Pretty Good Privacy (PGP) and GNU Privacy Guard (GPG) are two cryptographic software tools that provide data encryption, authentication, and integrity. They are used primarily to secure email communications and file transfers. For file transfers, PGP and GPG are particularly useful for providing data-in-motion security over unencrypted file transfer protocols like FTP and HTTP. They also provide data-at-rest encryption for files stored on a file transfer server.
JSCAPE MFT Server supports both PGP and GPG, so knowing how one compares with the other would be beneficial. That way, you can pick the best tool for your business.
Note: PGP and GPG are used for both files and email messages, so we’ll use the terms file and message interchangeably throughout the article.
PGP is a software tool that employs public-key cryptography to provide the following core functions to software applications like email and file transfer:
PGP can run on Linux, Android, macOS, and Windows devices. Although generally associated with messages and files, PGP can encrypt directories and entire disks.
The traditional method of using PGP is through the command line. However, many modern apps incorporating PGP functionality now allow you to interact with it through a graphical user interface. When you set up and use PGP on JSCAPE MFT Server, you usually do so through a graphical administrative web interface.
Developed by Phil Zimmermann over three decades ago, PGP has come a long way. The following significant events in its history shaped PGP into the ubiquitous tool it is today:
1991 - Phil Zimmermann develops PGP, public-key cryptography software that provides data confidentiality and authenticity.
1992 - PGP 2.0 is released and gains popularity as an email encryption tool.
1997 - PGP Inc., the company developing PGP, is acquired by Network Associates Inc (NAI).
1997-2007 - Zimmermann and his colleagues work with the Internet Engineering Task Force (IETF) to develop an open standard based on PGP, named OpenPGP. This work culminates in the OpenPGP standard specified in RFC 4880.
2002 - Former PGP developers form PGP Corporation, with Zimmermann as a consultant.
2010 - Symantec acquires PGP Corporation.
2019 - Broadcom acquires Symantec’s Enterprise Security software division, which includes PGP.
PGP encryption uses a combination of symmetric and asymmetric encryption algorithms. In symmetric encryption, the same key is used both to encrypt and to decrypt. Examples of symmetric encryption algorithms include AES, Blowfish, 3DES, and IDEA.
Asymmetric encryption, on the other hand, uses a key pair consisting of a public key and a private key. The public key encrypts files, while its corresponding private key decrypts them. The private key also creates a digital signature, which anyone holding the corresponding public key can validate. Examples of asymmetric (public-key) algorithms include Diffie-Hellman, RSA, ElGamal, and Elliptic Curve.
So, how exactly does PGP carry out encryption and decryption? Let’s discuss that next.
A typical PGP encryption and decryption process follows these basic steps:
In most modern applications, JSCAPE MFT Server included, these steps happen behind the scenes: the application performs them for you.
PGP encryption is mainly known for the following use cases:
Not all email clients provide encryption, and not all email servers encrypt the messages stored on their disks. These security gaps give threat actors opportunities to eavesdrop on email communication. PGP offers end-to-end encryption: a message is encrypted on the sending email client and stays encrypted as it passes through the email server to the receiving email client. Copies of the message remain encrypted even while stored on the email server.
PGP encryption can provide the much-needed protection absent in unencrypted file transfer protocols like FTP and HTTP. Moreover, it can add another layer of security when used alongside encrypted protocols like FTPS, HTTPS, and SFTP. Lastly, PGP can provide data-at-rest encryption to files stored in file transfer server hard drives.
OpenPGP refers to the open standard based on PGP. The OpenPGP standard, developed by the IETF and specified in RFC 4880, is meant to help developers and organizations create interoperable software that aligns with the principles of PGP. The GNU Privacy Guard (GPG) is a notable example of software developed following the OpenPGP standard. We’ll talk about GPG next.
GPG, a.k.a. GnuPG, is a free, open-source alternative to Symantec’s proprietary PGP. Developed by the Free Software Foundation, GPG is compliant with RFC 4880, meaning it adheres to the OpenPGP standard and hence possesses the core functionality of PGP: message encryption, authentication, and integrity verification. Like PGP, GPG runs on Windows, macOS, Linux, and Android.
Werner Koch initially developed GPG. Koch got the idea after attending a talk by Richard Stallman, founder of the GNU Project. The following events outline the key milestones of GPG’s history:
1997 - Werner Koch attends a lecture by Richard Stallman, who urges the audience to write a free, open-source version of PGP. Koch starts developing GPG and releases a beta version.
1999 - Koch releases GPG version 1.0.0, the first production version. The German government awards Koch a grant to make GPG run on Windows, among other objectives.
2014 - Koch receives additional funding for GPG from a crowdsourcing initiative.
Today, GPG is actively developed by Werner Koch with the help of a handful of other developers. As of this writing, the current version of GPG is 2.4.3.
Since GPG is patterned after PGP and follows the OpenPGP standard, its encryption method is the same as PGP's: a combination of symmetric and asymmetric encryption. Symmetric encryption encrypts and decrypts the files or messages, while asymmetric encryption distributes the symmetric keys.
As expected, GPG’s encryption and decryption process is also similar to PGP's, so please review the steps outlined above for PGP. Again, you don’t have to perform those steps manually. More often than not, whatever software application you use will perform them automatically.
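To make the hybrid layout described above concrete, here is an added example (not JSCAPE's or GnuPG's code) that walks the packets of a binary OpenPGP message as framed in RFC 4880: the first packet carries the session key wrapped with the recipient's public key, and the next carries the data encrypted under that session key. The sample bytes are constructed for illustration and do not contain real ciphertext.

```python
# Added example (not JSCAPE's or GnuPG's code): walks the packets of a binary
# OpenPGP message (RFC 4880 §4.2) to show its hybrid layout: a PKESK packet
# carries the asymmetrically wrapped session key, a SEIPD packet the symmetrically encrypted data.
TAG_NAMES = {1: "Public-Key Encrypted Session Key", 2: "Signature", 6: "Public-Key",
             8: "Compressed Data", 9: "Symmetrically Encrypted Data", 11: "Literal Data",
             13: "User ID", 18: "Sym. Encrypted Integrity Protected Data (SEIPD)"}
PK_ALGOS = {1: "RSA", 16: "ElGamal", 17: "DSA", 18: "ECDH", 19: "ECDSA"}

def parse_header(buf, pos):
    """Return (tag, new_format, body_len, header_len) for the packet at pos."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("bit 7 must be set in an OpenPGP packet tag octet")
    if first & 0x40:                     # new format: 6-bit tag, variable length
        tag, l0 = first & 0x3F, buf[pos + 1]
        if l0 < 192:
            return tag, True, l0, 2
        if l0 < 224:
            return tag, True, ((l0 - 192) << 8) + buf[pos + 2] + 192, 3
        if l0 == 255:
            return tag, True, int.from_bytes(buf[pos + 2:pos + 6], "big"), 6
        raise ValueError("partial body lengths are not handled in this example")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03   # old format: 4-bit tag
    if ltype == 3:
        raise ValueError("indeterminate length is not handled in this example")
    n = 1 << ltype                       # 1, 2 or 4 length octets follow
    return tag, False, int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), 1 + n

def parse_packets(buf):
    """Split a message into (tag, name, body) triples, rejecting truncation."""
    packets, pos = [], 0
    while pos < len(buf):
        tag, _new, blen, hlen = parse_header(buf, pos)
        body = buf[pos + hlen:pos + hlen + blen]
        if len(body) != blen:
            raise ValueError(f"packet with tag {tag} is truncated")
        packets.append((tag, TAG_NAMES.get(tag, f"tag {tag}"), body))
        pos += hlen + blen
    return packets

def describe_pkesk(body):  # v3 PKESK fixed fields (RFC 4880 §5.1)
    return {"version": body[0], "key_id": body[1:9].hex(),
            "algorithm": PK_ALGOS.get(body[9], str(body[9])),
            "wrapped_key_bits": int.from_bytes(body[10:12], "big")}

# Constructed sample, not a real message: PKESK (tag 1, RSA, fake 16-bit MPI) then SEIPD (tag 18).
SAMPLE = bytes.fromhex("c10e" "03" "0123456789abcdef" "01" "0010abcd"
                       "d20b" "01" "00112233445566778899")
def message_layout(buf):
    return [(tag, name, len(body)) for tag, name, body in parse_packets(buf)]
```

Running `message_layout` over a real `gpg --encrypt` output (after `gpg --dearmor` if it is ASCII-armored) shows the same two-packet shape, with one PKESK packet per recipient key.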
In most cases, the most you’ll have to do is:
The application will do the rest when it’s time to encrypt or decrypt.
Here’s a blog post detailing three options for generating PGP keys: Three Ways To Generate OpenPGP Keys.
One of the options uses Gpg4win, a software suite that includes GPG for Windows. That post also briefly covers importing your generated keys into JSCAPE MFT Server.
GPG has the same use cases as PGP, so we encourage you to review the similar section for PGP above.
Despite their striking similarities, PGP and GPG have two key differences: licensing and support.
PGP is closed-source, proprietary software, while GPG is free and open-source software, meaning the former typically requires licensing fees while the latter doesn’t. You’re also free to view and modify the GPG source code.
Like other proprietary software solutions, PGP offers customer support through an official support portal. With GPG, support isn’t as straightforward: you get help from the GPG community or from third-party service providers.
Since PGP and GPG are interoperable, especially for the most recent versions, you can use them side by side. However, if pressed to choose one, your choice will mostly depend on how you view the licensing and support aspects. If the availability and reliability of customer support are a big deal to you and you don’t mind paying a license fee, then PGP would be a better choice.
On the other hand, if you’re confident you can find answers or resolve GPG-related issues on your own or through a third party, then GPG would be the better one. Besides, it’s free.
Here are some tips for using PGP or GPG effectively: