Reference
99 terms covering OpenPGP, modern cryptography, key derivation, and operational privacy. Each term links to authoritative external references where available.
Authenticated Encryption with Associated Data — a cipher mode that produces ciphertext + an integrity tag in one operation, so any tampering is detected at decrypt time. Modern OpenPGP and TLS use AEAD modes (AES-GCM, ChaCha20-Poly1305) by default.
See also: en.wikipedia.org
Advanced Encryption Standard — the NIST-standardised symmetric block cipher (FIPS 197, 2001). Available in 128-, 192-, and 256-bit key sizes. Hardware-accelerated on every modern CPU and the default symmetric cipher in OpenPGP, TLS, and almost everything else.
See also: en.wikipedia.org · wikidata.org
AES used in Cipher Block Chaining mode. Encrypts each block XORed with the previous ciphertext block. CBC provides confidentiality but no integrity — unauthenticated CBC is the source of many real-world attacks (padding oracles). Considered legacy; AES-GCM is preferred.
See also: en.wikipedia.org
AES in Galois/Counter Mode — an AEAD construction that produces ciphertext plus a 128-bit authentication tag. Fast, parallelisable, and widely supported. Used by Web Crypto, TLS 1.3, OpenPGP's SEIPDv2 packets, and this app's Secure Paste.
See also: en.wikipedia.org
An operational mode that disables every outbound network request from an application. In this app, air-gap mode blocks keyserver lookups, Drand fetches, analytics, and any other cross-origin call — the page can still encrypt, decrypt, and sign locally. Useful when the threat model includes a compromised network.
See also: en.wikipedia.org
A family of memory-hard password-hashing functions, winner of the 2015 Password Hashing Competition. Three variants: Argon2d (data-dependent, fastest), Argon2i (data-independent, side-channel-resistant), Argon2id (hybrid, recommended default). Standardised in RFC 9106.
See also: en.wikipedia.org · rfc-editor.org
The hybrid Argon2 variant — first pass uses Argon2i for side-channel resistance, subsequent passes use Argon2d for speed. The recommended default for new password-based key derivation. RFC 9106 §4.
See also: rfc-editor.org
OpenPGP's text encoding for binary key and message data: base64 + a checksum + ----BEGIN/END markers. Lets you paste a key or ciphertext into an email, chat, or HTML form without the binary getting mangled. The ".asc" file extension marks armored content.
See also: en.wikipedia.org
Encryption that uses two keys — one to encrypt (public), one to decrypt (private). Anyone can encrypt; only the holder of the private key can decrypt. The basis of PGP, S/MIME, TLS handshakes, and SSH host keys. Also called public-key cryptography.
See also: en.wikipedia.org
Encryption that also produces an integrity tag, so the receiver can detect tampering. Without authentication, an attacker can flip ciphertext bits and the receiver cannot tell. Modern protocols always use authenticated encryption (AEAD).
See also: en.wikipedia.org
A binary-to-text encoding using 64 printable characters (A–Z, a–z, 0–9, +, /). Expands data ~33% but makes it safe for email, URLs (with the URL-safe variant), and JSON. ASCII armor is base64 + framing.
See also: en.wikipedia.org
A password hashing function from 1999 based on the Blowfish cipher. CPU-hard with a tunable work factor. Pre-dates Argon2 and lacks Argon2's memory-hardness, but still widely deployed and acceptable for password storage. Not recommended for new code over Argon2id.
See also: en.wikipedia.org
A symmetric cipher that operates on fixed-size blocks (typically 64 or 128 bits). AES, DES, 3DES are block ciphers. To encrypt arbitrary-length data, a block cipher is used inside a mode of operation (CBC, GCM, CTR).
See also: en.wikipedia.org
A modern stream cipher designed by Daniel J. Bernstein (2008). Faster than AES on CPUs without AES-NI, and resistant to several timing-attack classes that AES variants struggled with. Standardised in RFC 8439.
See also: en.wikipedia.org · rfc-editor.org
AEAD construction pairing the ChaCha20 stream cipher with the Poly1305 MAC. Used in TLS 1.3, OpenSSH, WireGuard, and modern OpenPGP. The default cipher of choice when AES hardware acceleration is unavailable.
