Sending an encrypted PGP email to someone who doesn't yet have my public key

They don't need your public key at all to decrypt.

You need their public key to encrypt the message, which they decrypt with their private key. The only thing they need your public key for is to verify that the message comes from you. In that sense it doesn't make sense to attach your public key, unless, for instance, you plan to confirm fingerprints over the phone soon after.


In the asymmetric encryption scheme you can achieve two things:

  • message confidentiality: this is done by using someone's public key to encrypt a message. Only the owner of the private key can decrypt the message.
  • message authentication: this is done by using your own private key to sign a message. Anyone with the public key can verify the signature of the message.

However, this problem is hindered by the fact that getting the right public key is somehow difficult. If someone was to attack the communication channel through which you pass the key, you could be fooled into thinking that the attacker's own key is your recipient's key. So in order to achieve authentication, you need to verify the public key first.

This is usually done through the "web of trust". If you cannot get the key from hand to hand, you look for someone you already trust (and have a trusted key for) who can vouch for your recipient. If that third person already has a key for your recipient that he trusts, he can sign it for you. This way, you can assess that the key is the good one by verifying your trusted third person's signature. By transitivity you now have a trusted key for your new recipient.

In your particular case: if you send your public key in the email, the recipient will have no way to verify that you are who you claim to be. For all he knows, you could be an attacker trying to impersonate someone else and forging key pairs.


I had the same question and after some thought I think it's correct to send your public key as long as you encrypt as well.

So encrypt the following with your receiver's public key:

  • your message
  • your public key at the bottom

That way when they decrypt it, they will see your message and your public key. This way the receiver of your message can also reply to you securely, using your public key to encrypt their reply to you.
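As an added example that is not part of any of the answers above, this shell script builds two throwaway GnuPG keyrings (the names, addresses and temp paths are made up) and walks through the third answer's approach: Alice encrypts her message plus her own public key to Bob and signs it. gpg's machine-readable status lines then show the second answer's point: Bob can decrypt immediately, the signature verifies only after he imports the enclosed key, and even then gpg reports the key's trust as undefined because nobody has checked its fingerprint.

```shell
#!/bin/sh
# Added example (not from the original thread). Two throwaway GnuPG keyrings,
# "Alice" and "Bob", live under a temp dir; identities are constructed.
set -eu

gpg_as() {  # gpg_as <homedir> <gpg args...>: run gpg against one throwaway keyring
  gpg_home="$1"; shift
  gpg --homedir "$gpg_home" --batch --quiet --pinentry-mode loopback --passphrase '' "$@"
}

pgp_exchange_demo() {
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to demonstrate"; return 0; }
  work=$(mktemp -d); alice="$work/alice"; bob="$work/bob"
  mkdir -p "$alice" "$bob"; chmod 700 "$alice" "$bob"
  trap 'gpgconf --homedir "$alice" --kill gpg-agent 2>/dev/null || true;
        gpgconf --homedir "$bob" --kill gpg-agent 2>/dev/null || true; rm -rf "$work"' EXIT

  gpg_as "$alice" --quick-generate-key "Alice <alice@example.invalid>" default default never
  gpg_as "$bob"   --quick-generate-key "Bob <bob@example.invalid>"     default default never

  # Alice already holds Bob's public key (obtained out of band; here just exported).
  gpg_as "$bob" --export --armor bob@example.invalid > "$work/bob.pub"
  gpg_as "$alice" --import "$work/bob.pub"

  # Third answer: body = message + Alice's public key, encrypted to Bob, signed by Alice.
  { echo "Hello Bob, this is the confidential message."; echo
    gpg_as "$alice" --export --armor alice@example.invalid; } > "$work/body.txt"
  # --trust-model always skips the fingerprint check on Bob's key that the answers call for.
  gpg_as "$alice" --trust-model always --recipient bob@example.invalid \
    --sign --encrypt --armor --output "$work/msg.asc" "$work/body.txt"

  # Bob decrypts: confidentiality works, but the signature cannot be checked yet (NO_PUBKEY).
  gpg_as "$bob" --status-fd 1 --decrypt --output "$work/received.txt" "$work/msg.asc" \
    > "$work/status1.txt" 2>/dev/null || true
  grep -q '^\[GNUPG:\] NO_PUBKEY' "$work/status1.txt" || { echo "expected NO_PUBKEY"; return 1; }

  # Bob pulls Alice's key out of the decrypted body and imports it ...
  sed -n '/^-----BEGIN PGP PUBLIC KEY BLOCK-----/,/^-----END PGP PUBLIC KEY BLOCK-----/p' \
    "$work/received.txt" | gpg_as "$bob" --import
  # ... now the signature verifies (GOODSIG), yet the key is still unverified: TRUST_UNDEFINED
  # is gpg stating the second answer's point that an emailed key proves nothing by itself.
  gpg_as "$bob" --status-fd 1 --decrypt --output /dev/null "$work/msg.asc" \
    > "$work/status2.txt" 2>/dev/null || true
  grep -q '^\[GNUPG:\] GOODSIG' "$work/status2.txt" || { echo "expected GOODSIG"; return 1; }
  grep -q '^\[GNUPG:\] TRUST_UNDEFINED' "$work/status2.txt" || { echo "expected TRUST_UNDEFINED"; return 1; }
  echo "decrypted; signature checks only after importing the enclosed key; key trust undefined"
}

pgp_exchange_demo
```

Running it takes a few seconds because four keys are generated; the trap removes the keyrings and stops the agents when the shell exits.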