WHERE TO GET PGP and GPG

WHERE TO GET THE PRETTY GOOD PRIVACY PROGRAM (PGP) FAQ

Revised 17 June 2014

This FAQ applies to Pretty Good Privacy (PGP), Gnu Privacy Guard (GPG), and some other OpenPGP implementations.

Disclaimer: some of this information may be outdated or otherwise inaccurate. I don't update it very often, but you should by all means be able to find an appropriate copy of PGP and its documentation using the information contained herein. Use it at your own risk.

The master copies of this FAQ is at http://cryptography.org/getpgp.htm.

The official (much more complete) PGP FAQ is available at: http://www.pgp.net/pgpnet/pgp-faq/


WHERE ARE SOME OF THE BEST PLACES TO GET PGP ON THE WEB?

PGPmail commercial version

PGP Mail is now published and supported by PGP Corporation. See http://www.pgp.com for information on their current prices, versions, and support. For commercial applications where having a corporation to back up a product with support is important, or where maximum integration with Windows is also important, this is the preferable option. For commercial applications where low cost is the primary option and you want to use a command line interface, Gnu Privacy Guard (http://www.gnupg.org) is better.

[Top]

WHERE CAN I GET MORE PGP INFORMATION?

The best source of PGP information is in the PGP documentation that comes with PGP. For additional information, you may want to read:

[Top]

WHAT COMPATIBILITY ISSUES EXIST BETWEEN PGP AND GPG VERSIONS

PGP 5.0 introduces some new algorithms for both public key and conventional encryption. These changes are good from both technical (security & efficiency) and political (patent) standpoints. With the death of the Diffie-Hellman key exchange patent, the freeware PGP new algorithms are 100% free of patent problems, and free of legalese such as come with the RSAREF toolkit. The Diffie-Hellman key exchange key size limit is also larger than the old RSA limit, so PGP encryption is actually more secure, now.

The new SHA1 hash function is better than MD5, so signatures are more secure, now, too. The conventional encryption used is all sound, and definitely not the weak link in the chain. This much is good news.

The bad news, of course, is that there will be some interoperability problems, since no earlier versions of PGP can handle these algorithm, and some PGP freeware issued before the RSA algorithm math patent expired doesn't support RSA signatures and encryption.

Gnu Privacy Guard was written from the ground up to be free software under the Gnu Public License. That means that it cannot use the IDEA symmetric key algorithm, and also that some versions were issued before the RSA patent expired in the USA, and therefore some older versions of GPG didn't support RSA signatures or encryption.

For more information on PGP and GPG compatibility, please see http://www.openpgp.org.

[Top]

WHAT ARE SOME GOOD PGP BOOKS?

 Protect Your Privacy: A Guide for PGP Users
 by William Stallings
 Prentice Hall PTR
 ISBN 0-13-185596-4
 US $19.95

 PGP: Pretty Good Privacy
 by Simson Garfinkel
 O'Reilly & Associates, Inc.
 ISBN 1-56592-098-8
 US $24.95

 E-Mail_Security,
 How To Keep Your Electronic Messages Private (covers PGP & PEM)
 by Bruce Schneier
 365 pages
 1995
 pub: John Wiley & Sons, Inc.
 ISBN 0-471-05318-X
 $24.95 US

 The Computer Privacy Handbook: A Practical Guide to E-Mail Encryption, Data
 Protection, and PGP PRivacy Software
 by André Bacard
 Peachpit Press
 ISBN 1-56609-171-3
 US $24.95
 800-283-9444 or 510-548-4393

 THE OFFICIAL PGP USER'S GUIDE
 by Philip R. Zimmermann
 MIT Press
 April 1995 - 216 pp. - paper - US $14.95 - ISBN 0-262-74017-6 ZIMPP
 Standard PGP documentation neatly typeset and bound.

