PGP: How to Make Any Messaging App Actually Secure
I’ve been thinking about this for a while. Everyone argues about which messaging app is the most secure: Signal, Matrix, Telegram, whatever. But what if the app didn’t matter at all?
That’s what PGP taught me. Once you understand it, you realize you can have end-to-end encryption in literally any app: even email, even a Discord DM, even a plain text file sitting on a shared drive. The encryption lives in the message, not the platform.
Here’s what PGP is, why it works, and how to actually start using it today.
What PGP Actually Does
PGP (Pretty Good Privacy) is a system built around a simple idea: you have two keys.
- A public key you share with everyone; it’s how people encrypt messages to you
- A private key you keep secret; it’s how you decrypt messages from others
When someone wants to send you a secure message, they encrypt it with your public key. Once encrypted, only your private key can decrypt it. Not the app. Not the server. Nobody in the middle.
The beauty of it: the encrypted output is just text. A blob of characters that looks like random noise. You can paste it anywhere (a forum post, a tweet, an iMessage) and only the intended recipient can read it.
This is what makes it platform-agnostic. The security doesn’t depend on the app trusting you, or the server being honest, or the company not getting hacked. It depends on math.
A Quick Note on Trust
PGP also handles signatures: a way to prove a message actually came from you.
When you sign a message with your private key, anyone with your public key can verify that:
- The message came from you (or whoever holds your private key)
- The message wasn’t modified in transit
This is how you can send a message through the least secure channel imaginable and still guarantee its authenticity. The signature travels with the content.
Getting Set Up
Windows: Gpg4win
Download Gpg4win from gpg4win.org. It includes Kleopatra, a clean GUI for managing keys, encrypting, decrypting, and signing. Install it, open Kleopatra, and you’re most of the way there.
macOS: GPG Suite
Download GPG Suite from gpgtools.org. It integrates directly into macOS Mail if you use it, but works just as well for manual copy-paste encryption with any other app.
Linux: GPGFrontend (or CLI)
On most distros you already have gpg installed. For a GUI, I personally use GPGFrontend on Arch; it’s in the AUR:
yay -S gpgfrontend
It’s minimal, fast, and doesn’t try to do too much. You get key management, a text editor for encrypting/decrypting, and signature tools. That’s all you need.
If you prefer the terminal, everything below has a CLI equivalent; gpg is actually very ergonomic once you know the handful of commands that matter.
Generating Your Key Pair
In any of the tools above, look for “New Key” or “Generate Key”. You’ll be asked for:
- Your name and email (this is just metadata; use whatever you want)
- Key type: stick with Ed25519 or RSA 4096 if given the choice
- An expiry date: optional, but good practice (1-2 years is reasonable)
- A passphrase: this protects your private key on disk, so make it strong
Once generated, you’ll have a key pair. Export your public key; it’ll look something like this:
-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEZ... (long block of characters)
-----END PGP PUBLIC KEY BLOCK-----
Share this freely. Post it on your website, send it to friends, upload it to a keyserver like keys.openpgp.org. The more people have it, the more people can reach you securely.
Encrypting a Message
Say you want to send a secure message to a friend. You need their public key first: ask them to send it to you, or find it on a keyserver.
Import their key into your tool, then:
- Write your message in plain text
- Select their key as the recipient
- Hit Encrypt (optionally Sign with your own key too)
You get back something like:
-----BEGIN PGP MESSAGE-----
hQIMA7k3... (encrypted blob)
-----END PGP MESSAGE-----
Copy that. Paste it anywhere: an email, a Telegram message, a GitHub comment. Send it. Your friend imports it into their tool, hits Decrypt, and reads it. Nobody else can.
Decrypting a Message
When you receive an encrypted message, copy the entire block including the -----BEGIN and -----END lines. Paste it into your tool and hit Decrypt. It’ll ask for your passphrase if your private key is protected (it should be), and out comes the plain text.
In GPGFrontend on Arch this is literally a paste and one click. I use it occasionally for sending sensitive notes to people: config files, credentials, anything I wouldn’t want sitting in plaintext in a chat log.
Signing Without Encrypting
Sometimes you don’t need to hide the content; you just want to prove it came from you.
Write your message, then choose Sign only (not encrypt). You get a signed message block that anyone can verify using your public key. Useful for announcements, release notes, or any situation where authenticity matters more than secrecy.
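The same walkthrough from the terminal, as an added example that is not from the original post or from any of the tools it mentions: generate a key pair, export and import public keys, encrypt and sign, decrypt and verify, and sign only. It runs gpg in batch mode inside two throwaway keyrings (one per person) so it never touches your real ~/.gnupg. The names, addresses and message text are constructed, and the passphrase is deliberately skipped (%no-protection) so the script runs unattended; on a real machine keep the passphrase the post recommends.

```shell
#!/bin/sh
# Added example, not code from the original post: command-line equivalents
# of the GUI steps (generate, export, import, encrypt+sign, decrypt+verify,
# sign-only), run end to end between two throwaway keyrings. Names,
# addresses and messages are constructed for the demo.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; exit 0; }

# Two separate GNUPGHOME directories stand in for two people's machines.
ALICE=$(mktemp -d); BOB=$(mktemp -d)
chmod 700 "$ALICE" "$BOB"

# "Generate Key": Ed25519 signing key plus a Curve25519 encryption subkey,
# expiring in two years. %no-protection skips the passphrase only so the
# demo runs unattended; on a real machine keep the passphrase.
gen_key() {   # gen_key <gnupghome> <name> <email>
  gpg --homedir "$1" --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Subkey-Type: ecdh
Subkey-Curve: cv25519
Name-Real: $2
Name-Email: $3
Expire-Date: 2y
%commit
EOF
}

# "Export": the ASCII-armored public key block you hand out.
export_pubkey() { gpg --homedir "$1" --armor --export "$2"; }   # <home> <email>

# "Import": load someone else's public key block (read from stdin).
import_pubkey() { gpg --homedir "$1" --quiet --import; }        # <home>

# "Encrypt" + "Sign": plaintext on stdin, armored message on stdout.
# --trust-model always silences the "key not certified" check for the demo;
# in real use, compare fingerprints with the owner before trusting a key.
encrypt_and_sign() {   # <sender home> <recipient email>
  gpg --homedir "$1" --batch --quiet --armor --trust-model always \
      --sign --encrypt --recipient "$2"
}

# "Decrypt": ciphertext on stdin, plaintext on stdout, machine-readable
# signature status (GOODSIG / BADSIG lines) written to a file.
decrypt_and_verify() {   # <home> <status file>
  gpg --homedir "$1" --batch --quiet --status-file "$2" --decrypt
}

# "Sign only": clearsigned text that anyone holding the public key can check.
clearsign() { gpg --homedir "$1" --batch --quiet --clearsign; }  # <home>
verify() { gpg --homedir "$1" --batch --quiet --verify; }        # <home>; non-zero on a bad signature

# --- Walkthrough -----------------------------------------------------------
gen_key "$ALICE" "Alice Example" alice@example.invalid
gen_key "$BOB"   "Bob Example"   bob@example.invalid

# Public keys are exchanged as text blocks; the channel need not be secure.
export_pubkey "$ALICE" alice@example.invalid | import_pubkey "$BOB"
export_pubkey "$BOB"   bob@example.invalid   | import_pubkey "$ALICE"

CIPHERTEXT=$(printf 'db password: correct horse battery staple\n' \
             | encrypt_and_sign "$ALICE" bob@example.invalid)
# What the blob reveals without the private key: a recipient key id and an
# opaque encrypted packet, i.e. to whom, not what (use --hidden-recipient
# to drop even the key id). The signature sits inside the encrypted part.
PACKETS=$(printf '%s\n' "$CIPHERTEXT" | gpg --homedir "$ALICE" --batch --list-packets 2>&1 || true)

STATUS=$(mktemp)
PLAINTEXT=$(printf '%s\n' "$CIPHERTEXT" | decrypt_and_verify "$BOB" "$STATUS")
grep -q '^\[GNUPG:\] GOODSIG' "$STATUS" && SIG_OK=1 || SIG_OK=0

SIGNED=$(printf 'Release 1.2.3 is out\n' | clearsign "$ALICE")
printf '%s\n' "$SIGNED" | verify "$BOB" 2>/dev/null && VERIFY_OK=1 || VERIFY_OK=0
# Change one character of the signed text: verification must now fail.
printf '%s\n' "$SIGNED" | sed 's/1\.2\.3/1.2.4/' | verify "$BOB" 2>/dev/null \
  && TAMPER_DETECTED=0 || TAMPER_DETECTED=1

# Tear down the throwaway keyrings and their agents.
gpgconf --homedir "$ALICE" --kill gpg-agent >/dev/null 2>&1 || true
gpgconf --homedir "$BOB"   --kill gpg-agent >/dev/null 2>&1 || true
rm -rf "$ALICE" "$BOB" "$STATUS"

printf 'decrypted: %s\nsignature ok: %s\nverify ok: %s\ntamper detected: %s\n' \
  "$PLAINTEXT" "$SIG_OK" "$VERIFY_OK" "$TAMPER_DETECTED"
```

Run it with sh; it prints the recovered plaintext, 1 for the good signature, 1 for the clearsign verification, and 1 for the tamper check (the edited announcement fails to verify). Each function maps to one GUI button: --gen-key to New Key, --armor --export to Export, --import to Import, --sign --encrypt --recipient to Encrypt (with Sign ticked), --decrypt to Decrypt, and --clearsign to Sign only. The one thing batch mode hides is the step that matters most in practice: --trust-model always is a demo shortcut, and with real correspondents you confirm the key fingerprint with them over a second channel before you encrypt to it.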
The Real Takeaway
PGP isn’t perfect. Key management is a real friction point: if you lose your private key, you lose access. If someone else gets it, your security is gone. And getting non-technical friends to use it is an uphill battle.
But the underlying principle is powerful: encryption that belongs to you, not to a platform. Signal can shut down tomorrow. Your PGP key still works. The app gets hacked? Doesn’t matter; the attacker just gets ciphertext.
In a world where we’re constantly trusting third parties with our communications, PGP is a reminder that you don’t have to. The math works whether the company does or not.