Last updated: March 15, 2026

PGP (Pretty Good Privacy) remains the gold standard for end-to-end email encryption in 2026. While newer protocols like Autocrypt have emerged, GPG (GNU Privacy Guard) provides the most mature, open-source implementation with broad client support. This guide walks through setting up PGP encryption for developers and power users who want complete control over their email security.

Table of Contents

Why PGP Still Matters in 2026

Email remains one of the weakest links in digital communication. Standard SMTP transmits messages in plaintext, leaving them vulnerable to interception at multiple points. PGP provides end-to-end encryption that ensures only the intended recipient can read your messages, even if someone intercepts the transmission or compromises mail servers.

The key advantage for developers is verification. PGP signatures allow you to verify that messages actually came from claimed senders and haven’t been tampered with. This matters for sensitive communications, code reviews, or any scenario where message integrity is critical.

Prerequisites

Before you begin, make sure you have the following ready:

Step 1 - Install GPG

Most Linux distributions include GPG by default. On macOS, install via Homebrew:

brew install gnupg

On Windows, download Gpg4win from the official website or use WSL for an Unix-like environment.

Verify your installation:

gpg --version

You should see output indicating GPG version 2.4 or higher.

Step 2 - Generate Your PGP Key Pair

Create a new key pair with a 4096-bit RSA key:

gpg --full-generate-key

Follow the prompts:

  1. Key type: RSA and RSA (default)
  2. Key size: 4096 bits
  3. Key validity: Set to 2 years (you can extend later)
  4. Real name: Use your full name or a pseudonym
  5. Email address: Your primary email
  6. Passphrase: Choose a strong, unique passphrase

The key generation process may take several minutes as GPG generates entropy. For faster results on servers, install haveged to provide additional entropy.

Step 3 - Manage Your Keys

Listing Keys

View your secret keys:

gpg --list-secret-keys

The output shows your key ID (a hex string like ABCDEF1234567890), which you’ll use for most operations.

Exporting Your Public Key

Share your public key so others can encrypt messages to you:

gpg --armor --export your-key-id > yourname-public.asc

The --armor flag produces ASCII-armored output suitable for pasting in emails or on websites.

Backing Up Your Keys

Export your private key (keep this secure and never share):

gpg --armor --export-secret-keys your-key-id > yourname-private.asc

Store backups on encrypted media in secure locations. Without your private key, you cannot decrypt messages encrypted to your public key.

Revocation Certificate

Generate a revocation certificate immediately:

gpg --armor --gen-revoke your-key-id > revocation.asc

If your key is compromised, this certificate tells others your key is no longer valid.

Step 4 - Configure Your Email Client

Thunderbird (Enigmail/Built-in)

Thunderbird 115+ includes native OpenPGP support. To configure:

  1. Open Settings → End-to-End Encryption
  2. Click “Add Key” and select your GPG key
  3. Set your default encryption preference
  4. Configure key servers if you want automatic key discovery

Apple Mail (GPGTools)

Install GPGTools to add PGP support to Apple Mail:

  1. Download from https://gpgtools.org
  2. Import your keys into the GPG Keychain
  3. In Mail, compose new messages with encryption enabled

Command-Line with Neomutt

For terminal enthusiasts, configure Neomutt with GPG integration:

In ~/.muttrc
set crypt_use_gpgme = yes
set pgp_default_key = "your-key-id"
set crypt_autosign = yes
set crypt_autoencrypt = yes

Step 5 - Practical Usage Examples

Encrypting a Message

Create an encrypted message for a recipient:

echo "Your secure message" | gpg --encrypt --armor \
  --recipient recipient@example.com --output message.asc

The output file contains the encrypted message that only the recipient can decrypt.

Signing a Message

Prove a message came from you:

echo "Important document" | gpg --sign --armor --output signed.asc

Recipients can verify the signature using your public key.

Encrypting to Multiple Recipients

Send the same message to multiple people:

gpg --encrypt --armor \
  --recipient alice@example.com \
  --recipient bob@example.com \
  --output encrypted-multiple.asc \
  message.txt

Decrypting Messages

Decrypt a received message:

gpg --decrypt encrypted-message.asc

GPG prompts for your passphrase and outputs the plaintext.