 PGP SOURCE CODE AND INTERNALS
 by Philip R. Zimmermann
 April 1995 - 804 pp. -
 US $55.00 - 0-262-24039-4 ZIMPH

 How to Use PGP, 61 pages,  (Pub #121) from the Superior Broadcasting
 Company, Box 1533-N, Oil City, PA 16301, phone: (814) 678-8801
 (about US $10-$13). 

[Top]

IS PGP LEGAL?

Using and distributing Pretty Good Privacy is legal if you are careful to obey the intellectual property and export rules, as well as any local rules that may apply in the nation you are in.

U. S. export regulations are not as bad as they were, but you may be required to give a notice to the U. S. Government to export or publicly post source code (and the executable compiled from it) under license exception TSU. You can't intentionally export PGP or GPG from the USA to certain forbidden destination (state sponsors of terrorism, etc.) Check the Department of Commerce web site at http://www.bxa.doc.gov/Encryption/Default.htm for current rules.

The RSA patent caused considerable expense in the USA for PGP users, until the Diffie-Hellman patent expired and DSA was offered by the U. S. Government as not infringing. Some people still like to use older versions of PGP that use RSA, especially outside of the USA. Fortunately, the RSA patent is dead and anyone in the USA may use RSA for either business or personal use without restrictions, just like people in the rest of the world have been able to do for many years.

If you want to use PGP for commercial use, the most legal approach is to use Gnu Privacy Guard (http://www.gnupg.org) for free, but you may also be able to buy a license for the commercial version of PGP.

If you are in a country where the IDEA cipher patent holds in software (including the USA and some countries in Europe), make sure you are licensed to use the IDEA cipher commercially before using PGP commercially, or avoid it by using Gnu Privacy Guard or a version of PGP that allows the use of alternate algorithms like CAST, instead. (No separate license is required to use the freeware PGP for personal, noncommercial use). For direct IDEA licensing, contact Ascom Systec:

Erhard Widmer, Ascom Systec AG, Dep't. CMVV
Phone +41 64 56 59 83
Peter Hartmann, Ascom Systec AG, Dep't. CMN
Phone +41 64 56 59 45
Fax: +41 64 56 59 90
e-mail: IDEA@ascom.ch
Mail address: Gewerbepark, CH-5506 Maegenwil (Switzerland)

Network Associates, Inc., has an exclusive marketing agreement for commercial distribution of Philip Zimmermann's copyrighted code. (Selling shareware/freeware disks or connect time is OK, as is building on older GPL versions of PGP or the new GPG.)

If you modify PGP (other than porting it to another platform, fixing a bug, or adapting it to another compiler), don't call it PGP (TM) or Pretty Good Privacy (TM) without Philip Zimmermann's permission.

Within the U.S. there is no legal obstacle for use of strong encryption. Export regulations used to be quite draconian in the USA, and are still partially irrational, but they have greatly improved to the point where U. S. Citizens no longer need to hesitate to publish (even on the Internet) and use strong cryptography, as long as they send the required notices of export and/or posting on the Internet described by http://www.bxa.doc.gov/Encryption/Default.htm.

In an ideal world every honest person would have the right to use encryption. Unfortunately, this isn't an ideal world.

France used to be quite restrictive, but now that nation allows its citizens to use strong cryptography, recognizing its value in preventing some crimes and strengthening electronic commerce.

Germany once considered banning the use and distribution of strong cryptographic software in the name of "national security," but now the German government has actually endorsed and helped fund the development of Gnu Privacy Guard.

In Russia, you can be arrested for using cryptography and even be put in jail for using a GPS receiver.

U. S. Citizens may want to view travel advisories at http://travel.state.gov before visiting another country.

For information on the legal situation see The Crypto Law
Survey http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm

[Top]

WHAT IS PHILIP ZIMMERMANN'S LEGAL STATUS?

Philip Zimmermann was under investigation for alleged violation of export regulations, with a grand jury hearing evidence for about 28 months, ending 11 January 1996. The Federal Government chose not to comment on why it decided to not prosecute, nor is it likely to. The Commerce Secretary stated that he would seek relaxed export controls for cryptographic products, since studies show that U. S. industry is being harmed by current regulations. Philip endured some serious threats to his livelihood and freedom, as well as some very real legal expenses, for the sake of your right to electronic privacy.

