PGP/GPG, a short introduction

The tl;dr to public key encryption.

The concept is fairly simple. Imagine you own a lock that uses two keys which we'll call A and B. These two keys complement each other: whatever operation you do with one requires the other to undo it. For example, if you lock it with key B, I can unlock it with key A. If I lock it with key A, you can unlock it with key B. Note that you can't reverse the operation with the same key, e.g. if it was locked with key A you cannot then unlock it with key A.

So, how does this analogy apply to public key encryption? Let's start by changing the names of the above keys. Instead of A and B let's call the keys private and public. Instead of physical keys these are small electronic files.

  • The private key you keep to yourself.
  • The public key you share with anyone you want to communicate with. (We'll discuss how this is done later.)

Per the original analogy, anything locked/encrypted with one key can be unlocked/decrypted with the other.

Secure/Encrypted transmission

If someone wants to send me something only I should be able to read, they simply encrypt it with my public key. The only way to decrypt it is to use the corresponding private key. As I am the only one who should have access to that private key, I am the only one who should be able to decrypt it.

If I want to send a message to someone else so only they can read it, I simply use their public key to encrypt it. As they are the only one who should have access to the corresponding private key, only they should be able to decrypt it.

Signing

If I want to prove I sent a message, I can use my private key to encrypt a digital signature for that message. Anyone who wants to verify the message came from me can use my public key to decrypt that signature. If they can decrypt it, then my private key was used for the signature, so I must have been the one who signed it. If they can't decrypt it, then my private key was not used to encrypt it and something is wrong.
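The two operations above, encrypting to someone's public key and signing with your own private key, as an added example in Go using RSA from the standard library. This is not code from the original page; the function names are my own, and RSA-OAEP and RSA-PSS stand in for the OpenPGP message formats that GnuPG handles for you.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// NewKeyPair makes the two complementary keys of the analogy; the private key
// value also carries the public half, which is the part you hand out.
func NewKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Encrypt locks msg with the recipient's public key (RSA-OAEP).
func Encrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt unlocks with the private key. Any other private key does not reverse
// the operation: the OAEP padding check fails and an error comes back.
func Decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// Sign produces a signature over the SHA-256 hash of msg with the sender's
// private key (RSA-PSS).
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

// Verify checks the signature with the sender's public key; it is false if the
// message was altered or a different private key made the signature.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

func main() {
	me, _ := NewKeyPair()    // my key pair
	other, _ := NewKeyPair() // someone else's key pair
	ct, _ := Encrypt(&me.PublicKey, []byte("for my eyes only"))
	pt, _ := Decrypt(me, ct)
	_, wrongKey := Decrypt(other, ct)
	sig, _ := Sign(me, []byte("I wrote this"))
	fmt.Printf("decrypted=%q, other key fails=%v\n", pt, wrongKey != nil)
	fmt.Println("valid with my key:", Verify(&me.PublicKey, []byte("I wrote this"), sig), "with other's:", Verify(&other.PublicKey, []byte("I wrote this"), sig))
}
```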

Practical issues:

You may have noticed some practical issues with the above system. For example:

  1. How do you share your public key or get someone else's public key?
  2. How can anyone trust that a public key actually belongs to the person it claims to be associated with?
  3. What happens if you lose your private key or if it's compromised? e.g. Someone steals your laptop which has your private key on it.

The PGP system has methods for dealing with these issues.

Sharing keys

At the most direct level, you can exchange a public key directly with the person you want to communicate with, e.g. via email or on physical media like a thumb drive. This is fine if you actually know the person but not practical for general use.

For widespread use, there are many key servers on the Internet. These are public repositories that allow you to post your public key for others to see and to look up other people's public keys.

Trusting keys

It's bad practice to blindly trust some key you found on the Internet or which just shows up, unannounced, in email. "Hi, I'm a Nigerian Prince and you can trust this email because it's signed with my public PGP key." So, how can you verify a key is legit? There are two mechanisms for this.

Verify for yourself

If you've physically exchanged keys with someone you know, you can be confident it's their key. For someone you don't know, you can still physically exchange keys and ask for some ID to confirm they are who they claim to be.

Of course, it's generally not practical to meet in person to exchange keys. To that end, you can send a person your public key via email or a thumb drive and then verify the "fingerprint" of that key using a different channel, like a phone call. (A key fingerprint is a shorthand version of the key which is human readable and short enough to be easy to verify this way.)

Related to this, people may post their PGP fingerprint somewhere such as their website. If you trust that the person owns the website and are confident the website hasn't been hacked you can use that fingerprint to verify the public key from a key server is, indeed, their public key.
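Fingerprint checking as described above, as an added example in Go (not from the original page). It assumes the public key is available as raw bytes, and for illustration hashes them with SHA-256; real OpenPGP v4 fingerprints are SHA-1 over the public key packet, but the comparison logic is the same.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"strings"
)

// Fingerprint hashes the public key bytes and prints the digest as upper-case hex
// in groups of four, the way GnuPG displays fingerprints. Illustrative only: real
// OpenPGP v4 fingerprints are SHA-1 over the public key packet, not SHA-256.
func Fingerprint(pubKey []byte) string {
	sum := sha256.Sum256(pubKey)
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	var groups []string
	for i := 0; i < len(h); i += 4 {
		groups = append(groups, h[i:i+4])
	}
	return strings.Join(groups, " ")
}

// Normalize strips spaces and colons and folds case, so a fingerprint read out
// over the phone or copied from a web page compares equal however it was typed.
func Normalize(fp string) string {
	return strings.ToUpper(strings.NewReplacer(" ", "", ":", "", "\n", "").Replace(fp))
}

// Matches reports whether the key received over an untrusted channel (email, key
// server) has the fingerprint confirmed out of band. A truncated or partial
// fingerprint is rejected; the comparison is constant-time.
func Matches(pubKey []byte, confirmed string) bool {
	want, got := Normalize(confirmed), Normalize(Fingerprint(pubKey))
	if len(want) != len(got) {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(want), []byte(got)) == 1
}

func main() {
	// Constructed stand-in for key material; a real key is the OpenPGP key packet.
	key := []byte("constructed sample public key bytes")
	fp := Fingerprint(key)
	fmt.Println("fingerprint:", fp)
	fmt.Println("matches copy read over the phone:", Matches(key, strings.ToLower(fp)))
	fmt.Println("matches a substituted key:", Matches(append(key, '!'), fp))
	fmt.Println("matches only the first 4 groups:", Matches(key, fp[:19]))
}
```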

The chain of trust

This leverages the signing capability of PGP. You can, for example, sign someone else's public key. When you do this you are, in effect, saying "I have verified this key belongs to the person it claims to be associated with." Others can do the same for your public key. If enough people do this, it's possible to reach a state where a key has enough signatures that you can follow the chain and have some level of confidence it is valid.

For example, you know Mary personally and have exchanged public keys with her in person. She has signed Bob's key. Bob has signed Jane's key, which you've just retrieved from a public key server. Because you trust Mary, and she has vouched for Bob, who in turn has vouched for Jane, you are reasonably confident the key does belong to Jane.

To facilitate this, organizations often have "key signing" events where people exchange public keys in person while presenting some form of valid ID. This helps build the pool of highly trusted keys on key servers.

Lost or stolen Private Keys

Your private key is your electronic identity. It's what you use to sign messages or decrypt messages which are intended only for you. If you lose this key, you won't be able to do either. What's worse, if someone else obtains access to it, they'll be able to impersonate you and read encrypted messages to you. This is why it's critical to protect this key as you would any other form of critical, personal identification.

However, stuff happens. What do you do if your private key is lost or compromised? You simply tell the world "Hey, stop using that private key. It can no longer be trusted." This is done by uploading a revocation certificate to the key server which has the corresponding public key. Note that this cannot be undone. You'll have to start over with a new key pair, have your public key signed, share it with others, etc. To mitigate this risk, people create subkeys for day to day use and keep their root/master key off their regular system in a safe location.
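The Mary/Bob/Jane chain of trust from the earlier section, together with the effect of a revocation, as an added example in Go. This is not code from the original page; the data structure (keys you trust directly, who signed whom, and which keys are revoked) and the breadth-first walk are my own simplification, not how GnuPG computes trust.

```go
package main

import "fmt"

// WebOfTrust is one user's view: keys verified in person, signatures seen on a
// key server (signed key -> keys that signed it), and revoked keys.
type WebOfTrust struct {
	Trusted  map[string]bool
	SignedBy map[string][]string
	Revoked  map[string]bool
}

// VouchPath returns the shortest chain of vouchers from a directly trusted key
// to target (e.g. [Mary Bob Jane]), or nil if no chain of at most maxHops
// signatures exists. A revoked key is never accepted and can no longer vouch.
func (w *WebOfTrust) VouchPath(target string, maxHops int) []string {
	if w.Revoked[target] {
		return nil
	}
	type step struct{ id string; path []string }
	queue := []step{{target, []string{target}}} // breadth-first: shortest chain first
	seen := map[string]bool{target: true}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if w.Trusted[cur.id] {
			return cur.path
		}
		if len(cur.path)-1 >= maxHops { // hops used so far
			continue
		}
		for _, signer := range w.SignedBy[cur.id] {
			if seen[signer] || w.Revoked[signer] {
				continue // a revoked key's signatures no longer count
			}
			seen[signer] = true
			queue = append(queue, step{signer, append([]string{signer}, cur.path...)})
		}
	}
	return nil
}

func main() {
	w := &WebOfTrust{Trusted: map[string]bool{"Mary": true}, Revoked: map[string]bool{},
		SignedBy: map[string][]string{"Bob": {"Mary"}, "Jane": {"Bob"}}}
	fmt.Println("chain to Jane:", w.VouchPath("Jane", 3)) // [Mary Bob Jane]
	w.Revoked["Bob"] = true                                 // Bob's revocation certificate arrives
	fmt.Println("after revocation:", w.VouchPath("Jane", 3)) // []
}
```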