Not every piece of information is meant for every pair of eyes. That’s why organizations count on encryption technology – to lock down their sensitive data from malicious acquisition or even human error. And, when it comes to those encryption protocols, you’ve got options. One choice you or your IT team might need to make is whether to use PGP or GPG for your encryption standard.
What is PGP?
Pretty Good Privacy, that’s what PGP stands for. It’s a pretty basic description for an encryption standard that’s been in place since the 1990s and one that’s been steadily improved upon over the years to remain the most widely used encryption standard.
PGP is a workhorse, used to encrypt emailed sensitive data or files before they leave on their way to your trading partners or remote locales. It uses a variety of encryption technologies including public/private PGP keys, data compression, hashing, and more. It also is the backbone of offshoots such as Open PGP and GPG.
What is GPG?
GNU Privacy Guard (GPG), sometimes referred to as GnuPG, is simply a different implementation of the OpenPGP encryption standard, which is defined by RFC 4880.
GPG allows users to interface with a GUI or command line which can integrate encryption with emails and operating systems like Linux. It integrates well with other solutions, opening and decrypting files encrypted by PGP or Open PGP. GPG was released as an alternative to Symantec's encryption tools. GPG, like Open PGP, is available as a free software download and is based on the Open PGP encryption standards established by the IETF.
How PGP and GPG Differ
Let's take a brief look at the key differences between PGP and GPG Encryption:
 | PGP | GPG |
---|---|---|
What does the acronym stand for? | "Pretty Good Privacy" | "GNU Privacy Guard" |
What is it? | An encryption program that applies encryption and authentication to files or documents | A free, open-source software replacement for Symantec’s PGP cryptographic software suite. It was developed following the IETF-approved OpenPGP Standard and is compliant with RFC 4880. It may also be referred to as GnuPG. |
How is it used? | Users gain end to end encryption on data over popular protocols of communication like Email, FTP, or HTTP. PGP can be layered with secure popular protocols such as HTTPS, SFTP, or FTPS, in addition to encrypting data at rest. | GPG functions much the same as PGP but on an open-source basis, following the OpenPGP Standard, compliant with RFC 4880. It can be used to support more encryption tools that also adhere to the OpenPGP Standard. |
Platform support | Offers an official support platform, common with proprietary software tools. | Support is typically provided from 3rd-party service providers, or the open source GPG community. |
What types of keys does it support? | Both private-key and public-key cryptography. | Both private-key and public-key cryptography. |
What types of encryption algorithms does it support? | Traditionally uses the RSA algorithm for public-key cryptography. For symmetric key encryption, PGP uses CAST-128, IDEA, or 3DES. Additionally, PGP uses 256+bit SHA-2 as a hashing algorithm. | Supports a broader range of algorithms including RSA, ElGamal, DSA, ECDH, ECDSA, and EdDSA for public-key cryptography. For symmetric key encryption, GPG uses IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256. GPG also uses 256+bit SHA-2 as a hashing algorithm. |
Interoperability* | Messages encrypted with PGP can usually be decrypted using GPG | Messages encrypted with GPG can usually be decrypted using PGP |
*This is due to the mutual adherence to the OpenPGP Standard
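Because both tools write the same RFC 4880 packet format, a receiving team can inspect what a trading partner's file advertises before decrypting it. The following is an added example, not code from PGP, GPG or this article: it walks the packet headers of a binary (non-armored) OpenPGP message and reports the recipient key algorithm, the passphrase cipher, and whether the data packet is integrity protected. The function names, the LEGACY_64BIT policy set and the two sample messages are assumptions constructed for illustration.

```python
# Algorithm IDs: RFC 4880 sections 9.1 and 9.2 (Camellia from RFC 5581, ECC from RFC 6637).
PUBKEY = {1: "RSA", 16: "Elgamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}
SYMMETRIC = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "BLOWFISH", 7: "AES", 8: "AES192", 9: "AES256",
             10: "TWOFISH", 11: "CAMELLIA128", 12: "CAMELLIA192", 13: "CAMELLIA256"}
LEGACY_64BIT = {1, 2, 3, 4}  # assumed local policy: flag 64-bit block ciphers

def packets(data):
    """Yield (tag, body) for each packet of a binary (non-armored) OpenPGP message."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                          # new-format header
            tag, first = hdr & 0x3F, data[i + 1]
            if first < 192:
                length, i = first, i + 2
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 2] + 192, i + 3
            elif first == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths are not handled here")
        else:                                   # old-format header
            tag, size = (hdr >> 2) & 0x0F, (1, 2, 4, 0)[hdr & 0x03]
            if size == 0:
                raise ValueError("indeterminate lengths are not handled here")
            length, i = int.from_bytes(data[i + 1:i + 1 + size], "big"), i + 1 + size
        if i + length > len(data):
            raise ValueError("truncated packet")
        yield tag, data[i:i + length]
        i += length

def audit(data):
    """List what a received message reveals about its algorithms before decryption."""
    findings = []
    for tag, body in packets(data):
        if tag == 1 and body[0] == 3:           # public-key encrypted session key, v3
            findings.append("recipient key: " + PUBKEY.get(body[9], f"id {body[9]}"))
        elif tag == 3 and body[0] == 4:         # passphrase-encrypted session key, v4
            flag = "LEGACY " if body[1] in LEGACY_64BIT else ""
            findings.append(flag + "cipher: " + SYMMETRIC.get(body[1], f"id {body[1]}"))
        elif tag in (9, 18):                    # encrypted data; only tag 18 carries an MDC
            findings.append("integrity protected" if tag == 18 else "no integrity protection")
    return findings

# Constructed sample messages (header and algorithm bytes real, payload bytes filler).
PASSPHRASE_MSG = bytes.fromhex("c30d 04 03 03 02 0011223344556677 60") + b"\xa4\x10" + bytes(16)
PUBKEY_MSG = bytes.fromhex("c10d 03 0102030405060708 01 0008ff") + b"\xd2\x15\x01" + bytes(20)
```

For a public-key encrypted message the symmetric cipher is carried inside the encrypted session key, so only the recipient key algorithm and the data packet type are visible without the private key.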
Is Open PGP the Same as PGP or GPG?
Not quite. PGP is the basis or structure that stands behind Open PGP. Open PGP is a non-proprietary protocol, whereas PGP is a proprietary solution owned by Symantec. Open PGP uses public key or asymmetric cryptography and can be applied to features, tools, or more fleshed out solutions that support open-source PGP encryption technology. Open PGP also addresses the issues of data authentication and non-repudiation with the ability to "sign" files via embedded digital signatures.
How to Decide Between Using PGP or GPG
At first glance, there is not a great deal of difference. Functionally, the two are virtually identical. However, while PGP is a proprietary solution owned by Symantec, GPG is an open-source implementation of the OpenPGP standard.
When deciding which encryption standard to put in place at your organization, ask yourself the following questions:
- How sensitive is the data being exchanged?
- How will the data be transmitted (FTP, email, HTTP, etc.)?
- Are large files, which should be compressed, being exchanged?
- Should the actual files be encrypted (before being transmitted) or should the connection itself be encrypted?
- What encryption standard do your trading partners support?
- How much technical support do you want or need?
Ultimately, it may very well be your trading partner that determines which encryption standard you choose. For example, many financial institutions require their customers to encrypt files using the Open PGP encryption standard.
MFT Can Support and Enhance Your Encryption Strategy
If you need basic encryption, decryption, file signing, and document verification, GoAnywhere Open PGP Studio is a free desktop solution that gives users full control over PGP keys and lets you quickly and easily choose which algorithms you want to support with your keys.
If your organization needs your PGP encryption and decryption processes integrated into a solution that supports enterprise-level compliance, automation, auditing, reporting, and more, GoAnywhere Managed File Transfer supports Open PGP encryption alongside industry-standard file transfer protocols, internal collaboration features, and robust security settings.
Automate Your Encryption
Adding the power of automation to your encryption implementation takes your cybersecurity stance to a higher level. Check out this guide, Why Automating Encryption and Decryption Makes Good Cybersecurity Sense, for complete details and suggestions for encryption strategies based on your unique business needs.