How do I negotiate a session key with the email recipient? It's a single transmission? Otherwise it's a one-time pad perhaps - but then that defeats the point of the public key?
Would you mind expanding on this, as it is an interesting area?
A random key is used to encrypt the email, then that random key is asymmetrically encrypted using the recipient's public RSA key. You do not use your own key to encrypt mails to someone else. Indeed, you can send encrypted emails without even having a key of your own.
And yes, that's what he says in the original Latacora post.
I read the article: "invariably CC the quoted plaintext of your encrypted message to someone else (we don’t know a PGP email user who hasn’t seen this happen)"
So I made the (incorrect) leap to PGP using the long-term key to encrypt files. My bad.
But this does not fix the original point it seems - email is not going to be "secure" any time soon. But you can send encrypted files over email to people.
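The scheme described earlier in this thread (a random per-message key, itself encrypted under the recipient's RSA public key, sent in one transmission), as an added example that is not part of any poster's comment. It assumes the Python `cryptography` package and uses RSA-OAEP with AES-GCM as stand-ins for the structure only; OpenPGP's packet format and algorithms differ, and the function names are illustrative.

```python
import os
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Padding used to wrap the session key (assumption: chosen for this sketch,
# not what OpenPGP specifies).
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def encrypt_for(recipient_public_key, plaintext: bytes) -> dict:
    """Sender side: takes only the recipient's public key, no sender key."""
    session_key = AESGCM.generate_key(bit_length=256)  # fresh for every message
    nonce = os.urandom(12)
    body = AESGCM(session_key).encrypt(nonce, plaintext, None)
    # The session key travels inside the same message, readable only by
    # the holder of the matching private key. Nothing is negotiated.
    wrapped_key = recipient_public_key.encrypt(session_key, OAEP)
    return {"wrapped_key": wrapped_key, "nonce": nonce, "body": body}


def decrypt(recipient_private_key, message: dict) -> bytes:
    """Recipient side: unwrap the session key, then decrypt the body."""
    session_key = recipient_private_key.decrypt(message["wrapped_key"], OAEP)
    return AESGCM(session_key).decrypt(message["nonce"], message["body"], None)


def new_recipient_key():
    """Constructed throwaway key pair standing in for the recipient's key."""
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


if __name__ == "__main__":
    recipient = new_recipient_key()
    msg = encrypt_for(recipient.public_key(), b"constructed sample message")
    print(decrypt(recipient, msg))
```

Encrypting the same text twice yields different wrapped keys and bodies, since each message gets its own session key; the long-term RSA key only ever encrypts that short key, never the message itself.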