PGP Key Generator & Encrypt / Decrypt
A PGP toolkit that runs entirely in your browser. Generate a fresh OpenPGP key pair (RSA 2048/4096 or modern Curve25519), then use the same page to encrypt messages to a recipient, decrypt messages addressed to you, or sign and verify text. Output is the standard OpenPGP format that works with GnuPG, Thunderbird, ProtonMail, Kleopatra, Mailvelope and any other compliant tool — no lock-in. Useful when you need to send one encrypted message without installing GnuPG, or generate a key pair on a borrowed machine that you'll then move to your own.
How to use
Enter your name, email, and a strong passphrase. Pick Curve25519 for new keys (fast), or RSA 4096 if you need maximum compatibility with older tools.
Copy or download the "-----BEGIN PGP PUBLIC KEY BLOCK-----" output. Publish it on your website, send via email, or upload to a keyserver. The public key is meant to be public.
Switch to the Encrypt tab. Paste a recipient's public key and the message. The output is a "-----BEGIN PGP MESSAGE-----" block — only the recipient (with their private key) can decrypt it.
Switch to the Decrypt tab. Paste the encrypted message, your private key, and your passphrase. The plaintext appears below.
Generate a PGP / OpenPGP key pair and encrypt, decrypt, sign or verify messages — directly in your browser tab
🔒 How the cryptography is wired
- Key material is drawn from your browser's cryptographically secure random source — never Math.random.
- Key generation, encryption, decryption and signing all run inside your browser tab, on your CPU.
- Your passphrase stays on the device — it is used locally to protect the private key and is not transmitted.
- For an air-gap, load the page once with a connection, then disconnect before generating long-term keys — the toolkit keeps working offline from the service-worker cache.
- Save your private key and passphrase securely; losing either makes the key permanently unrecoverable.
Features
FAQ
Does my private key or passphrase leave my device?
No. Everything — key generation, encryption, decryption, signing — runs inside your browser tab on your CPU. The private key and passphrase live only in tab memory and are gone when you close it. For long-term identity keys, load the page once, then disconnect from the network before generating — the toolkit keeps working offline.
Which algorithm should I pick?
Curve25519 for new keys: ~128-bit security, much smaller keys, generates instantly. RSA 4096 if you need to communicate with older systems that don't support modern ECC. RSA 2048 only for legacy compatibility — current guidance (NIST, BSI) recommends at least 3072 bits.
Can I import my existing key?
Yes. On Encrypt / Decrypt / Sign / Verify tabs, paste your existing OpenPGP key block. The page does not save it — only uses it for the current operation.
What if I forget my passphrase?
The private key becomes unusable. There is no recovery — that's the point of strong encryption. Save the passphrase in a password manager when you generate the key.
Is this compatible with GnuPG / Thunderbird / ProtonMail?
Yes. The output is the standard OpenPGP format (RFC 4880 / 9580). Decrypts with GnuPG, Thunderbird's built-in OpenPGP, Kleopatra, ProtonMail, Mailvelope, and any other compliant tool.
Why does Curve25519 generate instantly while RSA 4096 takes 10+ seconds?
RSA has to randomly sample large integers and test each for primality until it finds two suitable primes — a slow trial-and-error process. Curve25519 just picks a random integer in a known valid range, no primality test required.
We can — and it's free! Just send us a quick message with your idea. If you'd like to discuss it in detail, leave your email and we'll get back to you. You can stay anonymous.
