (a combination of GPG and also efs4db, an encrypted filesystem written by me). My private key is kept safe with me, and Dropbox only have encrypted archives. If my Dropbox account gets compromised, then they will only have encrypted files, completely useless for them.

My password on my key is ridiculously long - 26 characters long and is completely unguessable.

Another great thing with GPG is that a file can be encrypted with multiple keys so that if you wanted to send a file to someone who also uses GPG, you can encrypt against their public key, and send them the encrypted file. Perfect!

I’m safe in the knowledge that a 768 bit RSA key took two years on a cluster having close to 100 computers to crack, and I am confident to say that it would take a couple hundred years to crack the 4096 bit RSA key on a large cluster and a couple million years on an average desktop system, so, in short, your average hacker will have turned back into carbon by the time they break the code.

Regardless of what you want to keep safe, GPG provides a free and safe way to do it, and is already trusted by millions of people.

Authenticity (Signing)

If you need someone to be sure you really sent something, you can digitally sign an email, a piece of software, source code, or anything else.

When you sign something, it will prove that it has not been modified between the time you signed it to the time they verified it. This is great for emails since it will prove whether or not the email was definitely sent from that person. If the signature is invalid or missing, then you know not to trust the message.

Some people take it further than just signing important emails - they sign all of them. This is a great idea, since if everyone used GPG and signed email as a matter of policy, then there would be no more phishing emails, no more fake emails with viruses in the attachments, since emails would be checked at the mail server level. Anything that did not have a valid signature would get discarded, or at the very least, alarm bells would ring with big red warnings in email clients. This would indeed reduce the number of times people click on links in these emails, thus preventing viruses or fraud. Also, if you were to sign all your emails, then by the time people get used to the weirdness in your email, they will know that if they get an email without the signature, then it would definitely not be from you, thus protecting your reputation, and the safety of your friends and family.