Create OpenPGP clearsigned messages so anyone with your public key can verify the content was authored by you. Browser-side, offline-capable.
Signing is how you cryptographically vouch for content. The signature does not hide the message — anyone can read it — but it proves the holder of the matching private key wrote (or approved) those exact bytes. Tampering with even a single character invalidates the signature.
PGP Tool produces clearsigned output by default: the original plaintext followed by an ASCII-armored signature block. This format is human-readable and works across email, chat, and code review tools. For binary files or when you need the signature separate from the content, use Detached Sign instead.
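The clearsigned layout described above, as an added example (not PGP Tool's own code): a parser for the cleartext signature framing defined in RFC 4880 section 7. It returns the text the signature covers, after dash-unescaping, trailing-whitespace removal and CRLF line endings, and it separates out anything outside the framing. The function name, field names and sample message are constructed for illustration, and the signature body is a placeholder; no signature is verified here.

```javascript
// Added example: framing parser for RFC 4880 section 7 cleartext signatures.
// It extracts what the signature covers; it does not verify the signature.
const BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----";
const BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----";
const END_SIG = "-----END PGP SIGNATURE-----";

function parseClearsigned(input) {
  const lines = input.split(/\r?\n/);
  const start = lines.indexOf(BEGIN_MSG);
  const sigStart = lines.indexOf(BEGIN_SIG, start + 1);
  const sigEnd = lines.indexOf(END_SIG, sigStart + 1);
  if (start < 0 || sigStart < 0 || sigEnd < 0) {
    throw new Error("not a complete clearsigned message");
  }
  // Armor headers ("Hash: ...") run until the first empty line.
  const hashes = [];
  let i = start + 1;
  for (; i < sigStart && lines[i] !== ""; i++) {
    const m = /^Hash:\s*(.+)$/.exec(lines[i]);
    if (!m) throw new Error("unexpected header: " + lines[i]);
    hashes.push(...m[1].split(",").map((h) => h.trim()));
  }
  if (i >= sigStart) throw new Error("missing empty line after headers");
  const body = lines.slice(i + 1, sigStart).map((line) => {
    // Undo dash-escaping: a cleartext line starting with "-" is sent as "- -...".
    if (line.startsWith("- ")) line = line.slice(2);
    else if (line.startsWith("-")) throw new Error("unescaped dash line");
    // Trailing spaces and tabs are removed before hashing.
    return line.replace(/[ \t]+$/, "");
  });
  return {
    hashes,
    // Lines are joined with CRLF; the final line ending is not signed.
    signedText: body.join("\r\n"),
    signatureArmor: lines.slice(sigStart, sigEnd + 1).join("\n"),
    // Anything outside the framing is NOT covered by the signature.
    unsignedBefore: lines.slice(0, start).join("\n"),
    unsignedAfter: lines.slice(sigEnd + 1).join("\n"),
  };
}

// Constructed sample; the signature body is a placeholder, not real output.
const sample = [
  "Note pasted above the signed block",
  BEGIN_MSG, "Hash: SHA256", "",
  "Release 1.2 is approved.  ",
  "- -- Alice",
  BEGIN_SIG, "", "PLACEHOLDER", END_SIG, "",
].join("\n");
console.log(parseClearsigned(sample));
```

When checking a signed message, treat only `signedText` as vouched for; text pasted before the BEGIN line or after the END line carries no signature.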
The signing operation requires your private key and its passphrase. The signature includes a timestamp and your key's fingerprint, so verifiers can confirm both authorship and time of signing. Signatures never expire, but they become untrusted if the underlying key expires or is revoked.
Frequently asked questions
What is the difference between signing and encrypting?
Signing proves authorship without hiding content. Encrypting hides content from everyone except the intended recipient. Both can be combined — sign-then-encrypt — to get authenticity plus confidentiality.
Will my signed message be readable by people without PGP?
Yes. Clearsigned output has the plaintext on top and the signature below. Anyone can read the message; only those with your public key can verify it.
How long does a PGP signature stay valid?
Indefinitely, as long as the signing key remains trusted and is not revoked. PGP signatures do not have a built-in expiry — only the underlying key does.
Can I sign without my passphrase?
Only if the private key is unprotected. Strip the passphrase first via Generate Keys → Change Passphrase. Note: an unprotected private key file is dangerous if it is stolen, because anyone who holds the file can sign as you without needing a passphrase.
What if the verifier does not have my public key?
Send it to them out of band, or publish it on a keyserver via Key Inspector. They paste it into the Verify tool alongside your signed message.