Documentation.

Step-by-step guides for the most common PGPony workflows. Looking for shorter answers? Try the FAQ first.

// guide 01

Generate your first key pair.

A key pair is what makes PGP work. You'll need one before you can encrypt or decrypt anything. This takes about 30 seconds.

  1. Open PGPony and tap the Keyring tab at the bottom.
  2. Tap the + button in the upper-right corner. The "New Key" sheet appears.
  3. Enter your name and email address. These get embedded in the public key so others can identify you. Use whatever name and email you want associated with your encrypted communications — it doesn't have to be your real legal name.
  4. Choose an algorithm. The default — Ed25519 + Cv25519 — is the modern recommended choice. Pick RSA 4096 only if you know you need to interoperate with older tools.
  5. Set a passphrase (recommended). The passphrase encrypts your private key on disk. Without it, anyone with file-system access to your device could use the key. With it, even a stolen unlocked phone can't decrypt with your key.
  6. Tap Generate. The key appears in your keyring immediately.

Important: the passphrase is not recoverable. There is no reset, no email-me-a-link, no security questions. Write it down or store it in a password manager before you forget it.

// guide 02

Share your public key.

Anyone who wants to send you an encrypted message needs your public key. Your private key never leaves your device — only the public half is ever shared.

  1. Open the Exchange tab.
  2. Tap your key (or select it from the list if you have multiple).
  3. Choose how you want to share — each option is one tap from this screen:
    • QR code — best for in-person exchange. The recipient scans it.
    • Export .asc file — send through any messaging or file-sharing app.
    • Copy armored block — paste into an email, chat, or document.
    • Publish to keys.openpgp.org — anyone can then find your key by searching your email address.

About publishing: when you publish to keys.openpgp.org, you'll receive a verification email. Click the link in it; otherwise the email portion of your key stays hidden from public search (the key itself uploads either way).

// guide 03

Import someone else's public key.

Before you can encrypt to someone, PGPony needs their public key. There are three ways to get one in.

  1. Open the Exchange tab and switch to Import.
  2. Pick your method:
    • Scan their QR code — tap the camera icon, point it at their QR. Done.
    • Paste an armored block — paste their -----BEGIN PGP PUBLIC KEY BLOCK----- text into the input. Tap Import.
    • WKD / keyserver lookup — enter their email address. PGPony queries their mail provider (WKD) first, then falls back to keys.openpgp.org.
  3. Verify the fingerprint against a trusted out-of-band source if the stakes are high. A 40-character (or 64-character) hex string is shown — it should match what they tell you in person, on a phone call, or in another communication channel you trust.
  4. The contact is now available as a recipient on the Encrypt tab.

Why fingerprint verification matters: if an attacker gets you to import a key they control, PGPony cannot detect it. The fingerprint check you do out of band is what closes that gap.
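
What the fingerprint in step 3 is computed from, as an added example (not PGPony's code): this Python derives the fingerprint from a pasted armored block per RFC 4880 (v4, 40 hex characters) and RFC 9580 (v6, 64 hex characters), then compares the whole value with what the contact told you. The function names are illustrative and the sample key is constructed from dummy bytes.

```python
import base64, hashlib, struct

def dearmor(armored):
    # Decode an ASCII-armored public key block to raw OpenPGP packet bytes.
    lines = [l.strip() for l in armored.strip().splitlines()]
    if not lines[0].startswith("-----BEGIN PGP PUBLIC KEY BLOCK"):
        raise ValueError("not a public key block")
    start = lines.index("") + 1 if "" in lines else 1  # armor headers end at a blank line
    data = [l for l in lines[start:] if l and l[0] not in "=-"]  # drop CRC24 and END lines
    return base64.b64decode("".join(data))

def key_packet_body(pkt):
    # Return the body of the leading Public-Key packet (tag 6).
    hdr = pkt[0]
    if (hdr & 0xC0) == 0xC0:                      # new-format header
        tag, first = hdr & 0x3F, pkt[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + pkt[2] + 192, 3
        elif first == 255:
            length, off = struct.unpack(">I", pkt[2:6])[0], 6
        else:
            raise ValueError("partial body lengths are not valid for key packets")
    elif (hdr & 0x80) and (hdr & 0x03) != 3:      # old-format header, definite length
        tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
        length, off = int.from_bytes(pkt[1:1 + n], "big"), 1 + n
    else:
        raise ValueError("unsupported packet header")
    if tag != 6:
        raise ValueError("first packet is not a public key")
    return pkt[off:off + length]

def fingerprint(armored):
    body = key_packet_body(dearmor(armored))
    if body[0] == 4:   # v4: SHA-1 over 0x99, 2-octet length, body -> 40 hex characters
        return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
    if body[0] == 6:   # v6: SHA-256 over 0x9B, 4-octet length, body -> 64 hex characters
        return hashlib.sha256(b"\x9b" + struct.pack(">I", len(body)) + body).hexdigest().upper()
    raise ValueError("unsupported key version")

def same_fingerprint(computed, told):
    # Compare the whole value; ignore spacing and case, never accept a short key ID.
    return "".join(told.split()).upper() == computed

# Constructed sample, not a real key: v4 Ed25519 public key packet with dummy key bytes.
BODY = (b"\x04" + struct.pack(">I", 1700000000) + b"\x16\x09"
        + bytes.fromhex("2b06010401da470f01") + b"\x01\x07\x40" + bytes(range(32)))
SAMPLE = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + base64.b64encode(
    b"\xc6" + bytes([len(BODY)]) + BODY).decode() + "\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

Because the hash covers the key material itself, a substituted key yields a different fingerprint no matter what name or email it carries.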
// guide 04

Encrypt your first message.

You have your key. You have their key. Now write the message.

  1. Open the Encrypt tab.
  2. Tap Recipients and select one or more people from your imported public keys.
  3. Type or paste the message into the input field.
  4. Optionally toggle Sign with my key — this lets the recipient verify the message came from you (recommended).
  5. Choose output format:
    • ASCII armor — text block you can paste into a chat or email.
    • Binary — smaller .pgp file, better for attachments.
  6. Tap Encrypt. The encrypted output replaces the input field.
  7. Tap Share or Copy to send through any channel — Mail, Messages, Signal, a paste site, anywhere.

Try it both ways: for your first encryption, send it to yourself (encrypt to your own public key). You can then decrypt it and confirm the round trip works before sending real content to anyone.

// guide 05

Decrypt and verify a message.

When someone sends you a PGP-encrypted message, here's how to read it.

  1. From wherever the encrypted block lives (an email, a chat message, a file), get the content into PGPony:
    • Share Sheet (recommended) — in any app, tap the share button and pick "PGPony Decrypt". The message arrives in PGPony pre-loaded.
    • Paste — open the Decrypt tab and paste the armored block (between the BEGIN and END lines).
    • Open file — tap an .asc, .pgp, or .gpg file from Files / your downloads.
  2. If your private key is passphrase-protected, PGPony prompts for the passphrase.
  3. After decryption, the plaintext appears. If the message was also signed, PGPony shows a verification badge:
    • Green check — signature valid, signer is in your keyring
    • Yellow caution — signature valid, but signer's key is not yet verified by you
    • Red X — signature failed (the message was tampered with, or the wrong key was used)
  4. Tap Copy to use the decrypted text elsewhere. The clipboard countdown starts automatically — the decrypted text clears itself after the configured duration.

// guide 06

Back up and migrate your keys.

A lost key is a destroyed key. Back up immediately after generation, before you encrypt anything important.

  1. From the Keyring tab, long-press the key you want to back up.
  2. Tap Export → Secret Key. You'll be prompted for the passphrase (so PGPony can confirm it's really you).
  3. An .asc file is produced. Save it somewhere durable:
    • A password manager that supports encrypted file attachments (1Password, Bitwarden)
    • An encrypted USB drive kept in a safe place
    • Printed on paper in a locked drawer (yes, really — paper survives device failure)
    • Encrypted cloud storage (iCloud Drive, Google Drive, etc.)
  4. To migrate to a new phone, copy the .asc file to the new device and open it with PGPony installed. The import flow asks for the passphrase, then adds the key to the new keyring.

Note on iCloud Keychain (iOS only): if you enabled iCloud Keychain sync in PGPony settings, your keys will appear automatically on any new device signed into the same Apple ID — no manual export needed. This is Apple's end-to-end encrypted sync. It is off by default.

Need more?

For shorter how-do-I questions and troubleshooting, see the Support & FAQ page. For the security model and threat boundaries, see the Security page. For anything else, email the developer directly.