See:

>[Top]

HOW DO I SELECT A GOOD SECURE PASSPHRASE?

See:

[Top]

WHAT OTHER FILE ENCRYPTION (DOS, MAC) TOOLS ARE THERE?

PGP can do conventional encryption only of a file (-c) option, but you might want to investigate some of the other alternatives if you do this a lot.

Alternatives include Atbash2 for DOS, DLOCK2 for DOS & UNIX, Curve Encrypt (for the Mac), HPACK (many platforms), and a few others.

Atbash2 is interesting in that it generates ciphertext that can be read over the telephone or sent by Morse code. DLOCK2 is a no-frills strong encryption program with complete source code. Curve Encrypt has certain user-friendliness advantages. HPACK is an archiver (like ZIP or ARC), but with strong encryption. A couple of starting points for your search are:

[Top]

HOW DO I SECURELY DELETE FILES?

If you have the Norton Utilities, Norton WipeInfo is pretty good. I use DELETE.EXE in del210.zip, which is really good at deleting existing files, but doesn't wipe "unused" space.

[Top]

WHERE DO I GET PGPfone(tm)?

PGPfone is for private telephone calls over a modem or the Internet.

[Top]

WHERE DO I GET NAUTILUS?

Bill Dorsey, Pat Mullarky, and Paul Rubin have come out with a program called Nautilus that enables you to engage in secure voice conversations between people with multimedia PCs and modems capable of at least 7200 bps (but 14.4 kbps is better). See:

[Top]

WHERE IS PGP'S COMPETITION?

Gnu Privacy Guard (GPG) is a serious OpenPGP standard competitor to PGP, but really it is more of a growth from the initial Gnu Public License versions of PGP itself, with some independently-written code added where necessary. It is a serious alternative, and quite secure.

S/MIME is gaining a foothold on the secure email market, but my experience with it has been rather negative. Current implementations of S/MIME (1) don't always use secure key lengths, (2) often require payment of an annual fee to a central key certification authority, (3) have much more limited key management facilities than PGP, and (4) usually don't have source code open to inspection like GPG and most versions of PGP. On the positive side, S/MIME is integrated into email packages like Microsoft Outlook and Netscape Messenger.

[Top]

HOW DO I PUBLISH MY PGP PUBLIC KEY?

The latest PGP and GPG versions will interact with key servers automatically if you are connected to the Internet and if you configure them to. For manual key publication, send mail to one of these addresses with the single word "help" in the subject line to find out how to use them. These servers synchronize keys with each other. There are other key servers, too.

[Top]

IS PGP REALLY SECURE?

Yes and no. Yes, it is secure against most attackers when used on a physically secure system in accordance with its instructions. This includes using a good passphrase to protect your private keys and keeping your passphrase and private keys truly private. You must also never run or allow to be run any rogue software (including viruses, worms, and Trojan horses) that might send your passphrase keystrokes and your PGP key file back to some spy.

If an adversary of yours has physical access to the computer that you use with PGP, it is not hard to install a hardware or software keystroke logger that can capture your passphrase, and to copy your private keyring. With that combination, any of your PGP-encrypted messages can be read. PGP is not secure if you don't understand what you are doing. It is also true that God knows your thoughts even before you encrypt them, so you can't hide anything from Him. http://ebible.org/bible/web/Psalms.htm#C139V1

MAY I COPY AND REDISTRIBUTE THIS FAQ?

Yes. Please only do so in appropriate forums, and provide pointers to the home location of this FAQ.

[Top]

WHO MAINTAINS THIS FAQ?

Michael Paul Johnson maintains this FAQ from time to time. My PGP and Gnu Privacy Guard public keys are available on MLJohnson.org.


[North American Cryptographic Archives]  [Gnu Privacy Guard[International PGP]