Step 6 - Key Servers and Key Management

Publishing Your Public Key

Upload to keys.openpgp.org:

gpg --keyserver keys.openpgp.org --send-keys your-key-id

Others can now retrieve your key by email address or key ID.

Importing Someone’s Key

Find and import a recipient’s key:

gpg --keyserver keys.openpgp.org --search-keys recipient@example.com
gpg --import their-key.asc

Verifying Key Fingerprints

Always verify key fingerprints in person or via a secure channel:

gpg --fingerprint your-key-id

Security Best Practices

  1. Use strong passphrases: Minimum 20 characters with entropy
  2. Rotate keys periodically: Generate new keys every 2-3 years
  3. Never share private keys: Treat like passwords
  4. Verify before encrypting: Confirm key ownership
  5. Use subkeys: Separate encryption and signing keys for daily use
  6. Keep software updated: GPG updates fix security vulnerabilities

Advanced - Subkeys and Hardware Security

For maximum security, use subkeys stored on YubiKey or similar hardware tokens. This keeps your master key offline in secure storage while using a derived key for daily operations.

Configure subkeys with:

gpg --edit-key your-key-id
addkey
Select RSA, 4096 bits, expiration
save

The master signing key stays in cold storage; the encryption subkey goes on your device.

Moving a Subkey to YubiKey

Once you have created a subkey, move it to a YubiKey for hardware-backed protection:

gpg --edit-key your-key-id
key 1          # select the subkey
keytocard      # move to smartcard/YubiKey
Choose slot 2 (encryption) or slot 3 (authentication)
save

After transferring, the private subkey material exists only on the hardware token. GPG operations will prompt for a YubiKey PIN rather than a passphrase typed at the keyboard. eliminating keylogger risk for private key access.

Troubleshooting Common PGP Problems

No Public Key Error When Encrypting

This error means you have not imported the recipient’s public key. Search for it on a key server:

gpg --keyserver keys.openpgp.org --search-keys recipient@example.com

If the key is not on a key server, ask the recipient to send their public key file directly and import it:

gpg --import received-key.asc

Passphrase Prompt on Every Operation

GPG caches passphrases through the gpg-agent daemon. If you are prompted on every operation, the agent may not be running. Start it manually:

gpg-agent --daemon

On modern Linux systems with systemd, the agent typically starts automatically. Verify it is active with:

gpgconf --list-dirs agent-socket

Expired Key Handling

When a recipient’s key has expired, GPG refuses to encrypt to it. You have two options: ask the recipient to extend their key expiry and re-publish it, or extend it locally only when you can verify the key is still valid through a trusted channel:

gpg --edit-key recipient-key-id
expire
save

Note that you can only extend expiry on keys you own. For others’ keys, the extension must come from the key owner.

Step 7 - PGP for Git Commit Signing

Beyond email, PGP is widely used to sign Git commits, providing cryptographic proof that commits came from a specific key holder. Configure Git to sign commits automatically:

git config --global user.signingkey your-key-id
git config --global commit.gpgsign true

Verify a signed commit with:

git log --show-signature -1

Platforms like GitHub, GitLab, and Sourcehut display a verified badge next to commits signed with a registered GPG key, giving collaborators confidence in commit authenticity even across public repositories.

Frequently Asked Questions

How long does it take to guide?

For a straightforward setup, expect 30 minutes to 2 hours depending on your familiarity with the tools involved. Complex configurations with custom requirements may take longer. Having your credentials and environment ready before starting saves significant time.

What are the most common mistakes to avoid?

The most frequent issues are skipping prerequisite steps, using outdated package versions, and not reading error messages carefully. Follow the steps in order, verify each one works before moving on, and check the official documentation if something behaves unexpectedly.

Do I need prior experience to follow this guide?

Basic familiarity with the relevant tools and command line is helpful but not strictly required. Each step is explained with context. If you get stuck, the official documentation for each tool covers fundamentals that may fill in knowledge gaps.

Is this approach secure enough for production?

The patterns shown here follow standard practices, but production deployments need additional hardening. Add rate limiting, input validation, proper secret management, and monitoring before going live. Consider a security review if your application handles sensitive user data.

Where can I get help if I run into issues?

Start with the official documentation for each tool mentioned. Stack Overflow and GitHub Issues are good next steps for specific error messages. Community forums and Discord servers for the relevant tools often have active members who can help with setup problems.

Related Articles