Philip Zimmermann

Where to find OpenPGP implementations


First, where can you find the source code for PGP? For many years, the original code base of PGP was published in source code form, to facilitate peer review and build confidence in the user community that there were no back doors in PGP. This policy held during the years when I had control of publishing the PGP source code. But I left after PGP Corp was acquired in 2010 by Symantec. Later, in 2019, Broadcom acquired PGP from Symantec. This means the original Pretty Good Privacy code lineage is now in the hands of its sixth owner. First there was me, then PGP Inc (I was chairman and CTO of that company), then Network Associates, then PGP Corp, then Symantec, and now Broadcom. Broadcom does not offer a freeware version of PGP, and does not publish source code. Fortunately, there are a number of alternatives to the original PGP.


There are other implementations, many of them open source, that implement the current modern OpenPGP protocol standard, RFC 9580. You can find some providers of OpenPGP-compliant software at OpenPGP.org.

Here is a quick summary of a few current OpenPGP implementations.

Sequoia PGP


Sequoia PGP (https://sequoia-pgp.org) is a great implementation of the OpenPGP standard, RFC 9580, implemented in Rust, the leading memory-safe language. Sequoia PGP has a rich, ever-growing assortment of tooling to support the whole OpenPGP ecosystem. This includes a command line application that runs on a variety of Linux and Unix platforms, a well-featured key server for the OpenPGP community, and more than a dozen (at last count) other tools and applications. Sequoia PGP is open source under the LGPL license.

Other open source code stacks that implement RFC 9580


GopenPGP is an OpenPGP library implemented in Golang, conforming with RFC 9580, maintained by Proton's developers. GopenPGP is open source under the MIT license.

rPGP is a Rust implementation of OpenPGP, following RFC 9580. rPGP is open source under both the MIT and Apache licenses, available on GitHub.

PGPy is a Python library for implementing the OpenPGP protocol in Python programs, conforming to the OpenPGP specification. PGPy is open source under the BSD license.

OpenPGP.js is an OpenPGP-compliant JavaScript library. OpenPGP.js is open source under the LGPL license, available on GitHub.

PGPainless is a set of easy-to-use code wrappers built on top of the somewhat unwieldy Bouncy Castle Java library.


Email service providers based on OpenPGP

Proton Mail

Proton operates an OpenPGP-compliant encrypted email service called Proton Mail, accessible via an iPhone or Android app, or via a web browser. Proton also offers other services, including a VPN, encrypted cloud storage, and a password manager. They are based in Geneva, with a sizable team of cryptographic engineers, who are quite active in the OpenPGP protocol RFC 9580 standard working group. They also maintain the GopenPGP open source code library. Fun fact: The company was founded by particle physicists who worked at the Large Hadron Collider at CERN, hence the company name.

StartMail

StartMail is a web-based encrypted email service that encrypts and decrypts email in your browser. They are based in the Netherlands.

HushMail

HushMail, from Canada-based Hush Communications, is a web-based encrypted email service that encrypts and decrypts email in your browser. HushMail has evolved over the years, now focused mainly on serving the health care industry.


Older source code from PGP 2.6.2 from the 1990s


It is not recommended that you use ancient obsolete fossil versions of PGP from the 1990s. That old version is not safe to use today, because the MD5 hash algorithm was broken decades ago, and the key and message formats are no longer compatible with modern OpenPGP standards. Nonetheless, if you simply want to examine the source code from PGP 2.6.2 or 2.6.3, as a matter of historical curiosity, you can find it in a few places on the web by using search engines to look for "PGP 2.6.2 source code". MIT used to host it back in the 1990s, but I don't think they still have it today.

You can also try looking for the book, "PGP Source Code and Internals", published by The MIT Press, 1995. ISBN 0-262-24039-4 (no longer in print). Sometimes you can find it on eBay, or find used copies on Amazon in some countries. You can read the preface to this book here.