I'm trying to understand how pgp email encryption works. I thought that I create a key-pair and that the recipient needs to have both to view my message. However, when I send an encrypted message to myself, using 2 different email providers, all I need to know is the passphrase to decrypt the message.

How come I don't need to know the public & private keys of the sender? I'm assuming that when I put in the passphrase to decrypt the message, the correct passphrase automatically uses the private key that was, I'm guessing, sent with the email.

Using protonmail to send it.

Thank you.

Your question is essentially: “What is public-key encryption?”

This kind of basic knowledge is handled in many documents spread all over the Web and, AFAIS, in the documents shipped with PGP.

My question is essentially: “Which part of the explanation is not clear?”

2 members found this post helpful.

How come I don't need to know the public & private keys of the sender?

See this diagram from the wikipedia page.

It's about the receiver's key(s), and you do know those...you are the receiver. (If I grokked correctly)

(I found that picture by searching for "pgp encryption" (no quotes). Please do that and read the documentation, as Michael Uplawski suggested.

Thanks. Ok, yes, I'm confused. In the diagram, i'm assuming that the "random key" is the "session key". Either way, the random key encrypts the 'data'. But then it says that the 'random key' is encrypted using the "receivers" public key. But I don't know the receiver's public key, at least not when I am using email whereby I create a key-pair using key-gen. I just click the encryption icon after creating a key-pair, and the message is encrypted and then decrypted by receiver through using the correct passphrase answer.

I can see that if someone were sending an non-email encrypted message that, based on the wiki diagram, that they would exchange public keys. But I would have thought that the sender would have to send the recipient the sender's private key to unlock the message.

Is the "random key" = "session key"?

Even if you encrypt the random key with the recipient's public key, how is that safe since potentially 'everyone' could have that public key?

If I take the session key and encrypt it with recipient's public key, and recipient's private key opens gives access to the random key/session key, isn't the session key/random key protecting the data and you need another key to decrypt the session key/random key?

It seems apparent that using PGP with email is different from using PGP with another client or form. What other forms are there besides phone apps which, I'm guessing, don't require the recipients public key?

Very confused.

Sorry that you're confused.
Even if I knew the specific answer, I doubt I'd post it here, given that searching for it in your favorite search engine will give you the answer. You just need to read more. I thought the wikipedia page was a good start.

It doesn't make sense to expect us to type out what you can find on your own.

That said, are you having trouble finding the documentation?
I there something specific that you don't understand? (asked in #2)

Thanks. Yes, I need to read more, I'll agree with that. But I have to say that if understanding PGP encryption, key-pairs, etc, were not confusing, even given all the info about them online, millions more people would be using them.

I see there is symmetric encryption, which seems to relate to the email encryption, and also there is 'gpg' and 'pgp'. And there is 'ecrypt' and 'veracrypt'. Veracrypt would not download for some reason, server error.

I was able to encrypt a folder/ directory so that it can not be deleted. And I encrypted the file in the folder. But then I was able to delete the encrypted file in the encrypted folder, in which case, encrypting them was pointless b/c it did not save my file from being deleted.

To encrypt the folder, I used "sudo mount -t decryptfs ~/file ~/file". During the process it asked me if I wanted a clear text passthrough and if I wanted to encrypt the file (I think that's what it was), but the program would only work if I put yes for #1, and no for #2.

To encrypt the file I used "gpg -c filename".

There must be a way to prevent the file from being deleted, or, not even being able to get to the file since I would think an encrypted folder would protect the contents, otherwise, what's the point?

@linx9 and ttpp, and more towards ttpp since you seem to involve yourself as the first person, with discussions initiated by linx9:

This continued posting in the same thread with multiple accounts is not helping your fellow LQ members understand the problem flow correctly and tends to cause greater confusion.

Your fellow LQ members should not have to discern who is providing updates and feedback for a technical thread question.

Please refrain from this behavior moving forwards. Either always use a single account per problem, or do not post from two accounts as the originator/owner of a problem.

Yes - not intentional.

PGP/GnuPG e/mail is a question that is simple on its surface and complex in careful study.

PGP keys are generated in pairs: a "private" key ( which you keep ) -- and a "public" key -- which you post to the keyserver or provide to your correspondents

Once you have posted your public key to the keyservers I can encrypt a message for you -- using your public key. I could post this message on a public web page -- and still -- no one would be able to read it without your private key

that's the simple part

I could also sign the message for you, using my private key. And you could then download my public key from the keyservers, and with that -- your could verify my signature.

but this is where the subject gets deep: how do you satisfy yourself that you have MY public key -- rather than some sort of fake or error ?

you have to validate the digital fingerprint of the key:at this point the only information you have is: you got this key from someone who posts on the Linux Questions BBS

how are you going to validate my identity ?

phone call? meeting in the conference room? IT Security Officer checks it for you ?

you have to do something: no one is going to give you security.

once you have satisfied yourself that you have the correct key then: you sign my public key on your keyring. This will change its state to VALID -- indicating that you are satisfied that you know who the key belongs to.

do not confuse this with TRUST. Trust is another matter entirely, related to whether or not you trust me to validate other peoples keys for you. Be very careful at this point: it's here the entire x.509/SSL process breaks down.

a huge amount of computer hacking is facilitated by "phishing". The "phishers" compose and send e/mail messages that look official. These may even be spoofed to look like they are from your boss, or your insurance company, or your bank -- or even the IRS. In reality the "phish" contains HTML code with virus scripting, or documents containing bad scripts or vBasic or such that re-direct your browser to a criminal controlled source. You may not recognize that you have been re-directed to a criminal resource because unless you have proper authentication for sites that you should use. This can end up in bank fraud, or ransomware, black-mail or other crime, and, all too often, does.

and this is facilitated because e/Mail -- and too much of our electronic communication -- is NOT AUTHENTICATED

I'm a proponent of electronic authentication, and particularly, PGP/GnuPG -- which is why I'm writing this post.

Thanks. Interestingly, I have read all about everything above, truly. And I got to the point about authenticating the digital fingerprint. That's where I'm at now. I remember reading about "keyring", but have not delved deeply into it yet. I know nothing about it at this point.

So, if you send me a message with my public key to encrypt it, as it shows in wiki diagram, what is the "risk"for me to use my private key to unencrypt it? Thanks.

---
if you are interested in PGP/GnuPG you should start by carefully reading Phil Zimmerman's original work: PGP User's Guide, Volume I: Essential Topics

Pay careful attention to vulnerabilities. When ready, read Vol. II PGP User's Guide, Volume II: Special Topics

The interesting thing about PGP is that while it provides the basis for authentication, integrity, and security for messages, e/mail, and documents of any sort it is not an easy concept: each user must make the commitment to VALIDATE KEYS.

a word about Operating Software: use a secure O/S. If your O/S is compromised encryption software will not be able to provide you with any protection.

You asked In a secure environment this will be safe. If your O/S is running a root kit then you do not have complete knowledge regarding what you computer may be doing. A rootkit could steal your entire keyring, export your e/mail contacts list, steal your PGP password along with your other passwords along with the plain text of all the messages you have decrypted.

Thugs could break into your home and make off with your computer. Unless you are using whole disc encryption they can then easily steal most of the data on your machine. Your secret key would remain locked, and if you're using a good password manager such as Keepassx then you passwords file will also remain locked.

These are important things to think about in this "Digital Age".

Some operating software is reasonably well secured while some operating software is hopeless. Today we face questions regarding firmware. It is unclear as to the nature of the threats now presenting. Hopefully this will begin to clear up as more fines are levied against companies for lapses in security. These fines will, perforce, push responsibility onto the sources of insecure products.