PGP and enterprise file encryption: where the governance gap is


(@nhi-mgmt-group)

TL;DR: PGP remains widely used for protecting sensitive enterprise files, but SSH Communications Security argues it creates operational friction through manual key management, weak trust verification, poor collaboration, and limited fit with onboarding, offboarding, and audit processes. The enterprise problem is not encryption strength alone, but whether identity, policy, and compliance can govern file access at scale.

NHIMG editorial — based on content published by SSH Communications Security: why PGP fails enterprise file security and what to use instead

Questions worth separating out

Q: How should security teams govern encrypted file access in enterprise environments?

A: Security teams should anchor encrypted file access in authoritative identity systems, policy rules, and lifecycle controls.

Q: Why do manual trust models fail for enterprise file encryption?

A: Manual trust models fail because they depend on consistent human verification across a large and changing population of users and partners.

Q: What breaks when users manage their own encryption keys?

A: The key lifecycle. When each user generates, distributes, rotates, and revokes their own keys, there is no central record of which keys still open which files, so onboarding, offboarding, and audit cannot be enforced from the identity system.

Practitioner guidance

  • Map file encryption to authoritative identity sources: use Active Directory or LDAP as the control point for who can open confidential files, and remove user-managed key exchange from the normal workflow.
  • Replace manual trust checks with policy-driven access rules: define which data classifications can be opened by which approved identities, then enforce those rules centrally instead of relying on users to verify key fingerprints.
  • Build encryption into offboarding and audit routines: ensure key revocation, partner removal, and access evidence are part of the same lifecycle workflow.
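The three guidance points above fit together as one access-decision path. The Python below is an added illustration written for this post, not code from NHIMG or from SSH Communications Security's product: the directory (DIRECTORY), the classification policy (POLICY), the local keyring (LOCAL_KEYRING) and the functions authorize, offboard, keyring_trust_check and access_evidence are all hypothetical, in-memory stand-ins for AD/LDAP, a policy service and a user's PGP keyring. It shows a central decision that consults the directory on every open, an offboarding step that ends access without touching any key, an audit trail produced by the same path, and, beside it, the per-user fingerprint check that keeps trusting an offboarded holder.

```python
"""Added illustration: directory-anchored, policy-driven access to encrypted files,
with offboarding and audit evidence in the same lifecycle, beside a PGP-style
local keyring check. All data below is constructed; nothing here is the
product or code described in the SSH Communications Security article."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

# Constructed stand-in for an authoritative directory (AD/LDAP): identity -> attributes.
DIRECTORY = {
    "alice@example.com": {"enabled": True, "groups": {"staff", "finance"}},
    "bob@example.com": {"enabled": True, "groups": {"staff"}},
    "partner@acme.example": {"enabled": True, "groups": {"partner-acme"}},
}

# Classification policy: which directory groups are approved to open which class of file.
POLICY = {
    "public": {"staff", "partner-acme"},
    "internal": {"staff"},
    "confidential": {"finance"},
}

# Constructed stand-in for one user's local PGP keyring: fingerprint -> key holder.
# In the PGP model this keyring, not the directory, is what the sender trusts.
LOCAL_KEYRING = {
    "3A1F 9C4E 7D2B 0E58 6F91  2C43 8B7A 5D6E 1F0A 9B2C": "bob@example.com",
}


@dataclass(frozen=True)
class AuditEvent:
    when: str
    identity: str
    action: str
    resource: str
    allowed: bool
    reason: str


AUDIT_LOG: List[AuditEvent] = []


def _record(identity: str, action: str, resource: str, allowed: bool, reason: str) -> None:
    stamp = datetime.now(timezone.utc).isoformat()
    AUDIT_LOG.append(AuditEvent(stamp, identity, action, resource, allowed, reason))


def authorize(identity: str, classification: str, file_name: str) -> bool:
    """Central decision: directory state and policy decide, not the user.
    Every outcome, allowed or denied, is written to the audit log as evidence."""
    entry = DIRECTORY.get(identity)
    approved = POLICY.get(classification, set())
    if entry is None:
        allowed, reason = False, "identity not in directory"
    elif not entry["enabled"]:
        allowed, reason = False, "identity disabled"
    elif not (entry["groups"] & approved):
        allowed, reason = False, f"no approved group for {classification}"
    else:
        group = sorted(entry["groups"] & approved)[0]
        allowed, reason = True, f"group {group} approved for {classification}"
    _record(identity, "open", file_name, allowed, reason)
    return allowed


def offboard(identity: str) -> None:
    """Offboarding step: disabling the directory identity ends access to every
    policy-governed file at once; no per-file re-encryption, no key hunting."""
    entry = DIRECTORY[identity]
    entry["enabled"] = False
    entry["groups"] = set()
    _record(identity, "offboard", "*", False, "identity disabled by lifecycle workflow")


def keyring_trust_check(fingerprint: str) -> Optional[str]:
    """PGP-style check: trust rests on a fingerprint the user once verified and
    stored locally. Nothing here consults the directory, so an offboarded holder's
    key stays trusted until every keyring that holds it is edited by hand."""
    return LOCAL_KEYRING.get(fingerprint)


def access_evidence(identity: str) -> List[AuditEvent]:
    """Audit query: every decision recorded for one identity, in order."""
    return [e for e in AUDIT_LOG if e.identity == identity]


if __name__ == "__main__":
    print(authorize("alice@example.com", "confidential", "q3-forecast.xlsx.enc"))
    print(authorize("bob@example.com", "confidential", "q3-forecast.xlsx.enc"))
    offboard("bob@example.com")
    print(authorize("bob@example.com", "public", "handbook.pdf.enc"))
    print(keyring_trust_check(next(iter(LOCAL_KEYRING))))
    for e in access_evidence("bob@example.com"):
        print(e.action, e.resource, e.allowed, e.reason)
```

The point to notice is the last two calls in the script: after offboard, authorize denies bob even a public file and records why, while keyring_trust_check still returns bob, because the fingerprint check has no lifecycle hook. In a real deployment authorize would query AD/LDAP and a policy store instead of the constructed dictionaries, and the audit log would be shipped to the evidence store the compliance process already reads.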

What's in the full article

SSH Communications Security's full article covers the operational detail this post intentionally leaves for the source:

  • The specific friction points users face when handling PGP keys in day-to-day enterprise workflows.
  • The directory integration approach for internal users and external partner access.
  • The compliance, onboarding, and offboarding implications of moving encryption into identity systems.
  • The product framing for teams comparing supported encryption workflows against DIY PGP tooling.

👉 Read SSH Communications Security's analysis of why PGP breaks enterprise file security →

