Is PGP safe from the NSA?

GnuPG - NSA-safe encryption made in Germany

Arne Arnold

It almost seemed as if the secret services could crack any encryption on the Internet. But then it turned out that a German programmer had written the NSA-safe tool.

Secure emails with GnuPG
© Spectral-Design - Fotolia.com

The American secret service NSA has an estimated budget of around 11 billion dollars a year. That's enough money to pay highly specialized code breakers who can decipher anything the NSA is interested in. But as it stands now, there is a tool that the NSA cannot crack: the mail encryption software GnuPG, "Made in Germany". The German Werner Koch programmed the tool almost single-handedly around 18 years ago.

With GnuPG against NSA and code breakers

For around two years now, journalists, activists and hackers have been evaluating the intelligence data that the whistleblower Edward Snowden gave to the press in 2013. The data showed not only massive monitoring of unencrypted Internet traffic, but also many attacks on encrypted communication on the Internet. Two experts reported on this at the 31st Chaos Communication Congress (CCC) in December 2014 in Hamburg. But they also talked about encryption software that the American secret service NSA could not crack: the GnuPG program, which was largely developed by the German programmer Werner Koch. He has been working on it since 1997. Koch, who was himself in the audience, received thunderous applause for his commitment to secure encryption, because for years the programmer had looked after GnuPG full-time on a comparatively low salary.

Since the 31st CCC, Werner Koch and the open source project GnuPG have been known to a broad public: the Süddeutsche Zeitung has reported on him, and the US has also taken notice of the man whose tool defies the multi-billion-dollar NSA. Since then, money has no longer been an issue for the developer. Individual donations alone brought in 200,000 euros for the GnuPG project, and Facebook and the Linux Foundation also want to donate large amounts. The programmers publish the current state of GnuPG on the project website www.gnupg.org. You can read an interview with Werner Koch here.

PGP / GPG: A checkered history of encryption

PGP stands for Pretty Good Privacy and describes an encryption method that is mainly used for emails. It works with a public key for encrypting a message and a private key for decrypting it.

PGP was developed by Phil Zimmermann in 1991 and was initially available for free. In 1995 Zimmermann even published the source code in book form free of charge, because only in this form could the code be exported from the USA: encryption code in digital form was subject to strict export restrictions at that time.

Getting on in years: Phil Zimmermann's free code is still available in the form of PGP 8, but the last update was in 2002.

However, a checkered licensing history followed, because Zimmermann's code did not remain free. He moved to McAfee and ended up at Symantec. PGP for mail is sold today by Symantec for a license fee of $175 per year per PC (www.pgp.com). Already at McAfee, the code was no longer public and new functions were added. As a result, some security experts no longer consider the program to be one hundred percent trustworthy.

The OpenPGP standard was developed at the end of the 1990s as a permanently free and open source alternative to PGP. The matching implementation, written completely from scratch, is GPG or GnuPG. GPG stands for Gnu Privacy Guard. Unlike the commercial PGP code, GnuPG has always been open source, so all changes to the code are public.

The GnuPG code is now integrated in many application programs (front ends), such as Thunderbird with the Enigmail extension. Colloquially, however, the term PGP encryption is still used, even when what is meant is a GnuPG-based program following the OpenPGP standard.

GnuPG: How to set up mail encryption

If you would like to use the NSA-safe encryption with GnuPG from Werner Koch yourself, that's no problem. Here we show how this works with the popular Thunderbird mail program. Our step-by-step instructions below reveal how to install and configure all the necessary tools. If you don't want to use Thunderbird, you can find alternatives at www.gnupg.org.

First of all, the theory of encryption with GnuPG: The system works with two keys, one public and one private. Each participant has their own public key, which they can send on request or make available for download on a server. And everyone has their own private key, which matches the public key. You keep the private one absolutely secret. Together with a password, it is used to decrypt received mail messages.

If you want to send someone a secret message yourself, you encrypt it with the recipient's public key. The public key is comparable to an envelope addressed to the recipient that can be sealed shut. Anyone can put a message in there, seal the envelope and send it off. However, only the recipient can open the envelope, with their private key.
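As an added illustration of the two-key principle above (not code from the article), here are the same steps on the gpg command line that Gpg4win and Enigmail drive in the background: two key pairs, the public key handed over, a message sealed for Bob, and a check that only Bob's private key opens it. Alice, Bob, their addresses and the message are made up; GnuPG 2.1 or later is assumed to be installed as `gpg`.

```shell
# Added example, not from the article: the two-key principle demonstrated with
# gpg itself. Assumes GnuPG 2.1 or later on the PATH. Alice, Bob, their addresses
# and the message are constructed for the demo.
set -e

# Separate keyring directories stand in for Alice's and Bob's separate PCs.
ALICE_HOME=$(mktemp -d)
BOB_HOME=$(mktemp -d)
MSG_FILE=$(mktemp)

# Run gpg against one party's keyring without interactive prompts. The demo
# uses an empty passphrase; in real use the private key is passphrase-protected.
run_gpg() {
    home=$1; shift
    gpg --homedir "$home" --batch --quiet --pinentry-mode loopback --passphrase '' "$@"
}

# Each party generates their own key pair: a public key and a secret private key.
run_gpg "$ALICE_HOME" --quick-generate-key "Alice <alice@example.com>" default default 1y 2>/dev/null
run_gpg "$BOB_HOME"   --quick-generate-key "Bob <bob@example.com>"     default default 1y 2>/dev/null

# Bob hands out only his public key (the "envelope"); Alice adds it to her keyring.
run_gpg "$BOB_HOME" --armor --export bob@example.com | run_gpg "$ALICE_HOME" --import 2>/dev/null

# Alice seals the message with Bob's public key; the ciphertext goes to MSG_FILE.
# --trust-model always skips the key-validity question that batch mode cannot answer.
encrypt_for_bob() {
    printf '%s' "$1" | run_gpg "$ALICE_HOME" --trust-model always --armor \
        --encrypt --recipient bob@example.com > "$MSG_FILE"
}

# Bob opens the envelope with his private key and gets the plaintext back.
bob_decrypts() {
    run_gpg "$BOB_HOME" --decrypt "$MSG_FILE" 2>/dev/null
}

# Alice holds only Bob's public key, so even she cannot reopen what she sealed.
alice_decrypts() {
    if run_gpg "$ALICE_HOME" --decrypt "$MSG_FILE" >/dev/null 2>&1; then
        echo "readable"
    else
        echo "not readable"
    fi
}

encrypt_for_bob "Meet at nine, bring the documents."
echo "Bob reads:   $(bob_decrypts)"
echo "Alice reads: $(alice_decrypts)"
```

The keyrings live in temporary directories, so the demo leaves your own GnuPG setup untouched.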

You need these programs: The open source tool Thunderbird is recommended as a mail program. You receive the GnuPG code together with the Gpg4win software. This will also install the Kleopatra program for you, which can be used to manage GPG keys. The Thunderbird extension Enigmail, which also offers good key management, is recommended for emailing protected messages.

In the key management of Enigmail you generate a new key pair for one of the mail addresses that you have set up in Thunderbird. In many cases, an expiration date for the keys can be useful.

Step 1: First install the three necessary programs: If you are not yet using the Thunderbird mail program, first install this tool and configure it for your mail account. Thunderbird offers a simple wizard for this after the first start. Thunderbird can automatically get the necessary information for the mail server from many mail providers. If that doesn't work for you, you will find all the information on the help pages of your mail service.

Now install Gpg4win and leave the default settings in the installation wizard. The tool brings the GnuPG code to the PC and is later used by Enigmail.

The Enigmail extension comes in the form of an XPI file. To integrate it into Thunderbird, start the mail program and click on "Menu symbol -> Add-ons". Now drag and drop the XPI file onto the left menu area. A window with the title "Software Installation" pops up, in which you click on "Install now". Restart Thunderbird so that the program can load the extension. All three necessary tools are now installed.

Step 2: