An Introduction to OnlyKey WebCrypt


As part of OnlyKey Quantum we are building OnlyKey WebCrypt, a first-of-its-kind web application that allows on-the-go encryption using OnlyKey. To understand why we are building it, it helps to look at how it differs from everything else currently available.

Current solutions for sending encrypted messages typically fall into one of three categories.

1) Web based with *private key stored in the cloud or browser.

    Examples: Protonmail, keybase.io, Mailvelope

2) App based with *private key stored on the device

    Examples: Signal, WhatsApp, Telegram, Keybase App

3) Software based with *private key stored offline (smartcard or token with openpgpcard)

    Examples: GnuPG, Thunderbird, Apple Mail / GPGTools

*A private key is essentially what is needed to view encrypted messages sent to you and to sign messages saying they are from you. If this key is compromised, a hacker can send messages that appear to be from you and view all of your encrypted messages (game over).

Here is how we define security:

For our definition of security, keep in mind that we are comparing secure encryption solutions, so even the ones that fit the low classification are still more secure than things like Facebook Messenger, Slack, iMessage, or other solutions where a 3rd party has access to your private key.

Why is something new needed?

If you have ever tried to communicate securely online you would probably not describe the experience as convenient. So far, no other solution works practically everywhere or with everything. If it’s convenient, you are probably using an app or web based solution and it may not be as secure as you think (see Medium and Low security). If it’s really secure you are probably using a smart card or token and it’s a hassle to set up or use on-the-go.

Why we built OnlyKey WebCrypt

TL;DR – OnlyKey is a high-security device that does not require a complicated software install (as all other high-security devices do), making it available to non-technical users as well as being powerful enough for technical users.

To set up a typical smart card or token, multiple software installations / drivers are required, and commands must be typed into a terminal to get it working. For an example of this, see the steps required to set up a popular token to encrypt emails with Apple Mail here. It works if you have technical skills and are proficient with the command line / terminal.

How is OnlyKey different from other smart cards/tokens?

Unlike other smart cards and tokens, OnlyKey utilizes the U2F protocol to allow support on any browser that supports U2F. OnlyKey is currently the only device that supports this implementation; we created our own API here. This provides the same security benefits as a smart card or token without the hassle.

In addition to not being complicated like smart cards and tokens, OnlyKey also has additional security benefits. Instead of the device being unlocked by typing a PIN code on the keyboard, where it can be intercepted, the OnlyKey PIN code is entered on the device itself, offline. For messages, OnlyKey requires a confirmation code to be entered on the device. So unlike smart cards and tokens, if OnlyKey is left plugged into a compromised computer, the messages are secure. This user presence prevents hackers, intelligence agencies or malware from accessing encrypted messages or impersonating a user.

We have created the first device to provide high convenience and high security. Your key is stored in inaccessible offline storage, and you can use your OnlyKey to send encrypted messages in the browser with no software to install. It works practically everywhere.

See it in action

Securely encrypt messages anywhere with OnlyKey WebCrypt

Securely decrypt messages anywhere with OnlyKey WebCrypt

Proof of concept site here