PGP Key Generator

Generate OpenPGP (GPG) key pairs, export ASCII-armored public/private keys, and optionally create a revocation certificate—secure and copy-ready.

Encrypting Entropy...

This may take a few seconds for high-bit RSA keys.

Engine Settings

Identity

Security Profile

Passphrase Protection

None

Persistence

Export Private Key

Generate Revocation Cert

ASCII Armored Output

Recent Session History

Specify identity and click generate to begin.

Security Warning: Never share your private key. Store it in a secure password manager or hardware security module.

How it works

Our generator uses a transient, sandboxed GnuPG environment. Keys are generated using server-side entropy and streamed back to you. We do not store any keys; once the session is closed, the temporary keyring is cryptographically wiped from our memory.

Copied to clipboard

About PGP Key Generator

PGP Key Generator: Create OpenPGP Key Pairs Instantly

Generating cryptographic keys should not require an encyclopedic knowledge of terminal commands. Whether you are setting up encrypted email, preparing to sign Git commits, or building a secure identity profile, this PGP Key Generator creates standards-compliant OpenPGP key pairs directly from your browser.

For decades, Pretty Good Privacy (PGP) and its open-source equivalent, GnuPG (GPG), have been the absolute gold standard for digital communication security. They rely on asymmetric cryptography—a system where you hold a secret private key to decrypt messages or sign documents, and you distribute a mathematical public key to the world so people can verify your identity or send you secure files. But the reality is, the standard command-line tools used to generate these keys are incredibly intimidating for newcomers and overly tedious for busy professionals who just need a quick testing key for a CI/CD pipeline.

And here is the deal: skipping security because the tools are hard to use is no longer an option. We built this utility to bridge the gap. Operating on a real, isolated server-side GnuPG engine, this tool provides a graphical interface to construct your primary User ID, select modern algorithms like Ed25519 or legacy RSA, apply custom passphrases, and instantly export fully formatted, ASCII-armored key blocks. You get the robust security architecture of GPG without wrestling with the command prompt.

How the PGP Key Generator Works

We have streamlined the complex process of key generation into a linear, easy-to-follow workflow. Everything you need to configure your identity, security parameters, and export preferences is visible on one screen.

Step 1: Define your Identity. Start in the "Identity" section. Enter your real Name and Email address. Optionally, add a Comment (like "Work Key" or "Personal") to help differentiate this key from others you might generate. The tool automatically builds your standard OpenPGP User ID in real-time.
Step 2: Enable Pro Mode for Extra UIDs (Optional). If you use multiple email addresses (e.g., a personal email and a corporate email) but want to manage them under a single master key, toggle the "Pro mode" switch. This reveals the "Advanced UIDs" text area where you can add up to 5 secondary identities.
Step 3: Choose your Crypto Algorithm. In the "Crypto settings" panel, pick your Algorithm. You can choose the modern, highly efficient Ed25519 (recommended) or the classic RSA. If you select RSA, you must also define your RSA key size—3072 bits is the current standard, but 4096 bits is available for maximum legacy security.
Step 4: Set the Expiration Date. Keys should not live forever. Under "Expiry", choose whether the key expires in days, months, or years, and enter a value. If you want a permanent key, select "Never expires", though we highly recommend setting an expiry to limit the blast radius if you ever lose your private key.
Step 5: Apply a Passphrase and Generate. In the "Protection" section, type a strong passphrase to encrypt your private key locally on disk. Ensure the strength meter turns green. Leave the "ASCII armor" checkbox checked, and click Generate (or press Ctrl/⌘ + Enter). Your keys will be processed in an isolated GNUPGHOME workspace and output immediately.

Pro Tip: Do not skip the passphrase! If you export an unprotected private key, anyone who gains access to that text file can perfectly impersonate you or read your encrypted mail. Always aim for a passphrase of 12 characters or more.

Ed25519 vs. RSA: Choosing the Right Algorithm

One of the most confusing parts of generating a PGP key is knowing which mathematical algorithm to pick. Our tool offers two primary paths. Understanding the difference is crucial for ensuring your keys are both secure and compatible with your target software.

Ed25519 (The Modern Default)

Ed25519 is an elliptic curve signature scheme. It is the modern gold standard for cryptographic keys. Why? Because it offers incredibly high security while maintaining a tiny footprint. An Ed25519 key is vastly shorter than an RSA key, making it faster to generate, faster to encrypt/decrypt, and much easier to store on hardware tokens like YubiKeys. If you are generating a new key today for modern software, Git signing, or current email clients, choose Ed25519.

