UtilityKit

500+ fast, free tools. Most run in your browser only; Image & PDF tools upload files to the backend when you run them.

PGP Encrypt / Decrypt

Encrypt, decrypt, generate PGP key pairs, and sign/verify messages in-browser with OpenPGP.js.

About PGP Encrypt / Decrypt

PGP (Pretty Good Privacy) is a proven standard for end-to-end encrypted communications. This tool brings the full OpenPGP workflow to your browser using the OpenPGP.js library — the same engine behind ProtonMail and many open-source email clients. Four tabs cover the complete PGP lifecycle: Encrypt a message using a recipient's public key so only they can read it; Decrypt a ciphertext using your private key and optional passphrase; Generate a fresh key pair (ECC ed25519 for modern use, or RSA 2048/4096 for broad compatibility); and Sign a message or Verify a signed message using public-key cryptography. All operations happen entirely in your browser — no data is sent to any server. ECC key generation is recommended for new use cases because ed25519 keys are far smaller and faster than RSA while providing equivalent security.

Why use PGP Encrypt / Decrypt

  • Fully client-side — OpenPGP.js never sends your keys or messages to any server.
  • Supports modern ECC (ed25519) and legacy RSA 2048/4096, covering all common interoperability needs.
  • The Verify tab lets you authenticate messages without installing GPG locally.
  • Generate and download key pairs in standard ASCII armor format accepted by all PGP tools.
  • Useful for testing PGP integrations, onboarding users to encrypted workflows, and learning the OpenPGP standard.
  • Fully client-side — OpenPGP.js never sends your keys, passphrases, or messages to any server, and you can verify zero network activity in DevTools.

How to use PGP Encrypt / Decrypt

  1. To encrypt: paste the recipient's public key block in the Encrypt tab, type your message, and click Encrypt to get the ASCII-armored ciphertext.
  2. To decrypt: paste your private key, enter your passphrase if the key is protected, paste the ciphertext, and click Decrypt.
  3. To generate a key pair: go to Generate Keys, choose ECC (recommended) or RSA, enter a name and email, set an optional passphrase, and click Generate. Download both keys.
  4. To sign a message: paste your private key, enter the passphrase if needed, type the message, and click Sign.
  5. To verify a signature: paste the signer's public key and the signed message, then click Verify — a green or red badge shows the result.
  6. To encrypt a message: open the Encrypt tab, paste the recipient's public key block (-----BEGIN PGP PUBLIC KEY BLOCK-----), type or paste your message, then click Encrypt to receive ASCII-armored ciphertext.
  7. To decrypt a message: open the Decrypt tab, paste your private key block, enter the passphrase if the key is protected, paste the ciphertext, and click Decrypt to reveal the plaintext.

When to use PGP Encrypt / Decrypt

  • Encrypting sensitive messages to send over email or chat.
  • Testing PGP encryption/decryption logic in a backend service.
  • Generating key pairs for a new user or service without installing GPG locally.
  • Verifying that a signed release or document is authentic before trusting it.
  • Learning OpenPGP workflows before integrating a library into your application.
  • Encrypting sensitive messages to send over email, chat, or a public paste link where only the named recipient should be able to read it.

Examples

Encrypting a sensitive message to a recipient

Input: Recipient public key: -----BEGIN PGP PUBLIC KEY BLOCK----- mDMEY3... -----END PGP PUBLIC KEY BLOCK----- Message: The deploy key for prod is in 1Password under prod-deploy

Output: -----BEGIN PGP MESSAGE----- hQEMAyM... -----END PGP MESSAGE----- (only the recipient's private key can decrypt this)

Generating an ed25519 key pair for a new contributor

Input: Name: Alice Example Email: alice@example.com Algorithm: ECC ed25519 Passphrase: (set a strong passphrase)

Output: Two ASCII-armored blocks: a public key (~700 chars, share this) and a private key (~1100 chars, keep secret). Download both as alice-public.asc and alice-private.asc.

Verifying a signed release announcement

Input: Signer public key: -----BEGIN PGP PUBLIC KEY BLOCK----- ... Signed message: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 v2.4.0 is now available... -----BEGIN PGP SIGNATURE----- ...

Output: Verified — green badge. The signature is valid and the message has not been altered since the holder of this private key signed it.

Decrypting a paste link sent by a colleague

Input: Your private key: -----BEGIN PGP PRIVATE KEY BLOCK----- ... Passphrase: ******** Ciphertext: -----BEGIN PGP MESSAGE----- hQEMAyM...

Output: Decrypted plaintext appears in the output panel: 'AWS_ACCESS_KEY=AKIA...; AWS_SECRET=...' — only readable by the holder of this specific private key.