See also: en.wikipedia.org
The encrypted form of a message. Indistinguishable from random data to anyone without the decryption key.
See also: en.wikipedia.org
An OpenPGP signature format that wraps the original plaintext between BEGIN/END markers and appends a detached signature. The message stays human-readable; the signature can be verified separately. Useful for signed email and signed announcements where you want the body visible without decrypting.
See also: en.wikipedia.org
A property of a hash function: it is computationally infeasible to find two distinct inputs that produce the same output. Broken collision resistance (e.g. SHA-1, MD5) means an attacker can forge documents that share a hash with a legitimate one.
See also: en.wikipedia.org
Cryptographically Secure Pseudo-Random Number Generator. Produces output indistinguishable from true randomness to a computationally bounded attacker. The browser's crypto.getRandomValues() and crypto.subtle.generateKey() use the OS CSPRNG.
See also: en.wikipedia.org
An elliptic curve designed by Daniel J. Bernstein (2005) for use with X25519 ECDH. Provides ~128 bits of security with 32-byte keys. Standardised in RFC 7748. The modern default for OpenPGP encryption subkeys, alongside Ed25519 for signing.
See also: en.wikipedia.org · rfc-editor.org
A signature stored as a separate file from the data it signs (typically .sig). Lets you sign binaries, packages, or any file you cannot or will not modify. Verification requires both the original file and the signature.
See also: en.wikipedia.org
A 1976 key-exchange protocol that lets two parties agree on a shared secret over a public channel without ever transmitting the secret. Modern variants (ECDH, X25519) underpin TLS, Signal, OpenPGP, SSH.
See also: en.wikipedia.org
The fixed-size output of a hash function. Sometimes called a checksum (informal) or a hash. SHA-256 produces a 256-bit (32-byte) digest.
See also: en.wikipedia.org
A cryptographic proof that a specific message was created by the holder of a specific private key. The signature is a function of both the message and the private key, and can be verified by anyone with the matching public key. PGP, S/MIME, and code-signing all rely on digital signatures.
See also: en.wikipedia.org
Elliptic Curve Cryptography — public-key cryptography over the algebraic structure of elliptic curves. Smaller keys for the same security as RSA (256-bit ECC ≈ 3072-bit RSA). Standard curves include Curve25519, P-256, P-384, P-521.
See also: en.wikipedia.org
Elliptic Curve Diffie-Hellman — Diffie-Hellman key exchange over an elliptic curve. The asymmetric component of OpenPGP encryption when using ECC keys. X25519 is the most common variant in modern systems.
See also: en.wikipedia.org
Elliptic Curve Digital Signature Algorithm — the elliptic-curve variant of DSA. Used in TLS, JWT, Bitcoin, and OpenPGP signing subkeys. Requires a fresh random nonce per signature; reusing a nonce leaks the private key (the famous Sony PlayStation 3 attack).
See also: en.wikipedia.org
EdDSA over Curve25519 — a deterministic signature scheme that avoids the nonce-reuse failure mode of ECDSA. Fast, small (64-byte signatures, 32-byte keys), modern. Standardised in RFC 8032 and the default signing algorithm in modern OpenPGP and SSH.
See also: en.wikipedia.org · rfc-editor.org
Edwards-curve Digital Signature Algorithm — a family of signature schemes over Edwards-form elliptic curves. Deterministic (no per-signature nonce), simple to implement correctly. The Ed25519 instantiation is the modern default.
See also: en.wikipedia.org
A property of a communication system: data is encrypted on the sender's device and only decrypted on the recipient's device. Intermediate servers see only ciphertext. Signal, WhatsApp, iMessage, and PGP-encrypted email are E2EE; standard email, SMS, and most "encrypted" cloud services are not.
See also: en.wikipedia.org
A measure of unpredictability, in bits. A 128-bit AES key has 128 bits of entropy if it is generated uniformly at random. A six-character lowercase password has ~28 bits of entropy. The Password Strength Tester computes entropy assuming a uniform distribution over the apparent character set.
