PGP in your browser.
Nothing leaves it.
Six OpenPGP tools that run entirely on your machine. Keys, messages, and passphrases are processed locally by OpenPGP.js served from this site — the page's security policy blocks every third-party request. Open devtools and watch the network tab stay quiet.
Encrypt a message so only the intended recipient can read it — with their public key, or with a shared passphrase (symmetric encryption). Output is ASCII-armored, ready to paste anywhere.
Also sign the message (optional)
Decrypt an armored PGP message with your private key, or with the passphrase it was encrypted to. Optionally paste the sender's public key to verify their signature at the same time.
Verify the sender's signature (optional)
Prove a message or file came from you and hasn't been altered.
Clearsigning wraps readable text in a signature;
a detached signature is a separate .sig
file that travels alongside the original.
Check that a signature is genuine. Paste a clearsigned message, or a detached signature plus the original text or file, along with the signer's public key. Any tampering — even a single character — makes verification fail.
Paste any PGP key — public or private — and see exactly what's inside: fingerprint, algorithm, user IDs, expiry, and every subkey with its capabilities. Private keys are parsed for structure only; secret material never leaves your browser.
Generate a fresh OpenPGP keypair — Ed25519/Curve25519 by default, the same modern algorithms PGPony uses. You'll get a public key to share, a private key to guard, and a revocation certificate to store somewhere safe.
Don't trust. Verify.
Open your browser's developer tools, switch to the Network tab, and use any tool above. After the page loads its own files, no further requests occur while you encrypt, decrypt, sign, or generate — the Content-Security-Policy on this page makes third-party requests impossible, and you can read that policy in the response headers.
The cryptography is OpenPGP.js
version 6.3.1, served from this domain, unmodified — SHA-256
9736f49e81790af972029cd8416a8f9e5be7c4bddfb041676ab93fcad8332f5e.
Compare it against the official release yourself. For the strongest guarantee,
download the offline copy,
disconnect from the internet, and run everything from a local file.
One honest footnote: like every page on this site, clicking an App Store / Play Store link sends a single first-party counting beacon (no cookies, no identifiers, just "someone clicked iOS"). That is the only network request this page can make after loading, and the crypto tools never trigger it.