PGP for activists.
Read this carefully before betting on PGP for hostile-state threat models. OpenPGP is strong at content confidentiality and authenticity. It is weak at metadata, forward secrecy, and anonymity. For some work that's enough; for some it isn't. This page is the honest assessment — including when to use Signal or Tor instead, and how to combine tools for the threat model you actually have.
What OpenPGP actually does for activist work.
Content layer
- End-to-end encryption. Message content and attachments are decryptable only by the secret key holder.
- Authenticity. Signatures prove a message came from the key holder. After fingerprint verification, your contacts can be sure subsequent messages are from you.
- No service account. No central party that can be subpoenaed for your message content. (Mail providers still see metadata; see "What to layer with other tools" below.)
- Long-term ciphertext. Encrypted records remain encrypted regardless of which platforms exist. Unlike Signal, the messages are durable artifacts.
- On-device-only secret key. Your secret stays in iOS Keychain or Android Keystore, gated by passphrase and (optionally) biometric.
What to layer with other tools
- Metadata protection. Your communication graph is visible to mail providers and any surveillance with metadata-layer access. → Signal sealed-sender; Briar over Tor.
- Forward secrecy. Past ciphertexts can be decrypted if a future key is compromised. → Signal (Double Ratchet).
- Plausible deniability. PGP signatures are non-repudiable. A valid signature is mathematically you. → OTR historically; nothing widely used today.
- Anonymity. Your email address identifies you. → Tor + anonymous email or anonymous channels.
- Protection against device seizure. Your secret key sits on the device. → Hardware tokens, duress wipe, physical security planning.
- Protection against coerced biometric. Biometrics can be compelled in some jurisdictions. → Passphrase-only protection; disable biometric.
- Real-time chat. Email-shaped flow with high latency. → Signal.
When PGP is the right tool.
PGP fits cases where the parties already know who they are, content confidentiality is the primary concern, and metadata exposure to mail providers is acceptable:
- Encrypted documents shared between activists who are already in regular contact (organizing plans, research drafts, sensitive notes).
- Long-form correspondence with legal counsel, where the content is the secret but the fact of legal correspondence is unremarkable.
- Archival storage of sensitive documents — encrypt to your own key, store anywhere, decrypt only on a controlled device.
- Encrypted releases of evidence or testimony to journalists who have published a PGP fingerprint.
- Cross-border collaboration where the parties have established identity and verified fingerprints in person at some point.
And cases where it isn't:
- Initial contact with an unknown party, where revealing your identity to your mail provider is itself a risk.
- Real-time coordination during a protest or rapid-response situation — Signal is faster, lower-friction, and metadata-protected.
- Anonymous tipoffs or leaks — SecureDrop and Tor-based channels are stronger.
- Communications where future legal proceedings might compel decryption — passphrase + key on device is a single point of failure.
- Networks where most contacts don't have keys and won't reliably manage them — operational errors are the dominant risk.
Operational security defaults for high-risk work.
- Strong passphrase, no biometric. In PGPony, disable Face ID / Touch ID / Biometric Lock in Settings → Security. Rely on a long passphrase that you can produce reliably but that isn't trivially guessable. This removes biometric coercion as an attack vector and avoids the jurisdictional question. See Set up biometric lock (and choose not to).
- iCloud Keychain Sync OFF. If keys sync to iCloud, an attacker with your Apple ID can potentially retrieve them. For high-risk work, keep keys on-device-only and move them manually between devices via the export / import flow.
- Encrypted backup, off-device. A backup that lives next to your phone is no backup. Encrypted USB in a safe, paper backup with paperkey, or a password manager attachment — somewhere device loss doesn't lose the key. See Back up your private key.
- Fingerprint verification in person. Use PGPony's Exchange tab → Show My Key to display your QR + fingerprint to a contact; have them scan via Scan Key. The in-person QR exchange verifies fingerprints automatically through visual comparison. See Share your key via QR code.
- Plan for key rotation. If you suspect compromise, rotate immediately. A revocation certificate generated at key creation time and stored offline can be published even if you no longer have access to the secret key. See Rotate your PGP key safely.
- Compartmentalize identities. One key per role: a key for your activism work, a separate key for personal correspondence. Compromise of one shouldn't burn the other. PGPony handles multiple keys in the same keyring.
- Use Signal in parallel. For real-time coordination, metadata-sensitive contact, and most contemporary activist workflows, Signal is the default. PGP is for the work where you specifically need long-term encrypted artifacts or where Signal isn't an option.
Is PGPony right for this work?
Yes, if:
- Content confidentiality is the primary concern
- Your contacts can already use PGP reliably
- Metadata leakage to mail providers is acceptable
- You need long-term encrypted artifacts (documents, archives)
- You've done a threat model and PGP fits a specific slice of your work
No, if:
- Metadata-sensitive — surveillance can see who talks to whom (use Signal / Briar)
- Real-time coordination (use Signal)
- Need anonymity from your mail provider (use Tor + anonymous channels)
- Threat model includes coerced unlock and you can't reliably "forget" the passphrase
- Forward secrecy is required (use Signal)
- Most contacts can't manage PGP keys reliably
Common questions from activist users.
Is PGP "good enough" for a hostile-state threat model?
For some workflows yes, for many no, depending on what you're protecting. PGP gives strong content confidentiality and authenticity. It gives nothing for metadata, forward secrecy, or anonymity. For metadata-sensitive operations, layer Signal, Tor, or both. For content-sensitive operations where parties already know who they are, PGP is appropriate. There is no single answer; the threat model has to be worked through.
What if my device is seized?
Plan for it before it happens. Secret key sits on device, protected by passphrase and (optionally) biometric. In some jurisdictions biometric can be compelled but passphrase cannot — if this applies, disable biometric. Keep an encrypted backup off-device. Practice immediate rotation: generate fresh key, publish transition, revoke seized one. Time-to-rotation is your operational margin.
Are biometrics safe in my jurisdiction?
Varies. In some places biometric unlock can be legally compelled while passphrases cannot. In others both are compellable. This is a question for a lawyer familiar with the specific jurisdiction and threat model, not a generic answer. For high-risk work, defaulting to passphrase-only removes one attack vector regardless.
Can I be forced to decrypt?
Depends on jurisdiction and what authorities can prove about your knowledge of the passphrase. Several legal doctrines exist and vary by country and case law. Operationally: a passphrase you don't remember is harder to compel than one you do. Some activists use long random passphrases stored in places they can lose access to under duress — this trades availability for deniability and is a real trade-off.
Signal AND PGP?
For most activist workflows, yes. Signal: real-time, forward-secure, metadata-protected, no portable artifacts. PGP: asynchronous, archival, content-only, portable ciphertext. Use Signal for tactical communications; PGP for documents and longer-form correspondence.
Contacts who can't use PGP?
Don't make them. The UX cost of PGP is real and it adds risk when used wrong. For one-off communications with non-PGP contacts, Signal is almost always better. PGP is most useful when both ends already have keys and have done fingerprint verification.
How do I verify a contact's fingerprint securely?
In person whenever possible — PGPony's Exchange tab renders the QR alongside the fingerprint. If in-person isn't possible, voice verification on a previously-trusted channel (a previous Signal call) is next-best. Never accept a fingerprint over the same channel as the encrypted communication.
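What the out-of-band comparison actually checks, as an added example that is not PGPony's code: a fingerprint is a hash of the public key material, so a key swapped in transit cannot match the fingerprint your contact reads to you over a separate channel. It assumes version 4 keys (RFC 4880 fingerprint rule); the key bodies, function names and the spoken fingerprint are constructed for illustration.

```python
import hashlib
import hmac
import struct

def v4_fingerprint(key_body: bytes) -> str:
    # RFC 4880 section 12.2: SHA-1 over 0x99, a two-octet length, then the
    # public-key packet body (version, creation time, algorithm, key material).
    if not key_body or key_body[0] != 4:
        raise ValueError("not a version 4 public-key packet body")
    framed = b"\x99" + struct.pack(">H", len(key_body)) + key_body
    return hashlib.sha1(framed).hexdigest().upper()

def normalize(spoken: str) -> str:
    # Drop the spaces and colons people add when reading a fingerprint aloud.
    cleaned = "".join(ch for ch in spoken if ch not in " \t\n:-").upper()
    if len(cleaned) != 40 or any(ch not in "0123456789ABCDEF" for ch in cleaned):
        raise ValueError("need the full 40-hex-digit fingerprint, not a key ID")
    return cleaned

def key_matches(received_key_body: bytes, out_of_band_fingerprint: str) -> bool:
    # True only when the key that arrived over the untrusted channel hashes to
    # the fingerprint the contact gave over a separate, trusted channel.
    return hmac.compare_digest(v4_fingerprint(received_key_body),
                               normalize(out_of_band_fingerprint))

def _mpi(value: int) -> bytes:
    # OpenPGP multiprecision integer: two-octet bit count, then big-endian bytes.
    return struct.pack(">H", value.bit_length()) + value.to_bytes(
        (value.bit_length() + 7) // 8, "big")

def sample_key_body(modulus: int) -> bytes:
    # Constructed sample, not a real key: v4, creation time, RSA (algorithm 1), n, e.
    return (bytes([4]) + struct.pack(">I", 1700000000) + bytes([1])
            + _mpi(modulus) + _mpi(65537))

GENUINE = sample_key_body((1 << 2047) | 0x1234567)
SUBSTITUTED = sample_key_body((1 << 2047) | 0x1234569)  # key swapped in transit

# What the contact reads out on a call: lower case, grouped in fours.
_fp = v4_fingerprint(GENUINE)
SPOKEN = " ".join(_fp[i:i + 4] for i in range(0, 40, 4)).lower()

if __name__ == "__main__":
    print("genuine key accepted:    ", key_matches(GENUINE, SPOKEN))
    print("substituted key accepted:", key_matches(SUBSTITUTED, SPOKEN))
```

The check only means something when the fingerprint and the key arrive by different routes; a fingerprint sent alongside the key can be swapped together with it.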