Tips

  • Generate a dedicated test key pair for experimenting before using this tool with important keys; throwaway keys make it easy to validate workflows without risking real identities.
  • ECC ed25519 is the recommended choice for new key pairs — keys are tiny, operations are fast, and modern OpenPGP tools all support it. Choose RSA 4096 only when forced by legacy interop.
  • Always protect private keys with a strong passphrase, especially if you download and store them. The passphrase encrypts the private key on disk so a stolen .asc file is not immediately usable.
  • Compare key fingerprints out-of-band (phone call, in person, or a separate trusted channel) before trusting a public key to belong to a specific person.
  • Sign-then-encrypt is the canonical workflow for sensitive correspondence: signing inside the encrypted envelope ensures the recipient knows exactly who sent the message and that it has not been altered.
  • Save your generated private key somewhere safe (encrypted password manager, hardware token, or offline backup) the moment it is created — closing the tab without downloading means the key is gone forever.

Frequently Asked Questions

Is it safe to paste my private key into this tool?
This tool runs entirely in your browser and makes no network requests while processing keys or messages. However, for maximum security, avoid using your primary personal private key in any online tool — create a test key pair here first and use that for experimentation.
What is the difference between ECC and RSA key types?
ECC (specifically ed25519) produces much smaller keys and is significantly faster than RSA while offering equivalent security. RSA is older and more widely supported by legacy systems. For new use cases, ECC is recommended; choose RSA only if your target system requires it.
What does ASCII armor mean?
ASCII armor is the base64-encoded text format for PGP data, enclosed in -----BEGIN PGP ... BLOCK----- headers. It allows binary cryptographic data to be transmitted in plain-text systems like email or copy-paste.
Can I use a key I generated here with real GPG software?
Yes. Keys generated in OpenPGP.js format are fully compatible with GnuPG (gpg), Kleopatra, ProtonMail, and any other OpenPGP-standard tool. Download the key files and import them with gpg --import.
Why does the Decrypt operation fail even with the right key?
The most common reason is a mismatched passphrase or using the public key instead of the private key. Ensure you paste the PRIVATE key block (-----BEGIN PGP PRIVATE KEY BLOCK-----) in the Decrypt tab.
What is the difference between encrypting and signing?
Encryption ensures only the recipient can read the message (confidentiality). Signing proves the message came from you and was not tampered with (authenticity). Both can be combined: you can sign-then-encrypt a message for maximum security.

Explore the category

AES Text Encryptor PBKDF2-hardened AES-GCM encrypt and decrypt. RSA Key Generator Issue RSA-OAEP 2048 PEM pairs via Web Crypto. SSH Public Key Fingerprint Calculate the MD5 and SHA-256 fingerprints of an SSH public key to verify identity without sharing the full key. bcrypt Generator & Verifier Hash passwords with bcrypt (cost 8–14) and verify hashes in-browser. Hash Generator Generate SHA-256, SHA-1, MD5 hashes UUID Generator Generate random UUIDs v4
How PGP Encryption Works: Keys, Trust, and Real-World Use PGP (and OpenPGP) has secured email and files since 1991. We explain key pairs, the web of trust, signing vs encrypting, and where PGP still May 2026 · 8 min

Glossary

OpenPGP
The open standard (RFC 4880) for PGP encryption and signing, implemented by tools like GnuPG, OpenPGP.js, and many email clients. PGP is the brand; OpenPGP is the spec.
Public-key cryptography
An asymmetric scheme where each user has a key pair: the public key encrypts and verifies, the private key decrypts and signs. Knowing the public key reveals nothing about the private key.
ASCII armor
Base64 encoding of binary PGP data with human-readable -----BEGIN/END----- header lines, enabling PGP data to travel safely through plain-text channels like email and chat.
Key ring
A local collection of OpenPGP keys you trust or own. GnuPG stores public keys in pubring.gpg/pubring.kbx and private keys in secring.gpg/private-keys-v1.d. This tool does not maintain a persistent key ring.
Web of trust
A decentralized PGP trust model where users sign one another's keys to attest identity, building a graph of vouched relationships. An alternative to centralized certificate authorities.
RSA vs ECC
RSA is an integer-factorization-based algorithm (key sizes 2048–8192 bits); ECC (elliptic curve, curve25519/ed25519) provides equivalent security with 32-byte keys. ECC is faster, smaller, and recommended for new keys.
Passphrase
A secret used to encrypt a private key on disk. Without the passphrase, a stolen private key file cannot be used. Required when decrypting or signing with a passphrase-protected key.
Fingerprint
A short hash of a public key (typically 40 hex characters for SHA-1, 64 for SHA-256) used for out-of-band identity verification — easier to compare by phone or in person than a full key block.