Why a passphrase if my private key is in a file?

Without a passphrase, **anyone who gets the file** (a stolen laptop, a backup leak) can read your email and sign commits as you. A passphrase **wraps the private key in another encryption layer**. Without the passphrase the file is useless. This is industry standard.

What is the difference between the public and private key?

**The public key you give to everyone** (in your email signature, on GitHub, on your company page). Anyone can use it to encrypt a message for you. **The private key only you keep** (on your laptop, ideally on a YubiKey hardware token). Only you can decrypt messages encrypted with the public key. Asymmetry equals security.

What is the fingerprint and the key ID?

**Fingerprint** is a 40-character hex string (SHA-1 of the whole key), your unique "cryptographic fingerprint". **Key ID** is the last 16 characters of the fingerprint, the short version shown in UIs. When someone hands you a key with "my key: 1A2B 3C4D ...", **verify the fingerprint** before trusting it blindly (MITM attacks swap keys silently).

Can I change the passphrase later?

Yes, but **not in this tool**, this one only generates. In GnuPG (`gpg --edit-key`), in ProtonMail settings, in Keybase too. The private key itself stays the same, only the wrapper changes.

What if I lose my private key?

**You cannot decrypt old messages**, ever. That is what makes PGP strong. Standard practice: **generate a revocation certificate immediately** after creating the key, store it safely. If you lose the key, publish the certificate to tell the world your public key is burned. We do not generate a revocation cert here (advanced), do it in GnuPG.

The key expired, what now?

Generate a new one, publish it, announce it on your blog/Twitter as your new key. The **old key still decrypts old messages**, you do not lose history. Expiration is a **safety net** in case you lose access or forget about the key.

Does your server see my keys?

**No**. Generation happens entirely in your browser (the OpenPGP.js library, the same code ProtonMail uses). Open **DevTools → Network**, you will see zero requests during generation. Our server only delivers static HTML/JS/CSS.

Can I use this key in GnuPG / Thunderbird / ProtonMail?

Yes, **the keys follow the OpenPGP standard** (RFC 4880), ASCII "armored" format. In GnuPG: `gpg --import private.asc`. In Thunderbird: Settings, End-to-End Encryption, OpenPGP, Import. In ProtonMail: Settings, Encryption and keys, Import.

Does this replace S/MIME?

PGP and S/MIME solve the same problem (encrypted email) but are **incompatible**. S/MIME uses X.509 certificates (like HTTPS, hierarchical CAs), PGP uses the "Web of Trust" (peer-to-peer trust network). PGP dominates among developers and privacy organizations (EFF, Tor, ProtonMail), S/MIME dominates in corporate Outlook/Microsoft 365.

YourDevToolsPro

Full name

Generate an OpenPGP keypair (Ed25519 or RSA) right in your browser. Armored ASCII format, ready to import.

LiveRuns in your browser

PGP keypair generator

Generate an OpenPGP keypair for encrypting email, signing Git commits and verifying software. All math runs in your browser.

Full name

Comment (optional)

Private key passphrase (optional)

Without a passphrase, anyone with access to the private key file can impersonate you. We strongly recommend setting one.

Curve / algorithm

Key expiration

Everything runs locally. The private key never leaves your browser.

What is a PGP key and why do you need one?

PGP is the standard you still use today to protect private email (ProtonMail), to sign Git commits on GitHub, and to verify the authenticity of software (Linux kernel, Ubuntu, signed package releases). You generate a keypair: a public key (you hand out to everyone) and a private key (you keep to yourself). Anyone can encrypt a message for you using your public key, but only you can read it.

Here you generate the pair right in your browser. Pick Ed25519 (the modern, fast elliptic curve) or classic RSA-2048/4096 (compatibility with any legacy tool). Keys come out in ASCII "armored" format, so you can paste them straight into Gmail, GitHub, or Keybase.

Everything runs in your browser. The private key never leaves your device. That is the core rule of PGP, only you know the private key.

How to use

Enter your name and email, those fields are embedded into the public key as the "User ID".
Optionally enter a comment (e.g. "GitHub", "work", "personal") if you keep several keys for different purposes.
Passphrase for the private key: strongly recommended. Without it, anyone with file access can sign commits in your name.
Pick the curve: Ed25519 for modern use (GitHub, ProtonMail), RSA-2048 for legacy systems, RSA-4096 when you want the largest safety margin (generation takes a few seconds).
Pick the expiration: 1, 2, 5 years or never. Shorter expiration is better practice; the key can be rotated or revoked.
Click Generate. You get a public key, a private key, the fingerprint (short identifier) and the key ID.

