About PGP Converter
About This App
PGP Converter is a free, open-source tool for encrypting and decrypting messages using PGP (Pretty Good Privacy). It has been free, ad-free, and open source since its launch in May 2023. No sponsors, no affiliate links, no paid placements; the project is supported solely by optional donations, and donors receive nothing in return. All cryptographic operations run entirely in your browser; no keys, messages, or passphrases are ever sent to any server.
This means:
- Your private keys never leave your device
- Your messages are never transmitted over the network
- The only external request the app makes is to fetch up-to-date donation wallet addresses on the donate page, and no user data is involved
- You can verify the source code on GitHub
Hosting & Privacy
PGP Converter is hosted on Netlify. Basic server-side analytics are enabled through Netlify's standard logs, giving us aggregate metrics like page views, unique visitors, and top locations. This data is never shared with anyone.
Beyond that:
- No cookies are set
- No client-side tracking scripts are loaded
- No third-party code runs on this site besides OpenPGP.js and a private API used solely to retrieve donation wallet addresses
- No personal data, user accounts, databases, or per-user logs; beyond the aggregate Netlify metrics above, nothing about you or your activity is retained
- Because user data is never collected or stored, it cannot be produced in response to a subpoena; we simply do not have it
Prefer not to take our word for it? Routing your traffic through a trustworthy VPN hides your IP address and approximate location from the aggregate analytics described above; however, a VPN shifts trust to the VPN provider rather than removing it and does not provide anonymity on its own. For genuine anonymity, use Tor Browser, which is purpose-built for it. Privacy Guides maintains vetted recommendations for both.
How PGP Works
PGP (Pretty Good Privacy) uses a system called public-key cryptography. Here's how it works:
Key Pairs
Every user has two keys that are mathematically linked:
- Public Key: Share this freely. Others use it to encrypt messages to you.
- Private Key: Keep this secret. Only you can decrypt messages with it.
Encryption
When someone wants to send you a secret message:
- They obtain your public key
- They encrypt their message using your public key
- Only your private key can decrypt the message
Decryption
When you receive an encrypted message:
- You use your private key and passphrase
- The message is decrypted and readable
Using This App
Generate Keys
Create a new PGP key pair. You'll need to provide your name, email, and a strong passphrase. Choose between ECC (faster, modern) or RSA (traditional, widely compatible) key types.
Go to Generate Keys →
Encrypt Messages
Enter your message and the recipient's public key. The encrypted output can only be read by the person who has the corresponding private key.
Go to Encrypt →
Decrypt Messages
Paste the encrypted message, your private key, and enter your passphrase to reveal the original message.
Go to Decrypt →
Security Best Practices
Never share your private key with anyone. Store it in a secure location.
Choose a long, unique passphrase that you can remember but others cannot guess. This protects your private key.
Before encrypting, confirm you have the correct public key through a trusted channel.
Keep secure backups of your key pair. If you lose your private key, you cannot decrypt messages.
Threat Model
Every security tool has a scope. Here is what this one does and does not protect you from.
What this tool is designed to protect against
- Passive network eavesdroppers reading your messages in transit
- Tampering of ciphertext in transit: OpenPGP v6 uses authenticated encryption (AEAD), which detects and rejects modified messages before revealing plaintext
- Server-side key theft, because there is no server-side key storage
- Server-side logging of your inputs, because there is no server-side processing
- Cryptanalysis of the underlying ciphers with current classical computing power: Curve25519 provides around 128-bit security, and RSA at 3072+ bits remains unbroken against known attacks
- Accidental transmission of plaintext when you intended to encrypt
What this tool does not protect against
- A compromised deployment. If an attacker gained control of this site's hosting or build pipeline, they could serve tampered JavaScript that exfiltrates your keys. This is the inherent limitation of any web-based cryptographic tool, and the reason we recommend a local PGP client for high-stakes use.
- Endpoint compromise. If your device has a keylogger, malware, or a compromised browser extension, nothing done in-browser can save you.
- Metadata leakage. PGP encrypts message content, but not the email subject line, sender or recipient addresses, or the timestamp. Who talked to whom and when remains visible to anyone with access to the headers.
- Loss of forward secrecy. PGP does not provide forward secrecy. If your private key is ever compromised, every past message encrypted to that key can be decrypted.
- High-value targeted adversaries. For journalistic sources, legal material, long-term archives, or any threat model at that level, use GnuPG locally or a desktop PGP mail client.
Verifying This Deployment
As noted in the OpenPGP.js documentation, web-hosted cryptographic applications have a different security model from installable applications: with a web app, users must trust the server to deliver the correct code on every visit.
What: Every production deploy is built and signed by GitHub Actions using a short-lived Sigstore-issued certificate. The attestation links each deployed file to a specific commit and workflow run, and is recorded in Sigstore's public transparency log.
Why: A web app's security depends on the deployed JavaScript matching the reviewed source code; attestation makes this a check you can run, not a promise you have to take on faith.
How to verify: Install the GitHub CLI and run:
gh attestation verify <file> --repo polyym/pgp-converter
For additional assurance:
- Use browser developer tools to confirm no unexpected network requests are made during crypto operations
- For high-security needs, consider running locally or using dedicated PGP software like GnuPG
Reporting Issues
Found a bug, have a suggestion, or want to report a security issue? Please open an issue on GitHub.