PGP Key Generator

About This Tool

🔐 PGP Key Generator – Create OpenPGP Key Pairs Online

Pretty Good Privacy (PGP) is the gold standard for end-to-end encrypted communication. Whether you are securing emails, signing Git commits, encrypting files, or setting up GPG-based workflows, every secure interaction begins with a key pair. This tool generates fully standard OpenPGP-compatible public/private key pairs in your browser using the trusted OpenPGP.js library — no software installation, no server contact, no data ever transmitted.

🛡️ How PGP Key Pairs Work

A PGP key pair consists of two mathematically linked keys:

🔓 Public Key

Share this freely. Others use it to encrypt messages that only you can read, or to verify signatures you produce. It starts with -----BEGIN PGP PUBLIC KEY BLOCK-----.

🔒 Private Key

Keep this secret — always. You use it to decrypt messages encrypted to you and to digitally sign data. It starts with -----BEGIN PGP PRIVATE KEY BLOCK-----.

⚙️ Choosing the Right Algorithm

The generator supports three algorithm families:

ECC – Curve25519 (Ed25519 + X25519) ⭐ Recommended

The modern standard used by ProtonMail, Keybase, and modern GPG defaults. Generates in milliseconds, produces compact keys (~400 bytes), and delivers security equivalent to RSA-3072. If in doubt, choose this option.

ECC – NIST Curves (P-256, P-384, P-521)

FIPS-certified curves used in corporate and government environments requiring NIST compliance. P-256 is roughly equivalent to RSA-3072 security. Choose these when FIPS 186-4 compliance is required.

RSA (2048 – 8192 bits)

The legacy standard with the widest compatibility. RSA 4096 is a safe choice for systems that do not support ECC. RSA 2048 is the minimum acceptable size. RSA 8192 can take 10–30 seconds to generate and offers negligible security gains over RSA 4096.

🔑 Passphrase Protection

A passphrase encrypts your private key using AES-256 with salted, iterated S2K (String-to-Key) derivation. This means even if someone steals your private key file, they cannot use it without the passphrase. Best practices:

  • Use at least 12 characters combining uppercase, lowercase, numbers, and symbols.
  • Consider using a passphrase (multiple words) rather than a single complex password.
  • Store your passphrase in a reputable password manager.
  • Never share your passphrase — unlike a key revocation certificate, a compromised passphrase cannot be undone without rotating the entire key pair.
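The salted, iterated S2K derivation mentioned above, written out as an added example (not code from this tool or from OpenPGP.js). It follows RFC 4880 section 3.7.1.3 and runs under Node.js; the function names and the sample specifier are constructed for illustration.

```javascript
const { createHash } = require('node:crypto');

// OpenPGP hash algorithm IDs (RFC 4880 section 9.4) mapped to Node digest names.
const S2K_HASHES = { 2: 'sha1', 8: 'sha256', 10: 'sha512' };

// Decode the one-octet "coded count" into the number of octets to hash.
function decodeS2kCount(c) {
  return (16 + (c & 15)) << ((c >> 4) + 6);
}

// Parse an iterated+salted S2K specifier: type 3, hash ID, 8-octet salt, count.
function parseS2kSpecifier(bytes) {
  if (bytes.length !== 11 || bytes[0] !== 3) throw new Error('not an iterated+salted S2K');
  const hash = S2K_HASHES[bytes[1]];
  if (!hash) throw new Error('unsupported hash id ' + bytes[1]);
  return { hash, salt: bytes.subarray(2, 10), octets: decodeS2kCount(bytes[10]) };
}

// Derive keyLen octets: hash salt||passphrase over and over until `octets`
// octets have been fed in. Keys longer than one digest use extra hash contexts.
function deriveS2kKey(passphrase, spec, keyLen) {
  const unit = Buffer.concat([spec.salt, Buffer.from(passphrase, 'utf8')]);
  const total = Math.max(spec.octets, unit.length); // always hash one full copy
  const parts = [];
  for (let ctx = 0, have = 0; have < keyLen; ctx++) {
    const h = createHash(spec.hash);
    h.update(Buffer.alloc(ctx)); // context n is preloaded with n zero octets
    let fed = 0;
    while (fed + unit.length <= total) { h.update(unit); fed += unit.length; }
    h.update(unit.subarray(0, total - fed)); // final partial copy, may be empty
    const digest = h.digest();
    parts.push(digest);
    have += digest.length;
  }
  return Buffer.concat(parts).subarray(0, keyLen);
}

// Constructed sample specifier: SHA-256, salt 00..07, coded count 0x60.
const SAMPLE_SPEC = parseS2kSpecifier(Buffer.from('03080001020304050607' + '60', 'hex'));
console.log(SAMPLE_SPEC.octets, deriveS2kKey('correct horse', SAMPLE_SPEC, 32).toString('hex'));
```

The coded count only sets how many octets are hashed per guess, so a short passphrase stays guessable whatever the count is.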

📅 Key Expiry Date

Setting an expiry date is a security best practice. An expired key signals to recipients that they should seek a fresh key or new communication channel. It limits the blast radius if your key is lost or compromised and you forget to publish a revocation certificate. You can always extend the expiry date later using GnuPG without generating a new key.

📋 Using Your Generated Keys

After generating your keys, you can download the ASCII-armored .asc files and import them into your local GPG keyring:

# Import public key
gpg --import my_key_public.asc

# Import private key
gpg --import my_key_private.asc

# List imported keys
gpg --list-keys

Your public key can be shared via email, uploaded to a public keyserver (keys.openpgp.org), or added to your GitHub profile for signed commit verification. The private key should remain on trusted, encrypted storage only.

🔍 Fingerprint and Key ID

The fingerprint is a 40-character hexadecimal SHA-1 hash of the public key packet. It uniquely identifies your key pair and can be safely shared to verify you are exchanging keys with the right person. The Key ID is the last 8 or 16 characters of the fingerprint — a shorter, less unique reference used in some GPG commands. Always verify a full fingerprint out-of-band (by phone, in person) when establishing a trust relationship.
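How the 40-character fingerprint and the Key IDs are derived from a v4 public key packet, as an added example (not code from this tool or from OpenPGP.js). It runs under Node.js; the function names are hypothetical and the key bytes are constructed sample data, not a real key.

```javascript
const { createHash } = require('node:crypto');

// Build a v4 public-key packet body (RFC 4880 section 5.5.2) for a legacy
// Ed25519 key: version, creation time, algorithm ID, curve OID, key as an MPI.
function buildEd25519Body(createdUnix, publicKey32) {
  const head = Buffer.alloc(6);
  head.writeUInt8(4, 0);              // packet version 4
  head.writeUInt32BE(createdUnix, 1); // key creation time
  head.writeUInt8(22, 5);             // public-key algorithm 22 (EdDSA)
  const oid = Buffer.from('092b06010401da470f01', 'hex'); // length octet + Ed25519 OID
  const mpiHead = Buffer.from('010740', 'hex');           // 263-bit MPI, 0x40 prefix
  return Buffer.concat([head, oid, mpiHead, publicKey32]);
}

// v4 fingerprint: SHA-1 over 0x99, a two-octet body length, then the body.
function fingerprintV4(body) {
  const prefix = Buffer.from([0x99, body.length >> 8, body.length & 0xff]);
  return createHash('sha1').update(prefix).update(body).digest('hex').toUpperCase();
}

// Key IDs are suffixes of the fingerprint, so they carry far fewer bits.
function keyIds(fingerprint) {
  return { long: fingerprint.slice(-16), short: fingerprint.slice(-8) };
}

// Out-of-band check: accept only a full 40-hex-digit fingerprint, never a key ID.
function matchesFingerprint(claimed, body) {
  const norm = claimed.replace(/\s+/g, '').toUpperCase();
  if (!/^[0-9A-F]{40}$/.test(norm)) return false;
  return norm === fingerprintV4(body);
}

// Constructed sample: 32 octets of 0x11 stand in for a real public key.
const SAMPLE_BODY = buildEd25519Body(1700000000, Buffer.alloc(32, 0x11));
const SAMPLE_FP = fingerprintV4(SAMPLE_BODY);
console.log(SAMPLE_FP.match(/.{4}/g).join(' '), keyIds(SAMPLE_FP));
```

Because the creation time is part of the hashed packet, the same key material re-imported with a different timestamp has a different fingerprint.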

🔒 Privacy and Security

All key generation happens entirely in your browser using OpenPGP.js and browser-native WebCrypto APIs. No keys, passphrases, names, or email addresses are transmitted to any server. The page contains no analytics trackers that could intercept key material. For maximum security — especially for high-value keys — consider generating keys on an air-gapped machine using GnuPG directly.

Frequently Asked Questions

Is the PGP Key Generator free?

Yes, PGP Key Generator is totally free :)

Can I use the PGP Key Generator offline?

Yes, you can install the web app as a PWA.

Is it safe to use PGP Key Generator?

Yes, any data related to PGP Key Generator is stored only in your browser (if storage is required). You can simply clear the browser cache to remove all stored data. We do not store any data on the server.

How does this PGP Key Generator work?

This tool uses the OpenPGP.js library (v6) to generate OpenPGP-compatible key pairs entirely in your browser. You choose an algorithm (RSA or ECC), provide your name and email, optionally set a passphrase and expiry date, then click Generate. All cryptographic operations run client-side — no key material ever leaves your device.

Which algorithm should I choose: RSA or ECC?

ECC (Ed25519 / Curve25519) is the modern recommended choice — it produces compact keys, generates instantly, and offers strong security (equivalent to RSA-3072). RSA 4096 is the safe legacy choice with the widest compatibility across older GPG versions and email clients. For new setups, ECC Curve25519 is best.

What key size should I use for RSA?

RSA 3072 or 4096 bits is recommended for production use. 2048-bit keys are the absolute minimum and are becoming outdated. 8192-bit keys offer marginal security gains but take significantly longer to generate (10–30 seconds) and are not needed for most use cases. Avoid RSA 1024 entirely — it is considered broken.

Should I set a passphrase on my private key?

Yes, setting a strong passphrase is highly recommended. The passphrase encrypts your private key using AES-256 with S2K derivation, so even if your key file is stolen, the attacker cannot use it without the passphrase. Choose at least 12 characters mixing letters, numbers, and symbols.

What is the key expiry date and should I set one?

The expiry date is an optional timestamp embedded in the key that tells recipients when the key should no longer be trusted for new communications. Setting an expiry (e.g., 2 years) is a security best practice — it limits the blast radius if your key is compromised and you forget to revoke it. You can always extend the expiry later.

Is it safe to generate PGP keys in a browser?

Yes — all cryptographic operations run locally using OpenPGP.js and browser-native WebCrypto APIs. No key material, passphrase, or personal data is sent to any server. However, as a general best practice, avoid using browser-generated keys for classified or critical infrastructure. For maximum security, generate keys on an air-gapped machine using GnuPG.