What are PGP Public and Private Keys?

This article details what Pretty Good Privacy (PGP), PGP Keys, and PGP Whole Disk Encryption work.

PGP, Pretty Good Privacy, is a "public key cryptosystem." (Also known as PKC.) In PGP, each person has two "keys": a "public key" that you give to other people, and a "private key" that only you know. You use public keys to encrypt messages and files for others or to add users to PGP Virtual Disk volumes. You use your private key to decrypt files and messages that are encrypted with your public key. 

The good news is that you don't have to know anything about how PGP, PGP Keys, or even PGP Whole Disk Encryption works to use PGP Desktop. The ACCC's PGP Universal Server will even keep your PGP Universal keys for you.

You might need to have other people's PGP public keys, though, if you want to encrypt a PGP Zip archive for someone else or use PGP Viewer to encrypt or decrypt files. Using PGP Whole Disk Encryption explains how to search for and save other people's public keys.

Physical Key Security

Your private key must be kept private. It's also rather big; too long, certainly, for you to remember and type every time you need it. So you have to keep it in a file on your personal computer. What's to keep someone from stealing it? Nothing, really. Which is why PKC software like PGP Freeware associate private keys with password -- PGP Freeware calls it a passphrase -- and won't do anything with your private key until you enter that passphrase.

This is a good thing. It means that physical access to your personal computer and/or to your private key isn't enough to decrypt PGP-encrypted files/email, even those stored on your personal computer.It's a bad thing too though, there is absolutely nothing that can be done if you forget your passphrase. Forget your passphrase, and you lose access everything that that's encrypted for you with PGP.

Stolen Private Key

They've stolen your signature. Worse, actually; handwriting analysis should be able to give you plausible denial for a forgery of your handwritten signature. No such luck with digital signatures. What do you do if your private key is compromised? Your only option is to cancel your current key pair -- as of a certain date if you don't want to invalidate your previous digital signatures. After you create a new key pair, how do you tell everyone who has your old public key what's happened? You don't want anyone else to be allowed to cancel your keys, but if you've forgotten your password, how can you prove you're really you? You do this by designating a revoker, which is detailed in Chapter 3 of the PGP User's Guide.

Departmental Use of Private Keys

What if a colleague encrypts important work-related files and then quits without leaving the key? What if he just forgets his password? One answer to work-related encryption is to have key escrows that allow supervisors to obtain copies subordinate's keys. That, of course, brings up even more questions! The simple answer to this question, at least at UIC, is don't use your own private PGP key to encrypt departmental files. (It's not legal, anyway.). But your department could purchase a copy of the commercial version of PGP or some other similar software package, select a departmental key, and use that to encrypt sensitive files.