See also: en.wikipedia.org
Exchangeable Image File Format — metadata embedded in JPEG, TIFF, HEIC, and other image formats. Includes camera make/model/serial, lens, exposure settings, GPS coordinates, and timestamps. The Metadata Tools page reads and strips EXIF without re-encoding the image.
See also: en.wikipedia.org
A short hash (usually SHA-1 or SHA-256) of a public key. Lets users compare keys by reading 40 hex characters instead of comparing 4096-bit RSA moduli. Fingerprint verification is the foundation of safe PGP key exchange.
See also: en.wikipedia.org
A property where compromise of long-term keys does not compromise past sessions. Achieved by using ephemeral keys per session and discarding them after use. TLS 1.3 and Signal have forward secrecy; PGP-encrypted email does not.
See also: en.wikipedia.org
The Free Software implementation of OpenPGP, started in 1997. Command-line, available on Linux, macOS, Windows. The reference implementation for almost every PGP operation; this app uses OpenPGP.js but produces interoperable output.
See also: en.wikipedia.org · gnupg.org
A function mapping arbitrary-length input to fixed-length output, designed so that the output is deterministic, fast to compute, infeasible to invert, and infeasible to find collisions for. SHA-256 is the standard general-purpose cryptographic hash.
See also: en.wikipedia.org
HMAC-based Key Derivation Function (RFC 5869). Extracts entropy from a high-entropy input (e.g. a Diffie-Hellman shared secret) and expands it into multiple uniform output keys. Used in TLS 1.3, Signal, Noise.
See also: en.wikipedia.org · rfc-editor.org
Hash-based Message Authentication Code (RFC 2104). Combines a secret key with a hash function to produce a tag that proves both authenticity and integrity. HMAC-SHA-256 is the workhorse MAC of the modern internet.
See also: en.wikipedia.org · rfc-editor.org
A random value mixed into a cipher's state at the start of encryption to ensure that the same plaintext + key produce different ciphertext each time. Must be unique per encryption (and for some modes, unpredictable). IV reuse is a catastrophic failure mode in AES-GCM and CTR modes.
See also: en.wikipedia.org
A function that turns a low-entropy input (a passphrase) or a high-entropy input (a Diffie-Hellman secret) into one or more uniform encryption keys. Password-stretching KDFs (PBKDF2, Argon2id) are deliberately slow; HKDF is fast and used after key agreement.
See also: en.wikipedia.org
The lower 64 bits of an OpenPGP key fingerprint. Convenient short reference (e.g. 0xDEADBEEF) but collidable — short Key IDs (32 bits) have been demonstrably forged. Always verify by full fingerprint, not by Key ID.
See also: en.wikipedia.org
A matched public + private key. Generated together; the private key cannot be derived from the public, and the public is mathematically derived from the private. The atomic unit of PGP, SSH, TLS client certs.
See also: en.wikipedia.org
A local store of PGP keys (your own + others'). GnuPG keeps a pubring.kbx and secring.gpg (or modern private-keys-v1.d/). Browser tools like this one usually do not have a persistent keyring — keys are pasted in per session.
See also: en.wikipedia.org
A server that hosts PGP public keys, indexable by email or fingerprint. The modern default is keys.openpgp.org (validated, opt-in upload, can be deleted). Older SKS servers were never validated and accumulated spam, leading to the modern split.
See also: en.wikipedia.org
A short tag computed over a message using a secret key, proving the message was produced by someone with the key and not modified. HMAC and Poly1305 are the standard MACs.
See also: en.wikipedia.org
A flawed construction: compute a MAC over the plaintext, then encrypt plaintext + MAC together. Decryption errors leak via padding-oracle-style attacks. Modern systems use encrypt-then-MAC or AEAD instead.
See also: en.wikipedia.org
A scheme that turns a block cipher into a way to encrypt arbitrary-length messages. ECB (insecure), CBC (legacy), CTR (parallelisable), GCM (AEAD) are the canonical examples.
