PGP, which stands for Pretty Good Privacy, is a software program used to encrypt and decrypt email messages. It was developed by Philip Zimmermann in 1991. PGP is the most widely used privacy software used and has become the standard in email security. PGP is a variation of public key cryptography and is a highly effective method for ensuring the security and privacy of communication sentove the Internet.

How it Works

PGP uses a variation of the public key system. In this system, each user has a publicly known encryption key and a private key known only to that user. You encrypt a message you send to someone else using their public key. When they receive it, they decrypt it using their private key. Since encrypting an entire message can be time-consuming, PGP uses a faster encryption algorithm to encrypt the message and then uses the public key to encrypt the shorter key that was used to encrypt the entire message. Both the encrypted message and the short key are sent to the receiver who first uses the receiver's private key to decrypt the short key and then uses that key to decrypt the message.

How PGP encryption works

Image Courtesy of

How PGP decryption works
Image Courtesy of

Application in Health IT

The 1996 U.S. Health Insurance Portability and Accountability Act (HIPAA) mandated confidentiality of medical records transmitted over the Intenet. Many health organizations are turning to PGP encryption to protect these files while transmitting over the Internet or while existing on laptops filled with sensitive data. In contrast to security systems/protocols like SSL, which only protect data in transit over a network, PGP encryption can also be used to protect data in long-term data storage such as disk files.

The Health IT industry is beginning to catch on to the power of PGP encryption.For example, as more and more providers are using email as a means of communicating with patients, insurance companies and other providers, it has become a primary concern that these communications, which may contain protected personal health information, are secure and patient privacy is maintained.

Types of PGP

There are two main types of PGP:
  • Rivest-Shamir-Adleman (RSA) - This version, for which PGP must pay a license fee to RSA, uses the International Data Encryption Algorithm (IDEA) to generate a short key for the entire message and RSA to encrypt the short key
  • Diffie-Hellman - This version uses the CAST algorithm for the short key to encrypt the message and the Diffie-Hellman algorithm to encrypt the short key.

While PGP, Inc. sells and owns a PGP commerical venture - the software is available for non-commercial use (for students and non-profit organizations) from PGP, Inc. and other commercial and free 3rd party sources.


Below are links to case studies related to the application on PGP

Maimonides Medical Center

BAE Systems


Additional Resources

PGP: Pretty Good Privacy - A text by Simson Garfinkel and published by O'Reilly Media
Applied Cryptography - A text by Bruce Schneier
PGP Tutorial - An online tutorial that will show you how to download, install, set up, and use PGP encryption software

Related Terminology

public-key cryptography
web of trust
private key
Public Key Infrastructure (PKI)
Rivest-Shamir-Adleman (RSA)
International DAta Encryption Algoritm (IDEA)