Advanced client-side PGP tools — single-file. Run locally for best security.
OpenPGP: (loading...)
RNG: crypto.getRandomValues
Keys
Encrypt
Decrypt
Sign
Verify
Tools
Audit
Password Generator
Help
Status: initializing...
Key Management
Generate Keypair
Invalid email format
Advanced options
Passphrase should be 8+ characters
Revocation cert can be generated after creating keys. For best security run this file locally with openpgp.min.js placed beside it.
Public Key
Private Key
Revocation Certificate
App Configuration (export/import)
Export your preferences & settings to an encrypted file.
Encrypt (text & files)
Provide at least one valid recipient public key or use a symmetric password.
Advanced / Symmetric options
Drag & drop files here
Ciphertext
Decrypt (text & files)
Drag & drop encrypted .asc files here
Decrypted
Sign (detached)
Signature
Verify
Tools
Import key file
Drop a .asc/.txt file to auto-fill fields
Passphrase change
Recipients manager (encrypted)
Fingerprint
Audit
Local activity log (optional)
Paranoid OPSEC Password Generator — Airgap Ready
Fully offline • Client-side only • No persistent storage • Verifiable file hash
Self-hash: calculating...
Generation Options
Advanced password options
(generator will choose length if set)
Passphrase options
This file does not use localStorage, service workers, cookies, or any network calls. Run from read-only media for air-gap use.
Output
—
Entropy: — bits
How entropy is calculated
For passwords: bits = length × log2(charset_size).
For passphrases: bits = words × log2(wordlist_size).
Ambiguous characters removed and custom charsets adjust the charset size.
Warning: likely leaked (Bloom filter positive) — treat as unsafe.
Verification & Tools
File SHA-256 fingerprint (verify before use):
calculating...
How to verify file hash
On macOS / Linux:
shasum -a 256 index.html
On Windows (PowerShell):
Get-FileHash index.html -Algorithm SHA256
On Windows (cmd.exe):
certutil -hashfile index.html SHA256
Compare the output to the displayed hash above. They must match exactly.
Optional: Load leaked Bloom filter
Built-in leaked check is conservative; load an expanded bloom to improve coverage.
Advanced OPSEC Features
Manual / Hardware Entropy
Roll dice or feed system jitter. These bytes are XOR-mixed into the RNG pool (best-effort).
Idle
Airgap / Print
Use Print (one-shot) for physical backups. After printing, all sensitive material is securely wiped from memory and DOM.
Help (Offline)
Best Practices
Use the built-in self-hash checker. Optionally host on localhost and place sw.js alongside this file to enable service-worker integrity notifications.
Run this tool locally (file://) on an offline or air-gapped machine for maximum security.
Protect your private key with a strong passphrase (8+ characters minimum; 12+ recommended).
Verify all public keys by fingerprint via an independent, trusted channel.
Store your revocation certificate in a different location from your keys.
Keep backups of your keys and certificates in at least two secure, offline locations.
Feature Overview
Key Management
Generate RSA (2048–4096 bits) and Ed25519 keypairs.
Configure expiration dates.
Download keys individually or bundled as ZIP.
Generate and manage revocation certificates.
Copy & Wipe function for on-screen and clipboard clearance.
Encryption
Encrypt text or multiple files with recipient public keys.
Symmetric encryption with optional password.
Drag-and-drop file encryption.
Decryption
Decrypt armored text or files.
Supports both public/private key and symmetric password decryption.
Drag-and-drop encrypted files.
Signing
Detached signature creation from messages or files.
Verification
Verify detached signatures against signer’s public key.
Tools
Import key files into active session.
Change passphrases on private keys.
Encrypted recipient vault with password protection.
Calculate key fingerprints and list user IDs.
Audit
Local activity log view & clear.
Password Generator
Password and passphrase modes with entropy calculation.
Adjustable charset, length, symbol inclusion, ambiguous character removal.
Diceware passphrase generation with EFF wordlist option.
Clipboard wipe and secure wipe functions.
Bloom filter support for leaked password detection (optional user-loaded filter).
File self-hash & verification instructions.
Advanced Utilities
Manual entropy mixing from dice or hardware jitter.
Air-gap and one-shot print mode.
Shamir secret sharing (2-of-3 demo).
Accessibility & Usability
Fully offline operation, no network calls.
Keyboard-accessible tabs and controls.
Secure clear hotkey (Ctrl+Shift+X).
Idle auto-clear for sensitive fields.
Encrypt vs. Sign vs. Verify
Encrypt uses the recipient’s public key; Sign uses your private key to produce a detached signature; Verify checks a signature against the signer’s public key.
Password Generator Tips
Prefer passphrases (4–6+ words) or 20+ character passwords from large charsets. Review the entropy estimate and avoid symbols if they reduce memorability without much entropy gain.