RSA 2048 / 3072 / 4096 (The Legacy Workhorse)

RSA (Rivest–Shamir–Adleman) is the oldest and most widely supported asymmetric algorithm in existence. While it is mathematically bulkier and slower than elliptic curves, it has near-universal compatibility. If you need to communicate with someone using an email client from 2012, or you are integrating with legacy enterprise mainframes that do not understand elliptic curves, RSA is your safest bet. We default RSA to 3072 bits, which strikes the perfect balance between unbreakable security and acceptable performance, though 4096 bits is available for paranoid threat models.

Key Features of the PGP Key Generator

We built this tool to replicate the exact functionality of the command line, wrapped in an interface that prevents common formatting mistakes.

1. True Server-Side GnuPG Engine

Unlike purely JavaScript-based generators that might rely on outdated or unmaintained crypto libraries, our tool hooks directly into a real GnuPG (`gpg`) binary on the backend. When you click generate, the system spins up an isolated, temporary `GNUPGHOME` directory, executes the key generation securely, and immediately destroys the workspace after extracting your ASCII-armored text. You get genuine, standards-compliant OpenPGP blocks.

2. Automated Revocation Certificates

Losing your private key or having it stolen is a nightmare scenario. Without a revocation certificate, you have no cryptographic way to tell the world, "Hey, do not trust this key anymore!" Our tool automatically generates a revocation certificate by default alongside your public and private keys. You can download this specific block and store it somewhere incredibly safe (like a printed piece of paper in a safe).

3. Multi-UID Support via Pro Mode

A single PGP key can represent multiple identities. For example, you might want your primary key tied to `[email protected]`, but also want it to validate signatures for `[email protected]`. By enabling Pro mode, you can inject up to 5 extra User IDs into the key generation process. The GPG engine will bind all of these identities to the single master key pair.

4. Rich Metadata Extraction

Once your key is generated, you do not just get a wall of gibberish text. The "Details" tab parses the generated key and displays critical metadata. You will immediately see your 40-character Fingerprint, your short Key ID, the exact creation timestamp, and the explicit expiration date. This makes it incredibly easy to verify the key generated exactly as you intended before you start distributing it.

5. One-Click Bundled Exports

Managing multiple text files for a single key pair is annoying. Our interface includes a robust toolbar that lets you interact with your generated data effortlessly. You can click "Copy tab" to grab just the active key, or use the "Download bundle" button. The bundle feature combines your public key, encrypted private key, and revocation certificate into a single, clearly labeled text file for easy archival into a secure password manager.

Who Uses This Tool? (Real-World Use Cases)

PGP keys are the backbone of digital trust. From software engineering to journalism, here is how professionals utilize our generator.

Software Developers Cryptographic Git Commits: Platforms like GitHub and GitLab allow developers to upload a PGP public key. When a developer signs their local commit with their private key, the platform displays a green "Verified" badge, proving the code was not tampered with or pushed by an imposter.
Journalists & Whistleblowers Secure Communication: Investigative journalists publish their public PGP keys on their Twitter profiles or websites. Sources can use that public key to encrypt sensitive documents before emailing them. Only the journalist, holding the generated private key, can decrypt the payload.
DevOps Engineers Package Signing & Verification: When releasing software packages (like `.deb`, `.rpm`, or Docker images), release engineers use a PGP private key to sign the binaries. End-users use the corresponding public key to verify that the software was not modified by a malicious middleman.
Privacy Advocates Encrypted Data Archival: Users who want to store highly sensitive files (like tax returns or seed phrases) in the cloud utilize a PGP key pair. They encrypt the file locally against their own public key, ensuring that even if the cloud provider is breached, the data remains unreadable without the passphrase-protected private key.
IT Administrators Automated CI/CD Testing: Setting up deployment pipelines often requires testing PGP decryption routines. Rather than tying up their personal, high-security keys, administrators use this web tool to rapidly generate disposable, short-lived RSA keys strictly for integration testing environments.

When to Use PGP Key Generator vs. Alternatives

How does an online generator compare to local terminal commands or dedicated desktop clients? Here is a breakdown of the trade-offs.

Feature / Scenario	Our PGP Key Generator	GnuPG Command Line (CLI)	Desktop GUI (e.g., Kleopatra)
Ease of Use	Incredibly high. Form-based, instant visual feedback.	Steep learning curve. Requires memorizing flag syntax.	Moderate. Requires software installation and OS integration.
Setup Speed	Instant. Works in any modern browser immediately.	Requires installing GnuPG and configuring environment variables.	Requires downloading and configuring a heavy desktop suite.
Revocation Handling	Generated automatically and output in a separate, easy tab.	Requires running a separate `--gen-revoke` command later.	Usually handles it well, but varies by specific client version.
Testing & Disposability	Perfect for quick, disposable keys for CI/CD or temporary use.	Clutters your local keyring; requires manual cleanup.	Clutters local keyring; annoying to delete cleanly.
Maximum Paranoid Security	Not recommended for nation-state threat models (runs in cloud).	The absolute gold standard (when run on an air-gapped machine).	Highly secure, as private key never leaves your local hardware.

