The NSA has likely harvested and cached thousands of PGP secret keys from passive monitoring of internet links public and private (Google famously failed to use encryption on internal WAN links for a long time), active exploitation of host and workstation systems, and bulk exfiltration of nonpublic data from service providers (think stored records: emails and files).

(Unrelated: As well as TLS long term keys, passwords, hashes, usernames, and any other kind of metadata or secrets that may be useful one day in the future, if nothing more than for dictionary attack prefix/suffix fodder.)

I wouldn’t be surprised if they have some more creative secret key sources too: stolen and glitched smart cards, laptops that disappeared out of targets’ cars, tossed offices via evil maid, dumpster diving, all of it, including some I probably haven’t thought of because I’m a computer nerd and not a military intelligence cloak-and-dagger type.

Put all the recovered secrets into a big ol’ database, because disk is cheap and keys are small. Keep it for all time, Just In Case.

Of course, there is a request system frontending this capability.

There are many PGP messages they can decrypt, simply because they slurped up the specific private keys for those messages at some point, and simply saved every secret key, hash, or password that they ever saw, as a general organizational policy.

That doesn’t mean they have broken PGP.