Encryptions in transit/between sender and recipient, how safe, please?

mark's Avatar


17 Jun, 2020 02:03 AM

I think I understand the basics of PGP.

But if I share my Public Key with an honest recipient and/or publish my Public Key, what is to stop anyone (else) from INTERCEPTING that key and using it to decrypt my encrypted messages (from Apple Mail) en route, as it passes from one server to another across the Internet?

As if that snooper/intercepter were the intended recipient?

  1. 1 Posted by grail on 19 Jun, 2020 06:01 AM

    grail's Avatar

    You public key can not be used to decode a message unless the recipient has the private key required to decrypt it.

    Both parties have their own private key and public key. Both parties are happy to share their public key with anyone.

    Encryption uses your private key and the recipient's public key.

    Decryption uses your public key and the recipient's private key.

    Unless the snooper/interceptor has access to one of the private keys, they can't decrypt the message (for suitable definitions of "can't", mainly being that current computers would take months or years to decrypt a PGP message by brute force)

  2. 2 Posted by mark on 19 Jun, 2020 05:32 PM

    mark's Avatar

    Thanks. That's really clear and re-assuring. Just what I wanted to know.

    Much appreciated :-)

  3. Support Staff 3 Posted by Steve on 19 Jun, 2020 08:05 PM

    Steve's Avatar

    This KB-article explains the basics of public key cryptography. It's a long text but worth the time.


  4. 4 Posted by grail on 22 Jun, 2020 01:09 AM

    grail's Avatar

    Well I learned something too. I had thought that the session key was encrypted using some form of trickiness with both parties' keys.

  5. 5 Posted by mark on 22 Jun, 2020 04:56 AM

    mark's Avatar

    Isn't it the case that a one-time session key does get sent with the sender's Public Key to aid in decryption bu the recipient?

  6. 6 Posted by grail on 22 Jun, 2020 10:13 PM

    grail's Avatar

    The receiver's private key is used to decrypt the session key, which was previously encrypted using the receiver's public key.

    Check the section "How OpenPGP works" in the article Steve linked earlier

    If I want to send you a secret message, I'll use a generated session key to encrypt the message, then use your public key to encrypt the session key, then bundle the encrypted message and the encrypted session key together to send to you.

    You'll then unpack that bundle and decrypt the session key using your private key (which you never let anyone see), then use the decrypted session key to decrypt the message.

    The security of this system relies on both the private key and the session key being hard to guess.

  7. 7 Posted by mark on 22 Jun, 2020 10:49 PM

    mark's Avatar

    Thanks, grail. I understand. Am very happy with GPGTools!

    Off Topic, if I may, please: although I have registered and created a profile for this tenderapp forum, I cannot view the complete thread. The URLs which I receive in notifications only ever take me to the 'Reply to this discussion' form/page.

    That's also the only page I can ever get to when I click on the thread's title at https://gpgtools.tenderapp.com/discussions/problems

    Is it a cookie, browser, VPN even, perhaps issue?

    I'm using Safari 13.1.1 on 10.14.6 and am logged in.

    Thanks in advance for any help here :-)

  8. 8 Posted by mark on 22 Jun, 2020 10:55 PM

    mark's Avatar

    Please disregard my last question!

    I had a suspicion that my ad-blocker was responsible. So have 'whitelisted' this domain :-)

    FYI, in case it comes up with anyone else, 1Blocker does prevent threads from displaying.

    All working as it who'll now…

    Thanks again!

  9. Support Staff 9 Posted by Steve on 24 Jun, 2020 02:56 PM

    Steve's Avatar

    Re-read this thread and wanted to clarify something from comment #6

    "Encryption uses your private key and the recipient's public key." That is not correct. Encryption uses the public key of the recipient and your own public key. Otherwise the sending would be unable to access the sent content at a later point in time. This is a requirement in GPG Mail. It is optional when using GPG Services.

    "Decryption uses your public key and the recipient's private key." No public key will ever be used for decryption. Decryption is done with the secret key corresponding to the public key used for encryption.

    There are no "session keys" involved currently in OpenPGP.

    And secret keys should never be sent anywhere. They are to be kept secret. You might have to transfer your secret key though if you are looking to use a second device with the same OpenPGP key. In that case the transfer should be done via local file sharing or using a thumb drive.

    Glad you are now also able to access this discussion in your browser.


  10. 10 Posted by mark on 24 Jun, 2020 05:00 PM

    mark's Avatar

    Thanks so much, Steve, for keeping an eye on us in this discussion :-)

    Is this summary correct, then, please:

    • Open PGP Encryption: recipient’s public key + sender’s public key.
    • Open PGP Decryption: recipient’s private key corresponding to the same public key (the sender’s) which was used for encryption by the sender


    If so, may I ask you to clarify exactly what is meant by your, "…Decryption is done with the secret key corresponding to the public key used for encryption.…", please?

    Especially how this correspondence works.

    I too have read here that an encrypted message from a (known, specific) sender must contain a single one-time session key as the only way the the recipient can use their (private) key to decrypt it:

    OpenPGP then creates a session key, which is a one-time-only secret key. This key is a random… Once the data is encrypted, the session key is then encrypted to the recipient's public key. This public key-encrypted session key is transmitted along with the ciphertext to the recipient.

    Obviously, I for one, do not completely understand this properly. Any help you can kindly give will be much appreciated:-)


  11. Support Staff 11 Posted by Steve on 24 Jun, 2020 05:09 PM

    Steve's Avatar

    Alice encrypts a message with Bob's public key. Bob can then decrypt using his secret key.

    In GPG Mail the message is also encrypted with Alice's public key so that she can decrypt the sent message later using her own secret key.

    So anything encrypted to public key of person x can only be decrypted using the secret key of person x.

    Will double check the session key explanation.

  12. 12 Posted by mark on 24 Jun, 2020 05:13 PM

    mark's Avatar

    Thanks, Steve. I notice you use 'secret'. That is the same as 'private' (key), isn't it?

  13. Support Staff 13 Posted by Steve on 24 Jun, 2020 05:15 PM

    Steve's Avatar

    Yes. We use "secret" key throughout GPG Suite as we believe it makes the purpose more clear than "private".

    That KB article is a very good read, but it is really old. Not sure if we find the time to check and rewrite parts of it.

  14. 14 Posted by mark on 24 Jun, 2020 05:18 PM

    mark's Avatar

    Thanks very much, Steve. All clear, as usual. Appreciated!

Reply to this discussion

Internal reply

Formatting help / Preview (switch to plain text) No formatting (switch to Markdown)

Attaching KB article:


Attached Files

You can attach files up to 10MB

If you don't have an account yet, we need to confirm you're human and not a machine trying to post spam.

Keyboard shortcuts


? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac