An Introduction to OnlyKey WebCrypt

In *, Confidentiality, Encryption, OnlyKey, Product News, Research by [email protected]

UPDATE 01/27/21 – WebCrypt 3.0 has been released with many improvements including now supporting file encryption, multiple recipients, and ProtonMail support. Try WebCrypt 3.0 out here.

We are building OnlyKey WebCrypt, a first of its kind web application to allow on-the-go encryption using OnlyKey. To understand why we are building this it makes sense to look at how this is different from everything else currently available.

Current solutions for sending encrypted messages typically fall into one of three categories.

1) Web based with *private key stored in the cloud or browser.

    Examples: Protonmail,, Mailvelope

2) App based with *private key stored on the device

    Examples: Signal, WhatsApp, Telegram, Keybase App

3) Software based with *private key stored offline (smartcard or token with openpgpcard)

    Examples: GnuPG, Thunderbird, Apple Mail / GPGTools

*A private key is essentially what is needed to view encrypted messages sent to you and to sign messages saying they are from you. If this key is compromised a hacker can send messages that appear to be from you and view all of your encrypted messages (Game over).

Compare current options:

For our definition of security level keep in mind that we are comparing secure encryption solutions so even the ones that fit the low classification are still in many cases more secure than things like Facebook Messenger, Slack, iMessage, or other solutions where a 3rd party has access to your private key.

Why is something new needed?

If you have ever tried to use PGP you would probably not describe the experience as convenient. If it’s convenient, you are probably using an app or web based solution. If it’s really secure you are probably using a hardware based token and it’s a hassle to set up or use on-the-go.

How OnlyKey is different from other smart cards/hardware tokens?

Unlike other smart cards and tokens OnlyKey utilizes the FIDO2 protocol to allow support on any browser that supports this. OnlyKey is currently the only device that supports this implementation, we created our own api here. This provides the same security benefits of a smart card or hardware token but it works right in the browser.

In addition to not being complicated like smart cards and tokens, Onlykey also has additional security benefits. Instead of unlocking the device by typing a pin code on the keyboard where it can be intercepted, the OnlyKey pin code is entered on the device itself, offline. For messages, OnlyKey requires a confirmation code to be entered on the device that is unique to the request. So unlike smart cards and tokens, if OnlyKey is left plugged into a compromised computer, it cannot be used without user consent and even malicious apps may be mitigated.

For example, if a user has a smart card they typically enter a PIN every few minutes or hours as they are working to unlock the smart card. During that time malicious apps can sign and decrypt using the unlocked smart card the same as legitimate apps. With OnlyKey requiring a confirmation code this is not possible, and even if there is a malicious app the confirmation code will be different than the code from the legitimate app. If the confirmation fails and the user is entering the correct code it is a big red flag that something is wrong. 

See it in action

Securely encrypt messages anywhere with OnlyKey WebCrypt

Securely decrypt messages anywhere with OnlyKey WebCrypt

WebCrypt site here

If you need local encryption not in the browser see OnlyKey GPG Agent