Why I Don't Use PGP / GPG

I’ve evaluated PGP/GPG for my personal use and I’ve decided to avoid it completely. I’m sharing my reasoning in this blog post.

Best practice

I dove into this subject believing that PGP was best practice. It is prominent in the Codeberg / GitHub interfaces. Every email client supports it. Security focused organisations put their PGP keys close to their email addresses on their websites.

It’s easy to believe that PGP is still a good thing. But, as always with cryptography, things are complicated.

Storytime

I started to read a lot about PGP. I’ve read about how it organises keys, how you do key rollovers, revocation certificates, and how you construct your digital identity around a primary key and subkeys. This doesn’t just sound complicated; it is!

I bought Yubikeys instead of FIDO-only keys so that I could use PGP with hardware keys. I spent at least one full day of frustration automating key generation and backup. GPG is horrible for scripting, by the way. I’ve never had a worse time automating a CLI. I set up a web key directory (WKD) for my custom domain. Feel free to use my code if you really want to use PGP.

To be clear, all of this works. Kind of, at least. It’s just really awkward and complicated. And the shortcomings I learned about started to accumulate. Here’s a non-exhaustive list:

  1. Every email address you add to your PGP identity becomes public.
  2. If you upload your key to a keyserver, that address is an easy target for spammers.
  3. If you use a web key directory instead (like I tried to), most PGP software will not find your key by default.
  4. A Yubikey holds only one set of PGP keys, forcing you to use the same keys everywhere.
  5. Clients encrypt only to the latest key they know for an address, which means you need the same key on all devices. If one is compromised, all are.
  6. Many clients, like my web mail client, don’t support Yubikeys.
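To make item 3 concrete, here is an added example (not the author's WKD setup code) that computes the lookup URLs a client has to try for a Web Key Directory, following draft-koch-openpgp-webkey-service. The local part of the address is lowercased, hashed with SHA-1, and z-base-32 encoded to form a file name under `.well-known/openpgpkey/`. There are two serving methods, "advanced" (a separate `openpgpkey.` subdomain) and "direct" (the mail domain itself); a client that only tries one of them will not find a key published the other way. The address `Joe.Doe@Example.ORG` is just the draft's sample address, not anyone's real key.

```python
"""Compute OpenPGP Web Key Directory (WKD) lookup URLs for an email address.

Added example, not the blog author's setup code. Follows
draft-koch-openpgp-webkey-service: lowercase the local part, SHA-1 it,
z-base-32 encode the digest, and place the result under .well-known/openpgpkey/.
"""
import hashlib
from urllib.parse import quote

# z-base-32 alphabet as used by WKD (Zooko's variant, not RFC 4648 base32).
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32, most-significant bit first, zero-padded to 5 bits."""
    nbits = len(data) * 8
    pad = (-nbits) % 5
    value = int.from_bytes(data, "big") << pad
    nbits += pad
    return "".join(
        ZBASE32_ALPHABET[(value >> (nbits - 5 * (i + 1))) & 0x1F]
        for i in range(nbits // 5)
    )


def wkd_hash(local_part: str) -> str:
    """WKD file name: z-base-32 of SHA-1 of the lowercased local part (32 chars)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(address: str) -> dict:
    """Return the advanced- and direct-method URLs a client would try for `address`."""
    local_part, _, domain = address.rpartition("@")
    if not local_part or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()          # the domain in the URL is always lowercased
    name = wkd_hash(local_part)
    # The ?l= parameter carries the original (not lowercased) local part so the
    # server can match the exact user ID; the hashed name is what selects the file.
    l_param = quote(local_part, safe="")
    advanced_base = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    direct_base = f"https://{domain}/.well-known/openpgpkey"
    return {
        "advanced": f"{advanced_base}/hu/{name}?l={l_param}",
        "direct": f"{direct_base}/hu/{name}?l={l_param}",
        # Each method also has a policy file that must exist for the method to be valid.
        "policy_advanced": f"{advanced_base}/policy",
        "policy_direct": f"{direct_base}/policy",
    }


if __name__ == "__main__":
    # Sample address taken from the WKD draft; constructed input, no real key behind it.
    for url_kind, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{url_kind:16} {url}")
```

The practical check when a client cannot find your key: fetch both `hu/` URLs and both `policy` URLs with curl and confirm the advanced-method subdomain has a valid TLS certificate, since a client that tries the advanced method first will give up on a certificate error before falling back to the direct method.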

I became suspicious. I was “discussing” the details of my setup with an LLM. It was of course telling me how great my ideas were and how awesome my setup was. I had the impression of having a critical brainstorm, while the model was blindly reinforcing my (bad) ideas. This is a systematic problem with LLMs.

I eventually understood that something was off. I did proper research, with real sources. It nearly hurt to learn how far off I had wandered.

PGP considered dangerous

Experts in applied cryptography gave up on PGP a long time ago. They consider it so fundamentally broken that using it is seen as dangerous, because it gives a false sense of security. Some still do cryptanalysis on it, and their findings are horrible.

PGP tries to do everything and does so poorly. There’s always a better tool for the job.

Email encryption

So how should I do end-to-end email encryption? The answer is, frankly: don’t even bother. Email privacy is so fundamentally broken that using PGP or some other E2E scheme is a lost cause. The system is so easy to misuse that you can’t be sure your messages stay private.

The alternatives are just too good. Use Signal, or Matrix. Signal is a good case to show the difference. It is dead simple. At no point do you care about keys, certificates and all this crap that’s only interesting to CS majors. My grandma uses Signal. It took her one minute to figure it out. Why would anyone ever go back to something as user-hostile as PGP?

Signal is centralized

Signal is considered the gold standard in private communication, and I believe rightfully so. Yet there’s a problem with it: Signal is a centralized service. If political actors in the United States decide to pull the plug, the lights go out. The same happens when AWS has reliability issues.

There are people who consider the centralized nature of Signal a no-go. This is a question of ideology, and I understand and respect this position. I partly share it, too. Yet I feel that Signal has its place, and I’m nudging my peers to use it.

Why is Signal not distributed?

I can only speculate, of course. I think Signal made a trade-off. They’ve built the best secure messenger they could. Their resources are not unlimited, and they chose a centralized architecture because it simplifies certain things considerably: usernames, spam protection, key distribution, and so on.

A decentralized alternative: Matrix

Matrix is a federated chat protocol: your username contains your server, like an email address does. I see it as the successor of email: it is federated, end-to-end encrypted and realtime capable.

The apps implementing it seem to focus on group chats, but you can have private messages just fine. There has been criticism of its security. I feel like it is still in good shape and recommendable. Signal has better usability, though.

Wrap-up

I’m not using PGP and you probably shouldn’t either. It doesn’t follow modern cryptographic best practices and is considered obsolete today. If you want to encrypt your email, you’re in trouble. Use a safe alternative.

Alternatives to PGP

You can find a more exhaustive list of alternatives here. Here’s my personal choice: