PGP Desktop Home 9

PGP Desktop Home 9 has emerged as a powerhouse of a personal-security product after surviving ownership by four different companies, a U.S. government munitions lawsuit (dismissed), and benign neglect. PGP was released as Pretty Good Privacy in 1991. Ever since, PGP has worked best at encrypting communications. It’s been less successful at making encryption approachable for normal human beings.

This latest version of the product makes it much easier for average folk to ensure their communications and documents remain obscured from unintended eyes. PGP Personal 8.0 (   , April 2003 ) was a solid program that could deliver powerful and reliable encryption, but it had a confusing interface.

Version 9.0.1 improves the interface by consolidating it into a single PGP Desktop window. It also eases encryption through a new proxy process, and can now encrypt instant-message chats.

Public key at the center

At its heart, PGP Desktop manages very long encryption keys that protect your data en route. PGP uses public-key cryptography to enclose your documents, e-mail messages, virtual disks, and instant-message (IM) sessions in a so-far unbreakable wrapper.

In public-key cryptography, you create two keys as a pair; PGP offers a wizard to assist in making this pair. The private key is kept secure through a passphrase and stored on your computer. The public key should be widely distributed to people who will be sending you encrypted items. If someone sends you a message encrypted with your public key, you can only decrypt it using your private key.

PGP Desktop 9 creates, manages, publishes, and retrieves public keys; encrypts and decrypts documents, disks, or clipboard text with those keys; and uses those keys to sign or verify documents or the clipboard.

E-mail safety, with benefits

PGP Desktop 9’s e-mail encryption is now based on proxying, so PGP relays messages between any e-mail program that uses common e-mail protocols (POP, SMTP, or IMAP) and your Internet service provider’s mail server. This relieves PGP the company from having to provide plug-ins for each e-mail program, and it makes PGP the program much more flexible and more thoroughly protective.

Because PGP Desktop 9 acts as a proxy, it can now act on the contents of your e-mail using rules you define and a few rules PGP has included. For instance, the program can automatically encrypt any outgoing e-mail message that you mark with [PGP] in the subject line. And PGP decrypts incoming messages before they reach your inbox. (PGP Desktop Professional, priced for larger implementations, has a few additional features designed for corporate networks.)

More importantly, PGP can create an encrypted tunnel between itself and an ISP that offers secure e-mail connections. This encrypted tunnel relies on Secure Sockets Layer (SSL), the same technique used for secure Web sessions, but it’s erratically implemented in e-mail clients and mail servers alike. PGP spans these differences using technology from the company’s high-end Universal Server. In essence, it works–you don’t have to pull hair figuring out how to make it work.

The flaw in PGP’s method is that the program attempts to make a secure connection by default. If you already employ some form of secure e-mail, your connection will fail, and the messages reporting the failure are inexact. The setup process should take into account that a user might have a secure connection and offer appropriate setup advice.

Keep chats private

The new support in PGP for encrypting AIM and iChat sessions is adequate, and better than other encrypted alternatives. All participants must have PGP Desktop installed to take advantage of this feature, and the software protects chats between two people, and the files they transfer between them, but not audio and video or multiperson text IM.

One ease-of-use problem here is that the tools for handling IM don’t appear in the PGP Desktop window as a separate item under the PGP Messaging option. Instead, IM options are in the Preferences dialog’s Messaging pane, scattered about in the main window, and in an additional Advanced dialog.

Encrypt multitudes

PGP Desktop also includes its long-standing support for encrypted virtual disks. These disks are just like a normal disk image, but their contents are encrypted, so when you mount an encrypted virtual disk, you can’t use it without a key. Apple’s Disk Utility can create similar disks, but PGP Desktop provides lots of options for security, such as the dangerous, but potentially useful, ability to unmount a virtual disk even if some of its files are open.

PGP users can also verify that documents actually came from the person who created them, and vice versa. When you sign a document in PGP by selecting it via the File: Sign, a recipient of that signed file can verify both that the contents of the document are unchanged and that you, and not someone else, sent the file.

Macworld’s Buying Advice

PGP Desktop Home 9 is still not for every Mac user—you must have a real need for encryption to get use from it. But for the large audience PGP applies to, the program has never been more useful or relevant, or less intrusive. This product’s room to improve is around its ambitious edges.

Glenn Fleishman has used secure-key technologies since the late 1980s. He is a freelance journalist who contributes to The New York Times and The Economist.