See also: en.wikipedia.org
A "number used once" — a unique value per encryption, used by AEAD modes (AES-GCM, ChaCha20-Poly1305) to ensure ciphertexts diverge. Nonces are public and do not need to be unpredictable, only unique. Reusing a nonce with the same key in GCM is a catastrophic failure.
See also: en.wikipedia.org
The IETF standard (RFC 4880, updated by RFC 9580 in 2024) defining the PGP message format and protocols. Implemented by GnuPG, OpenPGP.js, RNP, Sequoia, and others. "PGP" colloquially means OpenPGP.
See also: en.wikipedia.org · rfc-editor.org
A smart-card specification for storing OpenPGP private keys. The card performs sign/decrypt operations internally; the keys never leave the chip. YubiKeys (in OpenPGP mode), Nitrokeys, and the FSF's Cryptostick are OpenPGP-card-compliant.
See also: en.wikipedia.org
A NIST-standardised elliptic curve (FIPS 186-4), also called secp256r1 or prime256v1. ~128 bits of security. The default curve for ECDSA in TLS, JWT, and many enterprise environments. Modern protocols increasingly prefer Curve25519 for the same security with simpler implementation.
See also: en.wikipedia.org
A NIST-standardised elliptic curve providing ~192 bits of security. Required by Suite B and several government environments. Slightly slower than P-256 and Curve25519 but with a larger security margin.
See also: en.wikipedia.org
Password-Based Key Derivation Function 2 (RFC 2898, 2000). Stretches a passphrase into a key by iterating an HMAC many times. Modern guidance: ≥ 600,000 iterations of PBKDF2-SHA256. Only CPU-hard, not memory-hard — Argon2id is preferred for new code.
See also: en.wikipedia.org · rfc-editor.org
Synonymous with forward secrecy. Long-term key compromise does not retroactively expose past sessions. Achieved via ephemeral key exchange per session.
See also: en.wikipedia.org
Pretty Good Privacy — Phil Zimmermann's 1991 program for encrypting and signing email and files. The OpenPGP standard (RFC 4880 / 9580) is the open spec derived from it. Today "PGP" almost always means an OpenPGP implementation, often GnuPG.
See also: en.wikipedia.org
An IETF standard (RFC 3156) for embedding PGP-encrypted or signed payloads in MIME-formatted email. Modern mail clients prefer PGP/MIME over the older inline ASCII-armor approach because it handles attachments cleanly.
See also: rfc-editor.org
Public Key Infrastructure — the certificate authorities, certificates, and revocation infrastructure that bind public keys to identities in TLS, S/MIME, and code signing. PGP's web of trust is an alternative trust model that avoids central CAs.
See also: en.wikipedia.org
Unencrypted data. The input to encryption and the output of decryption.
See also: en.wikipedia.org
A property where it is computationally or socially impossible to prove that someone did, or did not, send a particular message. Off-the-Record Messaging (OTR) and some Signal modes have this; PGP signatures explicitly do not — that is the point of a signature.
See also: en.wikipedia.org
A property of a hash function: given an output, it is infeasible to find an input that hashes to it. Distinct from collision resistance. SHA-256 has preimage resistance of ~2^256.
See also: en.wikipedia.org
The top-level key in an OpenPGP key bundle. Carries the user ID, certifies subkeys, and signs revocations. Best practice is to keep the primary offline and use subkeys for daily sign/encrypt operations.
See also: en.wikipedia.org
The half of a key pair that must stay secret. Used to decrypt messages encrypted to the matching public key, and to produce signatures verifiable with the matching public key. Compromise of a private key compromises all messages encrypted to its public key.
See also: en.wikipedia.org
The half of a key pair that can be shared freely. Used to encrypt messages (only the private-key holder can decrypt) and to verify signatures (only the private-key holder could have produced them).
See also: en.wikipedia.org
An attacker captures a valid encrypted or signed message and re-sends it later, hoping the receiver acts on it again. Defended against by including a fresh timestamp or nonce in every message that the receiver tracks.
