Pretty Good Privacy (PGP) is a widely used encryption system that enables secure communication and identity verification through public-key cryptography. It works by generating a pair of cryptographic keys: a public key, which can be shared with anyone, and a private key, which must remain secret.
Although many people think of PGP keys as simple encryption keys, each key actually contains several pieces of structured information such as metadata, identities, signatures, and key capabilities. Understanding what data exists inside PGP keys helps with key management, security auditing, and troubleshooting.
This article explains the information contained in PGP public keys and PGP private keys, and how they differ.
How PGP Key Pairs Work
PGP uses asymmetric cryptography, where two mathematically related keys are generated together:
- Public Key – Used by others to encrypt messages or verify signatures.
- Private Key – Used by the key owner to decrypt messages or create digital signatures.
Even though these keys are paired, their contents differ significantly in terms of security sensitivity.
Information Contained in a PGP Public Key
A PGP public key is designed to be shared openly. It contains enough information for others to encrypt messages to the owner or verify their digital signatures.
Below are the main components typically found inside a PGP public key.
1. Public Key Material
The public key material contains the cryptographic parameters required for encryption or verification.
Depending on the algorithm used, this may include:
- Algorithm type
  - RSA
  - DSA
  - ECDSA
  - EdDSA
  - ElGamal
- Public key value
  - For RSA: modulus (n) and public exponent (e)
  - For ECC: public point on the curve
This information enables encryption and signature verification but cannot be used to derive the private key.
2. Key Fingerprint
The fingerprint is a cryptographic hash of the public key (for version 4 keys, a 160-bit SHA-1 hash of the public key packet). It uniquely identifies the key and is commonly used to verify authenticity.
Example fingerprint format:
F2A1 7C3B 9E5D 6A8C 42D1 7F2E 1B4C 3A9E 0D1F 2B8C
Fingerprints are used when verifying keys through secure channels or key signing events.
3. Key ID
The Key ID is a shorter identifier derived from the fingerprint.
Two formats are commonly used:
- Short Key ID – last 8 hex characters
- Long Key ID – last 16 hex characters
Example:
Key ID: 0D1F2B8C
Key IDs make referencing keys easier, but they are less secure than fingerprints because collisions are possible, so the full fingerprint should be compared whenever authenticity matters.
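To make sections 1 to 3 concrete, here is an added Python example (not code from the original article) that builds a toy version 4 RSA public-key packet, parses it back into its fields, and derives the fingerprint and both key IDs exactly as RFC 4880 specifies (sections 4.2, 5.5.2 and 12.2). The RSA modulus, exponent and creation time are constructed toy values, far too small for real use; everything else follows the packet format.

```python
"""Added example (not from the original article): build a toy v4 RSA
public-key packet, parse it, and derive the v4 fingerprint and key IDs.
The key values are constructed toy numbers, not a real key."""
import hashlib
import struct

PUBLIC_KEY_TAG = 6
ALGO_NAMES = {1: "RSA", 16: "ElGamal", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}


# --- MPI encoding (RFC 4880 3.2): 2-octet bit count, then the magnitude ---
def encode_mpi(value: int) -> bytes:
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def decode_mpi(data: bytes, offset: int):
    bits = struct.unpack(">H", data[offset:offset + 2])[0]
    nbytes = (bits + 7) // 8
    value = int.from_bytes(data[offset + 2:offset + 2 + nbytes], "big")
    return value, offset + 2 + nbytes


# --- Packet framing (RFC 4880 4.2) ---
def build_old_format_packet(tag: int, body: bytes) -> bytes:
    # 0b10 | 4-bit tag | length-type 01 (two-octet length)
    return bytes([0x80 | (tag << 2) | 0x01]) + struct.pack(">H", len(body)) + body


def parse_packet_header(data: bytes):
    """Return (tag, header_length, body_length) for old- and new-format headers."""
    ctb = data[0]
    if ctb & 0x40:  # new-format header: 6-bit tag, variable-length length field
        tag = ctb & 0x3F
        first = data[1]
        if first < 192:
            return tag, 2, first
        if first < 224:
            return tag, 3, ((first - 192) << 8) + data[2] + 192
        if first == 255:
            return tag, 6, struct.unpack(">I", data[2:6])[0]
        raise ValueError("partial-body lengths are not handled here")
    tag = (ctb >> 2) & 0x0F  # old-format header: 4-bit tag, 2-bit length type
    ltype = ctb & 0x03
    if ltype == 0:
        return tag, 2, data[1]
    if ltype == 1:
        return tag, 3, struct.unpack(">H", data[1:3])[0]
    if ltype == 2:
        return tag, 5, struct.unpack(">I", data[1:5])[0]
    raise ValueError("indeterminate length is not handled here")


# --- Public-key packet body (RFC 4880 5.5.2) ---
def build_v4_rsa_public_key_body(created: int, n: int, e: int) -> bytes:
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + encode_mpi(n) + encode_mpi(e)


def parse_v4_public_key(packet: bytes) -> dict:
    tag, hdr_len, body_len = parse_packet_header(packet)
    if tag != PUBLIC_KEY_TAG:
        raise ValueError(f"expected public-key packet (tag 6), got tag {tag}")
    body = packet[hdr_len:hdr_len + body_len]
    if body[0] != 4:
        raise ValueError(f"only v4 keys are handled here, got v{body[0]}")
    created = struct.unpack(">I", body[1:5])[0]
    algo = body[5]
    mpis, off = [], 6
    while off < len(body):  # the remaining octets are the algorithm-specific MPIs
        value, off = decode_mpi(body, off)
        mpis.append(value)
    return {"version": 4, "created": created, "algorithm": ALGO_NAMES.get(algo, algo),
            "mpis": mpis, "body": body}


# --- Fingerprint and key IDs (RFC 4880 12.2) ---
def fingerprint_v4(body: bytes) -> str:
    # v4 fingerprint = SHA-1(0x99 || two-octet body length || body)
    return hashlib.sha1(bytes([0x99]) + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_ids(fingerprint: str):
    # long key ID = low 64 bits of the fingerprint, short key ID = low 32 bits
    return fingerprint[-16:], fingerprint[-8:]


# Constructed toy key: n = 61 * 53, e = 17, creation time July 2020 (not a real key)
TOY_PACKET = build_old_format_packet(PUBLIC_KEY_TAG,
                                     build_v4_rsa_public_key_body(0x5F000000, 3233, 17))

if __name__ == "__main__":
    info = parse_v4_public_key(TOY_PACKET)
    fpr = fingerprint_v4(info["body"])
    long_id, short_id = key_ids(fpr)
    print(info["algorithm"], info["created"], info["mpis"])
    print("fingerprint:", " ".join(fpr[i:i + 4] for i in range(0, 40, 4)))
    print("long key ID:", long_id, "short key ID:", short_id)
```

The parser stops at the public-key packet; a real key file continues with User ID, signature and subkey packets framed the same way, so `parse_packet_header` can be reused to walk them. Because the key ID is nothing more than the tail of the fingerprint, any two keys whose fingerprints happen to share the last 8 or 16 hex digits present the same ID, which is why the article recommends comparing the full fingerprint.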
4. User IDs (UIDs)
A public key can contain one or more User IDs, which associate the key with a person’s identity.
Typical User ID format:
Full Name (optional comment) <email@example.com>
Examples:
Alice Smith <alice@example.com>
Alice Smith (Work Key) <alice@company.com>
Multiple identities can be attached to the same key.
5. Self-Signatures
Each User ID is usually accompanied by a self-signature created using the private key.
Self-signatures confirm that the key owner asserts the association between the key and the identity.
Self-signatures also store important metadata such as:
- preferred encryption algorithms
- preferred hash algorithms
- preferred compression methods
- key expiration time
6. Third-Party Signatures
Other users can sign a public key to attest that they have verified the identity of the key owner. These signatures are called certifications or third-party signatures.
This forms the foundation of the PGP Web of Trust, where trust relationships between users help verify identities.
7. Subkeys
A PGP key can include additional keys called subkeys. Subkeys allow different cryptographic operations to be separated for security and flexibility.
Common subkey types include:
- Encryption subkey
- Signing subkey
- Authentication subkey
Using subkeys allows the primary key to remain offline while operational keys are used for daily tasks.
8. Key Capabilities and Flags
Keys include flags that indicate what operations they support, such as:
- Signing
- Encryption
- Authentication
- Certifying other keys
These flags guide software in selecting the correct key for each operation.
9. Key Creation and Expiration Information
Each key contains metadata including:
- Creation date
- Expiration date (optional)
Expiration helps limit the long-term risk if a key becomes compromised.
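The metadata described in sections 5, 8 and 9 (algorithm preferences, key flags, expiration) lives in the subpacket area of the self-signature rather than in the key packet itself. The following added Python example (not code from the original article) decodes a constructed subpacket area per RFC 4880 section 5.2.3 and shows how a key expiration time, stored as seconds after key creation, is turned into an absolute expiry check. The subpacket bytes are constructed for illustration and are not from a real key.

```python
"""Added example (not from the original article): decode the subpacket area
of a self-signature into key flags, expiration and algorithm preferences.
The subpacket bytes are constructed, not taken from a real key."""
import struct

# Subpacket type numbers (RFC 4880 5.2.3.1)
SIG_CREATION_TIME = 2
KEY_EXPIRATION_TIME = 9
PREF_SYMMETRIC = 11
PREF_HASH = 21
PREF_COMPRESSION = 22
KEY_FLAGS = 27

KEY_FLAG_NAMES = {0x01: "certify", 0x02: "sign", 0x04: "encrypt-communications",
                  0x08: "encrypt-storage", 0x10: "split-key", 0x20: "authenticate",
                  0x80: "group-key"}
SYMMETRIC_NAMES = {2: "TripleDES", 7: "AES-128", 8: "AES-192", 9: "AES-256"}
HASH_NAMES = {2: "SHA-1", 8: "SHA-256", 9: "SHA-384", 10: "SHA-512"}
COMPRESSION_NAMES = {0: "Uncompressed", 1: "ZIP", 2: "ZLIB", 3: "BZip2"}


def iter_subpackets(area: bytes):
    """Yield (type, critical, data) for each subpacket in a subpacket area.

    The length field counts the type octet plus the data; it is 1, 2 or 5
    octets long depending on its first octet, like new-format packet lengths."""
    off = 0
    while off < len(area):
        first = area[off]
        if first < 192:
            length, off = first, off + 1
        elif first < 255:
            length, off = ((first - 192) << 8) + area[off + 1] + 192, off + 2
        else:
            length, off = struct.unpack(">I", area[off + 1:off + 5])[0], off + 5
        type_octet = area[off]
        yield type_octet & 0x7F, bool(type_octet & 0x80), area[off + 1:off + length]
        off += length


def decode_self_signature(area: bytes) -> dict:
    info = {}
    for sp_type, critical, data in iter_subpackets(area):
        if sp_type == KEY_FLAGS:
            # Only the first flag octet carries the capabilities defined so far.
            info["key_flags"] = [name for bit, name in KEY_FLAG_NAMES.items() if data[0] & bit]
        elif sp_type == KEY_EXPIRATION_TIME:
            # Stored as seconds after the key's creation time, not an absolute date.
            info["key_expiration_seconds"] = struct.unpack(">I", data)[0]
        elif sp_type == SIG_CREATION_TIME:
            info["signature_created"] = struct.unpack(">I", data)[0]
        elif sp_type == PREF_SYMMETRIC:
            info["preferred_symmetric"] = [SYMMETRIC_NAMES.get(b, f"unknown({b})") for b in data]
        elif sp_type == PREF_HASH:
            info["preferred_hash"] = [HASH_NAMES.get(b, f"unknown({b})") for b in data]
        elif sp_type == PREF_COMPRESSION:
            info["preferred_compression"] = [COMPRESSION_NAMES.get(b, f"unknown({b})") for b in data]
        elif critical:
            # A critical subpacket we cannot interpret makes the signature unusable.
            raise ValueError(f"unknown critical subpacket type {sp_type}")
    return info


def key_expiry_timestamp(key_created: int, info: dict):
    delta = info.get("key_expiration_seconds")
    return None if delta is None else key_created + delta


def key_is_expired(key_created: int, info: dict, now: int) -> bool:
    expiry = key_expiry_timestamp(key_created, info)
    return expiry is not None and now >= expiry


# Constructed subpacket area (hex): each entry is length, type, data.
TOY_SUBPACKETS = bytes.fromhex(
    "05025f000000"   # signature creation time
    "021b03"         # key flags: certify + sign
    "050903c26700"   # key expiration: 63072000 s (two years) after key creation
    "040b090807"     # preferred symmetric: AES-256, AES-192, AES-128
    "03150a08"       # preferred hash: SHA-512, SHA-256
    "03160201"       # preferred compression: ZLIB, ZIP
)

if __name__ == "__main__":
    KEY_CREATED = 0x5F000000  # constructed creation time matching the signature above
    info = decode_self_signature(TOY_SUBPACKETS)
    for k, v in info.items():
        print(f"{k}: {v}")
    print("expires at:", key_expiry_timestamp(KEY_CREATED, info))
    print("expired now?", key_is_expired(KEY_CREATED, info, KEY_CREATED + 63072000 + 1))
```

Two practical points the decoder makes visible: the key flags of a subkey are found in its binding signature, not in the subkey packet, and an expiration date is always relative to the creation time stored in the key packet, so both packets are needed to answer "has this key expired?".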
10. Revocation Information
Public keys may also include revocation data indicating that the key should no longer be trusted.
Revocation may occur if:
- the private key is compromised
- the owner loses access to the key
- the key is replaced with a new one
Revocation certificates are often generated when the key is created.
Information Contained in a PGP Private Key
A PGP private key contains all of the information found in the public key plus the secret cryptographic components required for decryption and signing.
Because of this, the private key must always remain confidential.
1. Private Key Material
The private key contains secret parameters required for cryptographic operations.
For example:
RSA Private Key Components
- private exponent (d)
- prime factors (p and q)
- CRT parameters for optimized decryption
Elliptic Curve Private Key
- private scalar value
These values enable:
- decrypting encrypted messages
- generating digital signatures
If an attacker obtains this information, they can impersonate the key owner.
2. Embedded Public Key Information
A private key also includes the public key data so that applications can reconstruct the full key pair.
This means the private key file typically contains:
- public key material
- fingerprint
- user IDs
- signatures
- subkeys
- metadata
3. Passphrase Protection
Private keys are normally encrypted using a passphrase.
Protection mechanisms include:
- symmetric encryption (commonly AES)
- string-to-key (S2K) algorithms
- salted hashing to derive encryption keys
This prevents an attacker who obtains the key file from using the private key without also knowing the passphrase.
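To show what the S2K mechanism above actually does with a passphrase, here is an added Python example (not code from the original article). It decodes the protection fields that precede the encrypted secret MPIs in a version 4 secret-key packet and implements the iterated-and-salted S2K from RFC 4880 sections 3.7.1.3 and 5.5.3, including the coded count expansion and the multi-context trick used when the hash output is shorter than the cipher key. The specifier bytes and salt are constructed; the decryption of the MPIs themselves (AES in CFB mode with the derived key) is outside the standard library and is not shown.

```python
"""Added example (not from the original article): decode the S2K specifier
of a protected v4 secret key and derive the protection key from a passphrase
with iterated-and-salted S2K.  All byte values below are constructed."""
import hashlib

HASH_NAMES = {1: "md5", 2: "sha1", 8: "sha256", 9: "sha384", 10: "sha512"}
SYMMETRIC_KEY_LEN = {7: 16, 8: 24, 9: 32}   # AES-128 / AES-192 / AES-256
CIPHER_BLOCK_LEN = 16                        # AES block size, which sets the IV length


def s2k_decode_count(octet: int) -> int:
    """Expand the one-octet coded count into the number of octets to hash."""
    return (16 + (octet & 15)) << ((octet >> 4) + 6)


def s2k_iterated_salted(passphrase: bytes, salt: bytes, count_octet: int,
                        hash_name: str, key_len: int) -> bytes:
    if len(salt) != 8:
        raise ValueError("S2K salt must be exactly 8 octets")
    data = salt + passphrase
    # If salt+passphrase is longer than the count, it is still hashed once in full.
    count = max(s2k_decode_count(count_octet), len(data))
    full, tail = divmod(count, len(data))
    out = b""
    context = 0
    # When the key is longer than one digest, further digests are computed over
    # the same stream, each context preloaded with one more zero octet.
    while len(out) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * context)
        h.update(data * full)
        h.update(data[:tail])
        out += h.digest()
        context += 1
    return out[:key_len]


def parse_secret_key_protection(secret_part: bytes) -> dict:
    """Decode the S2K usage octet and specifier that precede the encrypted MPIs."""
    usage = secret_part[0]
    if usage == 0:
        return {"protected": False}
    if usage not in (254, 255):
        raise ValueError("legacy protection (usage octet = cipher id) is not handled here")
    sym_algo, s2k_type, hash_id = secret_part[1], secret_part[2], secret_part[3]
    if s2k_type != 3:
        raise ValueError(f"only iterated+salted S2K (type 3) is handled here, got {s2k_type}")
    salt = secret_part[4:12]
    count_octet = secret_part[12]
    iv = secret_part[13:13 + CIPHER_BLOCK_LEN]
    return {"protected": True,
            "checksum": "sha1" if usage == 254 else "two-octet",
            "sym_algo": sym_algo, "hash": HASH_NAMES[hash_id], "salt": salt,
            "count_octet": count_octet, "count": s2k_decode_count(count_octet),
            "iv": iv, "encrypted_offset": 13 + CIPHER_BLOCK_LEN}


def derive_protection_key(secret_part: bytes, passphrase: bytes) -> bytes:
    p = parse_secret_key_protection(secret_part)
    if not p["protected"]:
        raise ValueError("secret key is stored unencrypted")
    return s2k_iterated_salted(passphrase, p["salt"], p["count_octet"],
                               p["hash"], SYMMETRIC_KEY_LEN[p["sym_algo"]])


# Constructed specifier: usage 254 (SHA-1 checksum), AES-256, S2K type 3,
# SHA-256, an 8-octet salt, coded count 0x60 (65536 octets), 16-octet IV.
TOY_SECRET_PART = (bytes.fromhex("fe" "09" "03" "08" "0011223344556677" "60" + "aa" * 16)
                   + b"<encrypted MPIs would follow here>")

if __name__ == "__main__":
    p = parse_secret_key_protection(TOY_SECRET_PART)
    print({k: (v.hex() if isinstance(v, bytes) else v) for k, v in p.items()})
    key = derive_protection_key(TOY_SECRET_PART, b"constructed passphrase")
    print("derived AES-256 key:", key.hex())
```

The coded count is what makes a passphrase guess expensive: 0x60 expands to 65536 hashed octets, while the maximum 0xFF expands to about 65 million, so a key generated with a higher count costs an attacker proportionally more per guess. The salt ensures that two keys protected with the same passphrase still derive different encryption keys, and the usage octet tells the reader which integrity check (SHA-1 or a two-octet sum) follows the decrypted material.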
4. Secret Subkeys
Just as public keys include subkeys, private keys include the private components of those subkeys.
These may include:
- encryption subkey private material
- signing subkey private material
- authentication subkey private material
Each subkey can perform a specific cryptographic function.
5. Revocation Certificates
Some implementations store revocation certificates with the private key or generate them during key creation. These certificates allow the owner to invalidate the key if needed.
Key Differences Between Public and Private Keys
| Feature | Public Key | Private Key |
|---|---|---|
| Public key material | Yes | Yes |
| Private key material | No | Yes |
| User IDs | Yes | Yes |
| Key fingerprint | Yes | Yes |
| Subkeys | Yes | Yes |
| Signatures | Yes | Yes |
| Passphrase protection | No | Yes |
| Used for encryption | Yes | No |
| Used for decryption | No | Yes |
| Used for signing | No | Yes |
| Used for signature verification | Yes | Yes |
Why Understanding Key Contents Matters
Knowing what information exists inside PGP keys helps in several areas:
- Security auditing – verifying key integrity and trust
- Key management – rotating or revoking keys properly
- Troubleshooting encryption issues
- Understanding OpenPGP packet structures
- Designing secure key distribution systems
Developers and security engineers often inspect PGP keys using tools like:
```shell
gpg --list-keys
gpg --list-secret-keys
gpg --list-packets keyfile.asc
```
These commands reveal the internal structure of OpenPGP key packets.
Conclusion
PGP keys are more than just cryptographic numbers. They contain structured information including identity data, metadata, cryptographic parameters, trust signatures, and usage policies.
A public key contains the information required for encryption and identity verification, while a private key contains all of that data plus the secret components needed for decryption and signing.
Understanding these structures is essential for securely using PGP in real-world environments and managing cryptographic identities effectively.