You know that sinking feeling. You need to send sensitive information—a vulnerability report, a contract, a private message. Your brain goes: “I should encrypt this.” Then you remember the horror of PGP. The key generation. The fingerprint verification. The command-line incantations. The GPG agent that randomly breaks. The contact you accidentally signed with the wrong key.
So you sigh and send it plaintext. Because even though you know better, the friction of doing it right is higher than the risk of doing it wrong. And that’s not a failure of will. It’s a failure of design.
I’ve been that person. I do vulnerability research with sensitive data. I hate the CLI—not because it’s hard, but because it’s needless gatekeeping. So I built something that shouldn’t be revolutionary but is: a Chrome extension that makes PGP actually usable.
Let’s be honest: the command-line interface is not a security feature. It’s a moat that keeps encryption out of the hands of the people who need it most. The industry has spent decades polishing GPG’s cryptographic guarantees while ignoring its UX rot. And the result? Most encrypted emails are never read. Most PGP keys are never used.
My extension flips the script. It uses browser-native passkeys (or passwords) to encrypt all your keys—public and private—at rest. Your contact list doesn’t leak. Your private key stays locked. And the whole thing lives in your browser, where you already live. No terminal. No trust-the-process. Just click, encrypt, send.
Of course, the purists will scream: “But browser extensions are insecure! Sandboxing! JavaScript!” And they’re right—in theory. But here’s the twist: the best encryption is the one people actually use. A theoretically perfect system that nobody deploys is worse than a pragmatic system that protects real data. Your PGP setup on a disconnected laptop in a Faraday cage? Beautiful. Also useless when you’re on a plane and need to send a report.
This isn’t just about convenience. It’s about the real-world security equation. If a tool requires a PhD in cryptography and a Linux terminal, it will be bypassed. The moment you make encryption as easy as clicking a button, you’ve won more security than any algorithm ever could.
I made this extension because I was tired of the lie we tell ourselves: that CLI PGP is the gold standard. It’s not. It’s a gatekeeper. And gatekeepers don’t protect—they exclude. If your encryption tool requires a manual, it’s not a tool; it’s a test.
So here’s the takeaway: next time you hear someone sermonize about “real security” on the command line, ask them how many people they’ve actually helped encrypt a message. The answer will tell you everything. The future of encryption isn’t more complex—it’s so invisible you forget it’s there.
FAQ
Q: Isn't a browser extension less secure than a local CLI tool?
A: Yes, in the abstract. But the real-world threat model matters more. A CLI tool that nobody uses protects zero data. This extension encrypts keys at rest with passkeys, uses browser sandboxing, and makes encryption accessible. The trade-off is worth it for the 99% of people who would otherwise send plaintext.
Q: What's the practical implication for someone who already uses PGP via CLI?
A: If your workflow is already solid, stick with it. But realize that your approach is not scalable. For teams, for occasional users, for anyone who doesn't live in a terminal, this extension lowers the barrier to entry. The practical implication: encryption can finally reach the masses without sacrificing core security.
Q: What's the contrarian take?
A: The obsessive focus on 'hardware air-gapped keys' and 'perfect forward secrecy' is actually harming security. It creates an elitist culture where only the technically privileged can participate. The contrarian truth: a browser extension that gets used by millions is far more secure than a CLI tool that gets used by dozens.