See also: en.wikipedia.org
A pre-signed OpenPGP statement saying "this key is no longer valid". Generated at key-creation time and stored separately, so even if you lose the private key you can still publish the revocation. Required hygiene for any PGP key meant to last.
See also: en.wikipedia.org
The Rivest-Shamir-Adleman public-key algorithm (1977). Based on the difficulty of factoring large semiprimes. Modern guidance: ≥ 3072-bit keys for new use; 2048-bit for legacy compatibility only. Slower than ECC; remains universally supported.
See also: en.wikipedia.org
Secure/Multipurpose Internet Mail Extensions — an IETF standard for email encryption and signing using X.509 certificates. Native support in Apple Mail, Outlook, and most enterprise clients. Trust comes from a CA, not from a web of trust.
See also: en.wikipedia.org
String-to-Key — the OpenPGP key-derivation specification used to turn a passphrase into a symmetric key. Modern S2K specifiers support PBKDF2 and Argon2id (via RFC 9580). Older S2K modes (simple, salted) are insecure for low-entropy passphrases.
See also: rfc-editor.org
A random value mixed into password hashing to ensure that the same passphrase produces different hashes for different users. Defeats precomputed rainbow tables. Salts are public and stored alongside the hash.
See also: en.wikipedia.org
A memory-hard password hashing function from 2009 (Colin Percival). Pre-Argon2 standard for memory-hard KDF. Still used in some cryptocurrencies and password vaults; superseded by Argon2id for new design.
See also: en.wikipedia.org
Symmetrically Encrypted Integrity Protected packet — the OpenPGP packet format that pairs symmetric encryption with a SHA-1 modification-detection code (SEIPDv1) or AEAD (SEIPDv2 in RFC 9580). Replaces the older unauthenticated SE packet, which was vulnerable to active attacks.
See also: rfc-editor.org
A symmetric key generated for one specific message or session. In hybrid encryption (PGP, TLS), the session key encrypts the body and is itself encrypted to the recipient's public key. Discarded after use.
See also: en.wikipedia.org
A 256-bit hash from the SHA-2 family (FIPS 180-4). The default cryptographic hash for almost everything in 2026 — TLS, Bitcoin, OpenPGP, package signing. ~2^128 collision resistance.
See also: en.wikipedia.org
The third-generation NIST hash family (FIPS 202, 2015), based on the Keccak sponge construction. Available in 224, 256, 384, 512-bit variants. Designed as a structural alternative to SHA-2; not yet a default in most protocols.
See also: en.wikipedia.org
The 512-bit variant of SHA-2. Faster than SHA-256 on 64-bit CPUs, with double the collision resistance. Used where larger digests are useful (some HMAC profiles, password hashing, SHA-512/256 truncation).
See also: en.wikipedia.org
A 1979 scheme by Adi Shamir for splitting a secret into N shares such that any K of them can reconstruct it, and fewer than K reveal nothing. Used to back up high-value secrets without a single point of failure. The Split Key tool implements this for PGP private keys.
See also: en.wikipedia.org
An attack that exploits information leaked through the implementation rather than the algorithm — timing, cache state, power consumption, electromagnetic radiation. Modern implementations of AES, ECDSA, and RSA include explicit mitigations.
See also: en.wikipedia.org
The output of a signing operation — a short binary blob that, combined with the message and the signer's public key, proves the message was signed by the corresponding private key. See Digital signature.
See also: en.wikipedia.org
Producing a digital signature over a message using a private key. The recipient verifies with the matching public key. Distinct from encryption: signing does not hide the message, only proves who produced it.
See also: en.wikipedia.org
A tamper-resistant chip that stores private keys and performs cryptographic operations on-chip — the keys never leave. YubiKey, Nitrokey, and government PIV / CAC cards are smart cards. The OpenPGP card spec defines a PGP-specific smart-card profile.
See also: en.wikipedia.org
Hiding data inside other data so the existence of the message is obscured (as opposed to its contents, which is encryption). Image steganography uses the least-significant bits of pixels; the Steganography tool combines this with PGP for confidentiality plus concealment.
