Since bringing my new site design online, I've had dozens of responses from people asking why I publicly post an encryption key on my About page. It's a PGP public key, and you can use it to send me encrypted messages.
In symmetric encryption, we use the same key to encrypt and decrypt data. If you symmetrically encrypted an email to me, you'd also need to send me the key so I could decrypt it. Problem is, anyone else intercepting our traffic could decrypt it too, which would negate the purpose!
To solve this problem, PGP uses asymmetric, public key cryptography. When we create a new PGP identity, the software generates two mathematically-related keys for us:
- a public key to share with people
- and a private key we keep secret
If you want to send me an encrypted message, PGP will encrypt it using my public key. This message can then only be decrypted with my private key, which PGP uses when I receive your message. If I have your public key, I can then send you an encrypted reply.
Another application of this is email signatures, which can be used to ensure the integrity of a message. Instead of encrypting the entire message, PGP encrypts only a hash of the message, this time using my private key. When you receive my email, PGP will hash the message itself and compare the result to the hash it decrypts from my signature using my public key. If they match, the email wasn't tampered with.
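As an added illustration (not code from this site or from PGP itself), the toy RSA sketch below shows both uses of one key pair described above: encrypting to a public key, and signing a hash with the private key. The key is built from two fixed, well-known primes and uses no padding, so it only shows the mechanics; all function and variable names are assumptions made for this example.

```python
import hashlib

# Constructed toy key pair: two known Mersenne primes, textbook RSA, no padding.
# Real PGP keys are generated from random primes and used with padding schemes.
P, Q = 2**521 - 1, 2**607 - 1
N = P * Q                              # modulus, shared by both halves of the pair
E = 65537                              # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent (Python 3.8+)

PUBLIC_KEY = (N, E)                    # the half you publish
PRIVATE_KEY = (N, D)                   # the half you keep secret

def encrypt(message: bytes, public_key) -> int:
    """Anyone holding the public key can produce a ciphertext."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)

def decrypt(ciphertext: int, private_key) -> bytes:
    """Only the private key recovers the message (leading zero bytes are lost)."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def digest(message: bytes) -> int:
    """SHA-256 of the message as an integer (256 bits, well below N)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, private_key) -> int:
    """'Encrypt' only the hash, using the private key."""
    n, d = private_key
    return pow(digest(message), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """Recover the signed hash with the public key and compare to a fresh hash."""
    n, e = public_key
    return pow(signature, e, n) == digest(message)

if __name__ == "__main__":
    mail = b"Meet at noon."                       # constructed sample message
    print(decrypt(encrypt(mail, PUBLIC_KEY), PRIVATE_KEY))
    sig = sign(mail, PRIVATE_KEY)
    print(verify(mail, sig, PUBLIC_KEY))          # untouched message
    print(verify(b"Meet at nine.", sig, PUBLIC_KEY))  # altered in transit
```
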
Image is by Silvan Schmid. His page has more detail on how PGP works, including the web of trust concept.