Create and verify detached PGP signatures

Sign any file type with a separate signature file. The original file stays byte-for-byte identical; the signature lives in a companion .sig (or .asc) file alongside it.

A detached signature is the right tool when you want to vouch for a file without altering it — releases, archives, ISOs, software builds, contracts. The signing operation produces a small .sig file that any verifier with your public key can use to confirm the file's integrity and authorship.

Drop the file you want to sign, paste your private key and passphrase, and download the resulting signature file. To verify, drop the original file, the .sig file, and the signer's public key — the tool reports a green check or a specific error.

Detached signatures are the OpenPGP standard for software distribution. Linux distros, Tor releases, GnuPG itself, and many more use detached .sig files alongside their tarballs. Your file plus the .sig plus the developer's public key is everything needed to prove a download is genuine.

Frequently asked questions

Why detached instead of clearsigned?
Clearsign wraps the content with the signature, which means the file is no longer the original. Detached keeps the file byte-identical — useful when downstream tools need the original (binary releases, archives, etc.).
Can I sign a file without ever loading it?
No — the signature is over a hash of the file, so the tool needs to read the file to compute the hash. The file is not transmitted anywhere; the read happens locally.
What is the .sig vs .asc extension?
Both work. .sig is a binary-format signature; .asc is ASCII-armored. PGP Tool produces ASCII-armored .sig files by default — readable, copy-paste-safe, and what most upstream verification scripts expect.
Does the verifier need the original file?
Yes. Detached signatures only confirm a file matches; they do not contain the file itself. Send both the original and the .sig.
How is this different from Notary?
Notary creates a self-contained certificate with the hash, timestamp, and signature in one block. Detached Sign produces a standard OpenPGP signature file — useful for tooling compatibility (curl/sha256sum/gpg --verify workflows).
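Because a .sig file can be either binary or ASCII-armored, a verification script should decide by content rather than by extension. The following is an added example, not PGP Tool's own code: it detects the encoding, checks the armor CRC-24, and reads the signature type and hash algorithm from a version 4 signature packet. The function names and the sample bytes are constructed for illustration.

```python
import base64
import re

HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512", 11: "SHA224"}
SIG_TYPES = {0x00: "binary document", 0x01: "canonical text document"}
ARMOR = re.compile(r"-----BEGIN PGP SIGNATURE-----\n(.*?)\n-----END PGP SIGNATURE-----", re.S)

def crc24(data: bytes) -> int:
    """CRC-24 of the armor checksum line (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def armor(raw: bytes) -> str:
    """Wrap binary packets in ASCII armor with a CRC-24 line (builds an armored sample)."""
    body, crc = (base64.b64encode(x).decode() for x in (raw, crc24(raw).to_bytes(3, "big")))
    return f"-----BEGIN PGP SIGNATURE-----\n\n{body}\n={crc}\n-----END PGP SIGNATURE-----\n"

def dearmor(block: str) -> bytes:
    """Decode the text between the armor lines, checking the CRC-24 line when present."""
    lines = block.split("\n\n", 1)[-1].split()   # drop optional armor headers
    crc = lines.pop() if lines and len(lines[-1]) == 5 and lines[-1][0] == "=" else None
    raw = base64.b64decode("".join(lines))
    if crc and int.from_bytes(base64.b64decode(crc[1:]), "big") != crc24(raw):
        raise ValueError("armor CRC-24 mismatch")
    return raw

def inspect_signature(data: bytes) -> dict:
    """Report encoding and signature-packet fields, ignoring the file extension."""
    m = ARMOR.search(data.decode("latin-1").replace("\r\n", "\n"))
    raw = dearmor(m.group(1)) if m else data
    if len(raw) < 10 or not raw[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    if raw[0] & 0x40:   # new-format header: tag in bits 5-0, 1/2/5 length octets
        tag, start = raw[0] & 0x3F, 2 if raw[1] < 192 else 3 if raw[1] < 224 else 6
    else:               # old-format header: tag in bits 5-2, length type in bits 1-0
        tag, start = (raw[0] >> 2) & 0x0F, 1 + (1, 2, 4, 0)[raw[0] & 3]
    body = raw[start:]
    if tag != 2 or body[0] != 4:
        raise ValueError("expected a version 4 signature packet (tag 2)")
    return {"armored": bool(m), "sig_type": SIG_TYPES.get(body[1], hex(body[1])),
            "hash": HASHES.get(body[3], str(body[3]))}

# Constructed sample: a structurally minimal v4 packet, not a verifiable signature.
SAMPLE_BINARY = bytes([0xC2, 0x0D, 4, 0x00, 1, 8, 0, 0, 0, 0, 0xAB, 0xCD, 0x00, 0x08, 0xFF])
```

This only inspects the signature's container and metadata; confirming that the signature matches the file still requires the signer's public key and a real OpenPGP verifier.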