When to use it

Six common situations where a PGP key solves the problem:

Encrypting email in ProtonMail/Tutanota/Thunderbird. Exchange public keys with a friend; from then on you both can encrypt for each other.
Signing Git commits on GitHub. Add the public key to your account, commits get a green "Verified" badge.
Verifying a Linux package signature. The PGP signature proves the package comes from the original author (apt-get, pacman).
Identity on Keybase, ProtonMail key server, GitHub. Your public key is your cryptographic identity.
Backing up a password or API key. Encrypt the file with your own public key, you can even push it to a public repo safely.
Anonymous whistleblowing. Journalists and organizations (Wikileaks, ProPublica) publish their public key so sources can submit documents safely.

To encrypt text without keys (just a password), use AES encryption. For JWT signing see the JWT signer/verifier.

Questions and answers

Ed25519 is the modern default. Smaller keys (256-bit vs RSA-4096), faster generation (milliseconds vs seconds), still strong. Pick RSA only if you must support some legacy system that does not understand Ed25519 (rare in 2025). GitHub, GPG 2.1+, ProtonMail all accept Ed25519.

Related tools

JWT Keypair Generator

Generate a JWT signing keypair: RS256/RS384/RS512, PS256, ES256/ES384/ES512 or EdDSA. PEM + JWK + sample signed JWT. Server-side, never stored.

CSR Generator

Generate a CSR (Certificate Signing Request) and matching private key in your browser. RSA, ECDSA, SANs, PEM.

AES Encrypt / Decrypt

Encrypt text with a password (AES-GCM 256). Runs in your browser, nothing leaves the device.

DKIM Keypair Generator

Generate an RSA DKIM keypair and a paste-ready DNS TXT record. 1024 / 2048 / 4096-bit, server-side, never stored.

JWT Signer / Verifier

Sign a JWT with a secret or private key. Verify an existing token. HS/RS/ES/PS 256/384/512.

Full name

Generate an OpenPGP keypair (Ed25519 or RSA) right in your browser. Armored ASCII format, ready to import.

LiveRuns in your browser

PGP keypair generator

Generate an OpenPGP keypair for encrypting email, signing Git commits and verifying software. All math runs in your browser.

Full name

Comment (optional)

Private key passphrase (optional)

Without a passphrase, anyone with access to the private key file can impersonate you. We strongly recommend setting one.

Curve / algorithm

Key expiration

Everything runs locally. The private key never leaves your browser.

What is a PGP key and why do you need one?

Everything runs in your browser. The private key never leaves your device. That is the core rule of PGP, only you know the private key.

How to use

Enter your name and email, those fields are embedded into the public key as the "User ID".
Optionally enter a comment (e.g. "GitHub", "work", "personal") if you keep several keys for different purposes.
Passphrase for the private key: strongly recommended. Without it, anyone with file access can sign commits in your name.
Pick the curve: Ed25519 for modern use (GitHub, ProtonMail), RSA-2048 for legacy systems, RSA-4096 when you want the largest safety margin (generation takes a few seconds).
Pick the expiration: 1, 2, 5 years or never. Shorter expiration is better practice; the key can be rotated or revoked.
Click Generate. You get a public key, a private key, the fingerprint (short identifier) and the key ID.

When to use it

Six common situations where a PGP key solves the problem:

Encrypting email in ProtonMail/Tutanota/Thunderbird. Exchange public keys with a friend; from then on you both can encrypt for each other.
Signing Git commits on GitHub. Add the public key to your account, commits get a green "Verified" badge.
Verifying a Linux package signature. The PGP signature proves the package comes from the original author (apt-get, pacman).
Identity on Keybase, ProtonMail key server, GitHub. Your public key is your cryptographic identity.
Backing up a password or API key. Encrypt the file with your own public key, you can even push it to a public repo safely.
Anonymous whistleblowing. Journalists and organizations (Wikileaks, ProPublica) publish their public key so sources can submit documents safely.

To encrypt text without keys (just a password), use AES encryption. For JWT signing see the JWT signer/verifier.