PGP Tool

Compare · 5 min read · 2026-03-08

Browser PGP vs GPG on the desktop — when to use which

GnuPG is the gold standard for serious key management. A browser tool wins for ad-hoc encryption and on devices without root access. Here is the honest comparison.

GnuPG (GPG) is the canonical PGP implementation — running on Linux, macOS, and Windows since 1997, scrutinised by every paranoid sysadmin, integrated into apt-get, package managers, mail clients, and signing infrastructure. A browser tool is something different. The two coexist for different jobs.

GPG on the desktop

Strengths: a permanent keyring under your control, hardware token integration (YubiKey, Nitrokey), command-line scripting, decades of audit history, integration with mail clients (Thunderbird), package signing (apt, dnf, brew), and SSH key management. If you encrypt or sign things daily, this is the answer.

Weaknesses: requires installation, root or admin to set up, has a steep CLI learning curve. Cannot run on a borrowed laptop, a Chromebook in restricted mode, or anywhere a USB stick is not allowed.

Browser PGP (this app)

Strengths: zero install, runs anywhere with a modern browser, works offline as a PWA, no admin needed. Same crypto library quality (OpenPGP.js is widely audited and used in major mail clients). Useful as a learning tool, a backup channel, or a quick one-off encryption when you do not have your normal device.

Weaknesses: no persistent keyring across browser sessions unless you save keys yourself; no hardware-token integration; trust depends on the integrity of the served HTML/JS bundle (mitigated by HTTPS, CSP, and PWA caching, but not as airtight as a static binary you compiled).

Recommendation

  • Daily user with sensitive work — GPG with a hardware token. Browser tools as a fallback.
  • Occasional user who encrypts a message every few months — browser tool is enough, less to maintain.
  • Travelling on a borrowed laptop and need to read one urgent message — browser tool, in air-gap mode, then close the tab.
  • Source contacting a journalist for the first time — browser tool from a public Wi-Fi, ciphertext sent via any channel, journalist decrypts on their GPG setup.

They are not in competition. They are different shapes for different days.