PGPResources

Resources for Pretty Good Privacy

Intro

If you've landed on this repo, I've assumed you've done your research on PGP/GPG; otherwise, please read the starred sections in "Resources". I have some advice here, combined with links (and my global configuration files) to make your journey into it a bit easier.

Recommended Keytypes

Based on information from respected researchers and raw information about PGP clients, here are the best public keytypes for most users:
RSA-3072 or RSA-4096, Ed25519 (about equivalent in security to RSA-3072), Ed448 and BrainpoolP512r1 (not for ProtonMail)

Rationale for Keytypes

RSA is a longly-held standard to the point where it is supported by any modern PGP client. 3000+ is the current recommended keysize for that. However, most systems use mutliples of 1024, so that really means 3072 or 4096 in practice.
Regarding ECC, the Edwards curves -- Ed25519 and Ed448 -- is recommended for most users, if one has a choice of curves (vs a compliance reason). Ed25519 is similar in cryptanalytic strength (by classical computers) to RSA-3072, but with a smaller key size. Ed448 exceeds RSA-4096 by a large margin. Indeed, in modern versions of GNU Priavcy Guard, these are at the top of the list for ECC! The primary disadvantage of Edwards curves is that most PGP smartcards don't support them (Yubikey 5 currently supports Ed25519). The original PGP program, now called PGP Command Line, supports less ECC algorithms than the others (namely GPG and ProtonMail). That program seems to be geared towards corporations vs individuals, though.
NIST and BSI (German Government) each have their own standard curves, so if you're using PGP in a situation like that, the choices for type and perhaps size has already been made for you. There are some concerns raised by
Daniel J. Bernstein about the NIST curves and the smaller Brainpool curves. The largest Brainpool curve, BrainpoolP512r1, is more for individuals who actually need a reliable 512-bit ECC curve which allows for a public key security margin equivalent to AES-256. However there are compatibility issues with ProtonMail (which a large population uses), which means you might not want to use it.
Finally, if you're really concerned about quantum computing, then RSA is a better hedge against it compared to ECC. Then again, GPG just supported Kyber+ECC in its newest stable version, 2.5.16. My position is that I'm more concerned about ID theft than major governments potentially reading my emails via a quantum computer, so ECC is better for my use case (I use BrainpoolP512r1.).

Rationale for AES

Why is AES preferred? AES was standardized via an open competiton near the turn of the last century -- just like Kyber in recent years -- and most cryptographers prefer it to this day over other symmetric encryption schemes. In particular, AES-256 is the "gold standard" of encryption.

Rationale for SHA-2/3

SHA-1 will be not be allowed by NIST (for US Govenment use) as of 2030. RIPEMD-160 is the same size as SHA-1. The newer, safe generations of hash algorithms are SHA-2 (SHA-224, SHA-256, SHA-384, SHA-512) and SHA-3. SHA-224 is not as safe as it used to be due to quantum computing risks.

Resources

Basic*

Phil Zimmermann on PGP
Email Self-Defense webpage
Thunderbird Mail Client (PGP client built-in)
ProtonMail

Intermediate*

GPG4Win
Glossary of GPG FAQ

Advanced

GPG Options

Guru

LibrePGP
OpenPGP

Scientist

A Review Paper on Cryptography
Ed448-Goldilocks, a new elliptic curve
NIST Post-Quantum Cryptography Standards