
OpenPGP encryption tools benefit from new developments

Some things are changing in the world of OpenPGP public key encryption protocol implementations. Chad Perrin looks at up-and-coming netpgp for basic encryption and decryption capabilities.

One of the best known protocols for secure communication is OpenPGP. It all started with Philip Zimmermann's creation of a public key encryption tool called PGP in 1991. Since then, ownership of the main codebase has changed hands a few times, and an encryption protocol standard, the OpenPGP standard, has been created. A number of other pieces of software that implement that protocol have been created along the way as well.

For a long time, the only OpenPGP tools people used with any frequency were the official PGP and the GnuPG implementation.

In recent years, the custodian of the core PGP codebase has been PGP Corporation, and though it operated as a closed source, commercial security software vendor -- an industry mostly filled with sketchy snake oil peddlers -- PGP Corp was mostly staffed by people who liked open source software and cared about personal privacy. Customers could view the source, minus the license enforcement components. That is not exactly the best practice for assurance of software security, but it is a darn sight better than the way most security vendors handle things.

Alas, things are not looking good on that front. In April 2010, Symantec Corporation announced an agreement to acquire PGP Corporation. Perhaps it is worth withholding judgment for now, but given Symantec's reputation in the security community as a security software vendor in recent years, one might be forgiven for thinking this is the end of an era for the Pretty Good Privacy tool.

GnuPG, meanwhile, is the GNU Project's open source (the GNU people would say Free Software) implementation of the OpenPGP protocol. It has kept up with the times in terms of encryption capabilities, but its feature set has become an eclectic mix of feature creep and missing features: it offers a "write output to file" option where a simple shell redirect would suffice, yet it cannot check multiple server sources to verify a cryptographic signature.

A number of articles about the use of GnuPG have been published at TechRepublic over the years, including the following:

Things have been proceeding apace, however. Neither strictly copyright-enforced PGP nor copyleft GnuPG filled a needed niche: an OpenPGP implementation that uses the best licensing model for security software. Less than two years ago, Options for OpenPGP offered a short list of copyfree licensed implementations:

Unfortunately, none of these four offerings served as a suitable replacement for either PGP or GnuPG. Each is old and outdated, designed for too narrow a purpose, or simply not intended as an end-user tool. Fortunately Alistair Crooks, of NetBSD fame, took it upon himself to resolve that little discrepancy. The result of his hacking on OpenPGP SDK sources is netpgp, what amounts to a drop-in replacement for GnuPG for most purposes.

It is still in development, and still needs testing for certain important uses such as Mutt integration. Basic encryption, decryption, and signing capabilities are reportedly stable, however, and Alistair Crooks is hard at work -- with help from contributors, including Debian developers -- on improving it. With luck, it should be a complete GnuPG replacement in no time. Then, we will be able to count the number of major production-ready OpenPGP applications at three.


Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

Sterling Chip Camden

Not Symantec! That'll change "pretty good" to "damn near unusable piece of enterprise crap" in no time. The netpgp project looks interesting, and I see it's in the FreeBSD ports. That might be a good one with which to get involved.


I've been in touch (just a little) with a couple of the people at PGP Corp. over recent years, and know a guy who contracted with them for a while. That experience has taught me that for the most part the technical people there and a number of the decision makers were good, honest people who believed in concepts like transparency, privacy, and so on. Quite a few were even old-school cypherpunks, apparently. I want to believe their influence will be felt in years to come at Symantec, but my cynical nature tells me the opposite is probably more likely -- that Symantec's soulless bureaucratic nature will destroy the good at PGP Corp., and anyone who refuses to let go of antiquated concepts like privacy and transparency will be marginalized or pushed out of the company entirely. Still, hope springs eternal. As for netpgp . . . yeah, I want to get involved in that one, just as soon as I figure out where to find some more time to devote to yet another project.
