PGP vs GPG: The Key Differences Explained

PGP and GPG provide secure encryption and authentication, with PGP being proprietary and GPG open-source and free. Following Phil Zimmermann's PGP, GPG emerged as an OpenPGP-compliant free version. Your preference between PGP and GPG depends on your willingness to pay for licensing and support services.


Pretty Good Privacy (PGP) and GNU Privacy Guard (GPG) are two cryptographic software tools that enable data encryption, authentication, and integrity. These tools primarily secure email communications and file transfers. In the case of the latter, PGP and GPG can be particularly useful in providing data-in-motion security for unencrypted file transfer protocols like FTP and HTTP. They also provide data-at-rest encryption for files stored on a file transfer server.

JSCAPE MFT Server supports both PGP and GPG, so knowing how one compares with the other would be beneficial. That way, you can pick the best tool for your business.

Note: PGP and GPG are for both files and email messages, so we’ll use the terms interchangeably throughout the article.

What is Pretty Good Privacy (PGP)?

PGP is a software tool that employs public-key cryptography to provide the following core functions to software applications like email and file transfer:

  • encrypt files to preserve data confidentiality
  • authenticate the origin of those files to ensure they come from the expected source
  • validate the integrity of the said files to ensure they weren’t tampered with along the way

PGP can run on Linux, Android, macOS, and Windows devices. Although generally associated with messages and files, PGP can encrypt directories and entire disks.

The traditional method of using PGP is through the command line. However, many modern apps incorporating PGP functionality now allow you to interact with it through a graphical user interface. When you set up and use PGP on JSCAPE MFT Server, you usually do so through a graphical administrative web interface.

History of PGP

Developed by Phil Zimmermann over three decades ago, PGP has come a long way. The following significant events in its history shaped PGP into the ubiquitous tool it is today:

1991 - Phil Zimmermann develops PGP, a public-key cryptography software tool that provides data confidentiality and authenticity.

1992 - PGP 2.0 is released and gains popularity as an email encryption tool.

1997 - PGP Inc., the company developing PGP, is acquired by Network Associates Inc (NAI).

1997-2007 - Zimmermann and his colleagues work with the Internet Engineering Task Force (IETF) to develop an open standard based on PGP, named OpenPGP. This eventually leads to the OpenPGP standard specified in RFC 4880.

2002 - Ex-PGP developers form PGP Corporation, with Zimmermann as a consultant.

2010 - Symantec acquires PGP Corporation.

2019 - Broadcom acquires Symantec’s Enterprise Security software division, which includes PGP.

How does PGP encryption work?

PGP encryption uses a combination of symmetric and asymmetric encryption algorithms. Symmetric encryption is an encryption type wherein the encryption and decryption keys are the same. Examples of symmetric encryption algorithms include AES, Blowfish, 3DES, and IDEA.

On the other hand, asymmetric encryption encrypts using a key pair consisting of a public key and a private key. The public key is used for encrypting files, while its corresponding private key is used for decrypting them. The private key creates a digital signature, which can be validated using the corresponding public key. Examples of asymmetric encryption algorithms include Diffie-Hellman, RSA, ElGamal, and Elliptic Curve.

So, how exactly does PGP carry out encryption and decryption? Let’s discuss that next.

How to encrypt and decrypt data with PGP

A typical PGP encryption and decryption process follows these basic steps:

  1. Before any file transmission, the two parties that intend to exchange files must share each other’s public key. However, they should keep their respective private keys in their possession.
  2. Once one party is ready to send a file, the sender encrypts the file with a symmetric session key, a.k.a. symmetric one-time key. While it’s theoretically possible to encrypt the file with the recipient’s public key, asymmetric encryption is generally more computationally intensive than symmetric encryption.
  3. The sender then encrypts the symmetric key with the recipient’s public key. It’s fine to asymmetrically encrypt the symmetric key because the key will likely be much smaller than the file. But why use asymmetric encryption at all? Because it’s easier to share public keys than symmetric keys without compromising security.

    If you share symmetric keys, anyone who obtains those keys can decrypt your encrypted files, even files unintended for them. On the other hand, if you share public keys, only the party with the correct private key—i.e., the intended recipient—can decrypt a file encrypted with that private key’s corresponding public key.
  4. The sender sends the symmetrically encrypted file and the asymmetrically encrypted session key.
  5. Upon receiving the symmetrically encrypted file and the asymmetrically encrypted session key, the recipient first decrypts the asymmetrically encrypted session key with its private key. Once the session key is decrypted, the receiver uses that key to decrypt the file.

In most modern applications, JSCAPE MFT Server included, these steps happen behind the scenes: the application performs them for you.

PGP Encryption use cases

PGP encryption is mainly known for the following use cases:

End-to-end encryption for email

Not all email clients provide encryption. Also, not all email servers encrypt messages stored on their hard drives. These security gaps give threat actors opportunities to eavesdrop on email communication. PGP offers end-to-end encryption, encrypting messages from the sending email client to the receiving email client through the email server. Copies of the messages stay encrypted even while stored on the email server.

Secure file transfers

PGP encryption can provide the much-needed protection absent in unencrypted file transfer protocols like FTP and HTTP. Moreover, it can add another layer of security when used alongside encrypted protocols like FTPS, HTTPS, and SFTP. Lastly, PGP can provide data-at-rest encryption for files stored on file transfer server hard drives.

What is OpenPGP?

OpenPGP refers to the open standard based on PGP. The OpenPGP standard, developed by the IETF and specified in RFC 4880, is meant to help developers and organizations create interoperable software that aligns with the principles of PGP. The GNU Privacy Guard (GPG) is a notable example of software developed following the OpenPGP standard. We’ll talk about GPG next.

What is GNU Privacy Guard (GPG)?

GPG, a.k.a. GnuPG, is a free, open-source alternative to Symantec’s proprietary PGP. Developed by the Free Software Foundation, GPG is compliant with RFC 4880. This means it adheres to the OpenPGP standard and hence has the core functionality of PGP. It supports message encryption, authentication, and integrity verification. Like PGP, GPG can run on Windows, macOS, Linux, and Android.

History of GnuPG

Werner Koch initially developed GPG. Koch got the idea after attending a talk by Richard Stallman, founder of the GNU Project. The following events outline the key milestones of GPG’s history:

1997 - Werner Koch attends a lecture by Richard Stallman, who urges the audience to write a free, open-source version of PGP. Koch started developing GPG and released a beta version.

1999 - Koch releases GPG version 1.0.0, the first production version. The German government awarded Koch a grant to make GPG run on Windows, among other objectives.

2014 - Koch receives additional funding for GPG from a crowdsourcing initiative.

Today, the GPG encryption software is still actively developed by Werner Koch, with the help of a handful of other developers. As of this writing, the current version of GPG is 2.4.3.

Discover how to implement robust encryption solutions like PGP and GPG in your business. Book a demo with us to see how JSCAPE MFT Server can secure your data transfers and communications.

How does GPG encryption work?

Since GPG is patterned after PGP and follows the OpenPGP standard, its encryption method is similar to PGP’s. This means it uses a combination of symmetric and asymmetric encryption: symmetric encryption encrypts and decrypts the files or messages, while asymmetric encryption distributes the symmetric keys.

How to encrypt and decrypt data with GPG

As expected, GPG’s encryption and decryption process is similar to PGP's. Please review the steps outlined above for PGP. Again, you don’t have to perform those steps manually. More often than not, whatever software application you use will perform these steps automatically.

In most cases, the most you’ll have to do is:

  1. Generate your keys.
  2. Import your keys to the application.
  3. Point to the relevant key (e.g., public key for encryption) in a graphical user interface.

The application will do the rest when it’s time to encrypt or decrypt.

Here’s a blog post detailing three options for generating PGP keys: Three Ways To Generate OpenPGP Keys.

One of the options uses GPG4Win, a software suite that includes GPG for Windows. That post also briefly covers importing your generated keys into the JSCAPE MFT Server.

GPG Encryption use cases

GPG has the same use cases as PGP, so we encourage you to review the similar section for PGP above.

The key differences between PGP and GPG

Despite their striking similarities, PGP and GPG have two key differences: licensing and support.

Licensing

PGP is closed-source and proprietary, while GPG is open-source and free software. This means the former typically requires licensing fees, while the latter doesn’t. You’re also free to view and modify the GPG source code.

Support

PGP offers customer support through an official support portal like other proprietary software solutions. With GPG, however, support isn’t as straightforward. You can get help from the GPG community or third-party service providers.

Which is better for your business?

Since PGP and GPG are interoperable, especially for the most recent versions, you can use them side by side. However, if pressed to choose one, your choice will mostly depend on how you view the licensing and support aspects. If the availability and reliability of customer support are a big deal to you and you don’t mind paying a license fee, then PGP would be a better choice.

On the other hand, if you’re confident you can find answers or resolve GPG-related issues on your own or through a third party, then GPG would be the better one. Besides, it’s free.

Tips for using PGP or GPG

Here are some tips for using PGP or GPG effectively:

  1. Never share your PGP private key, and store it in a safe place. This will ensure only you can decrypt files meant for you.
  2. Update your software regularly. This mitigates not only PGP/GPG-specific threats but other cyber threats as well.
  3. Verify the authenticity of the other party’s public key. Every public key has a fingerprint. Over a secure channel, ask the other party what their public key’s fingerprint is and then compare it with the fingerprint of the key you have.
  4. Use a strong and unique passphrase to protect your PGP key.