See also: en.wikipedia.org
A symmetric cipher that produces a key-derived pseudo-random stream and XORs it with the plaintext. ChaCha20 is the modern default. Block ciphers in CTR mode behave as stream ciphers.
See also: en.wikipedia.org
A key bound to a primary key by a certification signature. Subkeys can have their own algorithms, expiry dates, and capabilities (sign / encrypt / authenticate). Best practice: use subkeys for daily operations, keep the primary offline.
See also: en.wikipedia.org
Encryption that uses the same key to encrypt and decrypt. Fast (orders of magnitude faster than asymmetric) but requires both parties to already share the key. Modern systems combine symmetric + asymmetric: asymmetric encrypts a fresh symmetric key per message, symmetric encrypts the body.
See also: en.wikipedia.org
An explicit statement of who the attacker is, what they can do, and what they want. "PGP-encrypted email defends against a passive network adversary, not against malware on the recipient's laptop" is a threat-model statement. Picking the wrong tool is usually a threat-model mismatch.
See also: en.wikipedia.org
Encryption that becomes decryptable only after a specified date, without trusting any single party to release a key. The Time-Lock tool uses Drand (League of Entropy) — a distributed randomness beacon — as the trust anchor.
See also: en.wikipedia.org
A side-channel attack that exploits variations in how long an operation takes, depending on secret data. Constant-time implementations mitigate this by ensuring the operation always takes the same time regardless of input.
See also: en.wikipedia.org
The part of a URL after the #. Browsers do not send the fragment to the server. Secure Paste exploits this: paste content lives entirely in the fragment, so it never crosses the network even when the URL is loaded.
See also: en.wikipedia.org
A string attached to an OpenPGP primary key, typically of the form Name <[email protected]>. A key can have multiple user IDs (e.g. several email addresses). Each user ID is signed by the primary key and optionally by other keys (web-of-trust certifications).
See also: en.wikipedia.org
PGP's decentralised trust model: any user can sign any other user's public key, vouching that the key really belongs to them. Trust propagates transitively (you trust Alice, Alice signs Bob's key, you trust Bob's key) up to a configurable depth. Contrasts with PKI, which relies on centralised CAs.
See also: en.wikipedia.org
A W3C standard for browser-mediated public-key authentication, often using hardware authenticators (YubiKey, Touch ID, Windows Hello). The Decrypt tool uses WebAuthn as an optional gate before revealing decrypted plaintext.
See also: en.wikipedia.org
Web Key Directory — a discovery protocol where a domain advertises its users' OpenPGP keys at a well-known URL (/.well-known/openpgpkey/...). Lets recipients fetch a key by email address without trusting a separate keyserver. Supported by GnuPG and the Key Inspector tool.
See also: datatracker.ietf.org
The ITU-T standard for digital certificates used in TLS, S/MIME, code signing, and PKI generally. Defines certificate fields (subject, issuer, validity, public key) and the CA-signed chain that establishes trust. Distinct from OpenPGP's certificate format.
See also: en.wikipedia.org
ECDH key agreement over Curve25519 (RFC 7748). The encryption-side counterpart to Ed25519. Used for OpenPGP encryption subkeys, TLS 1.3 key exchange, Signal, WireGuard, SSH.
See also: rfc-editor.org
Extensible Metadata Platform — an Adobe-developed XML metadata format embedded in PDFs, JPEGs, RAW files, and Office documents. Often carries tracking IDs (xmpMM:DocumentID, xmpMM:InstanceID) that survive lazy "strip metadata" operations. The Metadata Tools page extracts and removes XMP packets.
See also: en.wikipedia.org
A family of hardware security tokens from Yubico. Supports OpenPGP card mode, FIDO2/WebAuthn, U2F, OTP, and PIV. Common pairing with GnuPG for offline-primary key setups: the YubiKey holds the encryption / signing / authenticate subkeys and never reveals them.
See also: en.wikipedia.org
A cryptographic protocol that proves a statement is true without revealing anything else. Common in privacy-preserving authentication and blockchain systems. Not directly used in PGP — included here as a frequently-asked-about concept.
See also: en.wikipedia.org