Unlocking Security: A Step-by-Step Guide on How to Use a PGP Digital Signature

Jeff Russell

Last updated on June 14th, 2023 at 07:23 pm

The acronym PGP stands for Pretty Good Privacy. It is an app that utilizes mathematical algorithms to protect files from unauthorized access via encryption. Another use for PGP is for digital signatures you can use to sign documents and verify their authenticity.

In the modern age, secure communication over the Internet is more important than ever. We use electronic services for everything – from communicating with loved ones to online banking and signing documents related to our work lives, and dealing with the government. Having an understanding of PGP Digital Signatures and how to use them is of utmost importance.

What is Encryption and What Software to Use for PGP Digital Signatures?

The method of converting digital data into a secret code that hides the true content of the data package is called encryption. Cryptography is the science that deals with developing encryption methods and implementing them into software that we can then use for digitally signing documents and safely transferring information over the internet. Unencrypted digital data is usually referred to as plaintext, while encrypted data packages are called ciphertext. The four main methods used for computer encryption are:

  • Advanced Encryption Standard (AES)
  • Triple DES.
  • Blowfish.
  • Rivest-Shamir-Adleman (RSA)

Various pieces of software use encryption to deliver a digital signature service. Some of the most popular among them include GNUPG and Symantec. These implement PGP Digital Signature in their algorithm, which delivers some of the best results in terms of security currently available on the market. Other alternatives include pfPgpEncryptor, Kleopatra, Go Anywhere OpenPGP Studio, PGPTool, and VeraCrypt. Since they are all built on the PGP protocol, they should deliver roughly the same results. Most of the PGP Digital Signature apps are free, while others, such as the Symantec app, offer paid features as well. Which application you should choose depends on your needs. If you need to sign a single document every once in a while, you should be fine with some of the free versions. Consider a paid version in case you require more functionalities, such as signing multiple documents in a single day, preparing folders and catalogs, etc.

Installing the Application

Once you choose which PGP software you will use, go to the developer’s official website and look for the download link. When it comes to encryption software, always download it from the official vendor’s site. Never go for third-party links as they pose a serious security threat. After your download is complete, install the application on the system disk.

Generating Your PGP Key Pair

To start using PGP to digitally sign documents, you will need to create a pair of keys – a public key and a private one. Together they form the PGP key. The public key is the one you send to the person you want to receive your encrypted data. They use it to decipher the package and read the information. The private key is used to encrypt the data. It is called private because only the sender – in this case, you, knows it.

For Windows:

For Linux:

You can actually use the modern gpg2 package and the respective command:

gpg2 --generate-key

The PGP-compatible software you’ve just installed should have a built-in key generator that you can use to create the pair.

Exporting Your Public Key

Before you share your public key with the person you want to receive it, you must first export it. Under Linux, that happens with the –export command. If you are using Windows-based PGP software, you will see an export key in the menu.

Once the export is complete, you can send it to your contacts. Again, most PGP software will have the option to automatically send the key to a predefined set of contacts by pressing a button in the menu.

Similarly, if you receive a public key from someone else and want to use it to decrypt a message, you should import it into your PGP software. Use the –import command in Linux, or look for the Import option in the Windows menu.

Creating and Verifying your PGP Digital Signature

Most modern pieces of software have an automatic way to verify the signatures you’ve created.

If you have to do that manually in Linux, you need to make sure that you’ve downloaded both the signature file and the public key of the sender. Import the key with this command – gpg –import PUBLICKEY and verify the signature with the following command gpg – – verify [Signature File Name].SIG FILE. If you see the “Good Signature” message, the process was successful.

In Windows, download the public key. Right-click on it and open the command prompt. Type C:\Program Files (x86)\Gnu\GnuPg\gpg.exe –import [File Name]. Then navigate to the signature file and right-click on it. Click on Open command window here and type C:\Program Files (x86)\Gnu\GnuPg\gpg.exe —verify[Signature File Name]. Hit Enter and check if you get the “Good Signature” output.

Users on macOS can follow these steps to enable PGP digital signatures:

  1. Select a PGP Application
    Choose a PGP application suitable for macOS, such as GPG Suite or OpenPGP for macOS. Download and install the selected application from their official website.
  2. Generate Your Key Pair
    Launch the PGP application and generate your key pair, consisting of a public and a private key. Keep your private key secure and accessible only to you.
  3. Configure PGP Settings
    Access the PGP application’s settings and customize them to align with your preferences. Adjust options like key strength, expiration dates, and encryption algorithms, if required.
  4. Import and Verify Contacts’ Keys
    Import the public keys of your contacts into the PGP application. Ensure the authenticity of their keys through a trusted communication channel to establish a secure web of trust.
  5. Sign and Verify Messages
    Compose your message using the PGP application and sign it with your private key. When receiving a signed message, verify the signature using the sender’s public key to ensure its integrity and authenticity.

To Sum Up

Using PGP Digital Signature isn’t complicated. All you need to do is choose and install the right software, and learn how to import documents for signing and verifying public keys. At the end of the day, the process gives you a secure, fast way to digitally sign any document without hassle, and protects your sensitive personal information when it is being transferred across the Internet.

Photo of author

About the author