Tips for Getting the Best Results

Generating the key is only the first step. Proper key management is what actually keeps your data secure. Follow these rules to protect your cryptographic identity.

Understand ASCII Armor

By default, cryptographic keys are raw binary data, which breaks if you try to copy and paste it into an email or text editor. The "ASCII armor" setting (which produces the `-----BEGIN PGP...` block) converts this binary data into safe, printable text. Always leave ASCII armor enabled unless a specific piece of legacy software demands a raw `.gpg` binary file.

Isolate Your Revocation Certificate

Do not store your revocation certificate in the exact same folder as your private key. If an attacker breaches your machine and steals your key, they will also delete the revocation cert to prevent you from warning the public. Print the revocation certificate on physical paper, or store it offline on a USB drive locked in a drawer.

Use Passphrase Managers

A private key is useless to an attacker if they cannot guess the passphrase used to encrypt it. Do not use a short, memorable word. Use a password manager (like Bitwarden or 1Password) to generate a random 20+ character passphrase, and paste it into the tool before generating.

Always Verify Fingerprints Out-of-Band

When you give someone your public key, the only way they know it belongs to you (and not a hacker who intercepted the email) is by checking the Fingerprint. Call the person on the phone or text them via a secure messenger like Signal, and read the 40-character fingerprint aloud. If it matches what they imported, the connection is trusted.

Frequently Asked Questions (FAQ)

A PGP key pair consists of two mathematically linked keys. The Public Key acts like a padlock; you share this freely with the world. Anyone can use it to encrypt a message meant only for you, or use it to verify a signature you created. The Private Key (or secret key) acts like the physical key to that padlock. You must keep it fiercely guarded and never share it. It is used to decrypt messages sent to you, and to digitally sign files to prove you authored them.

It depends entirely on your threat model. Our tool generates keys in a strictly isolated, temporary server environment that is immediately destroyed. It is highly secure and perfect for low-to-medium risk scenarios: learning PGP, testing API integrations, setting up automated CI/CD pipelines, or standard encrypted emails. However, if you are a journalist protecting whistleblowers or managing high-value cryptocurrency, your threat model demands absolute paranoia. In those cases, you should generate keys locally on an offline, air-gapped computer using command-line GnuPG.

When an OpenPGP key passes its expiration date, compatible software (like Thunderbird or GPG) will refuse to use it to encrypt new messages to you. However, you will still be able to use your private key to decrypt old messages that were sent before the expiration. Expiry is a safety net; if you lose your key and forget to revoke it, it will eventually stop working on its own. You can always use your private key to "extend" the expiration date later if you still control it.

Once generated, download the "bundle" or copy the text blocks. You will need to import them into a PGP client on your local computer. If you use Linux or macOS, you can save the private block to a file (`key.asc`) and run `gpg --import key.asc` in your terminal. For Windows, you can paste the text blocks directly into the Kleopatra certificate manager. Once imported, you can configure your email client (like Enigmail or ProtonMail) to use them.

A PGP fingerprint is a cryptographic hash—a unique 40-character hexadecimal string—that mathematically represents your massive public key block. Because public keys are hundreds of lines long, they are impossible for humans to compare visually. Instead, humans compare fingerprints. If the fingerprint matches, you can be 100% mathematically certain that the underlying public key is exactly the same and has not been tampered with.

Absolutely not. The encryption algorithms used (like AES or Camellia) to protect the private key block are computationally unbreakable. Because we do not store your keys, logs, or passphrases on our servers, there is zero recovery mechanism. If you lose your passphrase, the private key is permanently useless. You will need to import your Revocation Certificate to inform the world the key is dead, and generate a brand new one.

Why Choose Our PGP Key Generator?

Navigating the world of asymmetric cryptography is fundamentally challenging. The underlying math is complex, and the standard tooling was built decades ago for system administrators, not everyday users. Yet, as digital privacy becomes increasingly critical, the need for robust OpenPGP keys extends far beyond the server room.

By combining the raw power of the native GnuPG engine with an intuitive, error-preventing interface, our PGP Key Generator removes the barrier to entry. Whether you need a secure Ed25519 identity for GitHub commits or a legacy RSA 4096 key for an enterprise mail server, you can configure, generate, and deploy your keys in seconds. Stop fighting with terminal syntax and start securing your communications today.