tencrypt

terse encryption tool for the web

What is tencrypt?

tencrypt is a terse (read: simple, basic) message encryption tool for the web.

Pros / features

Cons

Why does tencrypt exist?

This tool was born after I removed the same functionality from my main project, Keyoxide. Keyoxide is an online identity tool; it shouldn't concern itself with encrypting messages. KISS, Unix philosophy, etc.

And so, here is a dedicated tool that does just that: encrypt a message, copy-and-paste the encrypted message and send it to the recipient through a separate (potentially unsecured) channel, say a chat app, IRC, sneakernet.

How to use tencrypt?

Encrypting a message to someone

Has someone given you this tencrypt URL and you see a big "Encrypt message" input field at the top? Great! Just write your message and click the big button, can't go wrong there.

There is no big input field? No luck. tencrypt doesn't have a search functionality so you'll have to ask the recipient for their tencrypt URL first before you can use this tool.

Allowing others to encrypt a message to you

You have a cryptographic key? Awesome. Let's create a tencrypt URL that you may give to others.

Have you uploaded your OpenPGP public key to keys.openpgp.org? Your tencrypt URL is:

https://tencrypt.org#hkp;KEYID

Replace KEYID with your key's fingerprint or the email address you used in the userid.

Have you uploaded your OpenPGP public key to a different HKP-compatible key server? Your tencrypt URL is:

https://tencrypt.org#hkp;KEYID;DOMAIN

Replace DOMAIN with the domain of the HKP server.

Have you uploaded your OpenPGP public key using the WKD protocol? Your tencrypt URL is:

https://tencrypt.org#wkd;EMAIL

Replace EMAIL with the address used to identify your uploaded key.
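The three URL forms above can be parsed and validated before any key server is contacted. The sketch below is an added example, not tencrypt's own code: the function names, the validation rules (40-hex-digit fingerprints, DNS hostnames only) and the use of the standard HKP `/pks/lookup` path are assumptions made for illustration.

```javascript
// Added example: parse a tencrypt-style fragment ("#hkp;KEYID[;DOMAIN]" or "#wkd;EMAIL").
// Names and validation rules are assumptions for illustration, not tencrypt's code.
const DEFAULT_HKP = "keys.openpgp.org"; // server the page names for the two-field form
// DNS hostname only: no IP literals, ports, paths or userinfo smuggled into DOMAIN.
const HOST_RE = /^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i;
const FPR_RE = /^(0x)?[0-9a-f]{40}$/i; // assumption: v4 fingerprint, 40 hex digits
const EMAIL_RE = /^[^\s@;\/?#]+@([^\s@;\/?#]+)$/;

function parseFragment(pageUrl) {
  const url = new URL(pageUrl);
  // Only pathname + search reach the hosting server; url.hash stays in the browser.
  const sentToServer = url.pathname + url.search;
  const fields = decodeURIComponent(url.hash.slice(1)).split(";");
  const [scheme, id, domain] = fields;
  if (scheme === "hkp" && (fields.length === 2 || fields.length === 3)) {
    const host = domain === undefined ? DEFAULT_HKP : domain;
    if (!HOST_RE.test(host)) throw new Error("invalid HKP domain");
    let search;
    if (FPR_RE.test(id)) search = "0x" + id.replace(/^0x/i, "").toUpperCase();
    else if (EMAIL_RE.test(id)) search = id;
    else throw new Error("KEYID must be a fingerprint or an email address");
    return { scheme, id: search, host, sentToServer };
  }
  if (scheme === "wkd" && fields.length === 2) {
    const m = EMAIL_RE.exec(id);
    if (!m || !HOST_RE.test(m[1])) throw new Error("invalid WKD email");
    return { scheme, id, host: m[1].toLowerCase(), sentToServer };
  }
  throw new Error("unsupported fragment");
}

// Build the HKP "get" request for a parsed hkp descriptor.
function hkpLookupUrl(d) {
  const u = new URL("https://" + d.host + "/pks/lookup");
  u.searchParams.set("op", "get");
  u.searchParams.set("options", "mr"); // machine-readable response
  u.searchParams.set("search", d.id);  // URLSearchParams percent-encodes the value
  return u.toString();
}
```

Because the fragment comes from whoever handed over the link, the DOMAIN field is checked against a hostname pattern before it is used to build a request URL.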

I don't want people using web tools I don't trust to encrypt sensitive messages to me!

I hear you, I really do. This is one of the reasons why I removed the encrypt button from Keyoxide.

Yet others really want something like this to exist. I too see benefits in tools like these!

Given that your public key is already, well, public, it's impossible to prevent tools such as these from existing. So, instead of fighting it, let's craft the most respectful tool we can.

That is why I built tencrypt.

1/ tencrypt gets its parameters from the URL fragment, something the browser never sends to the hosting server.

2/ Once the page is loaded, the tool will never contact the hosting server again — use your browser's developer tools to confirm this claim. The tool will only contact key servers when needed to obtain the public key but that's it.

3/ tencrypt has no "search key" functionality to make the tool as opt-in as possible. If you don't give the user the right URL, they won't be able to use the tool. Of course, the user could find the URL themself but at least, the tool won't help them.

Is there more the tool could do? Yes, there's always more. But what and, more importantly, how? Should we let people add an OpenPGP notation to their key to kindly ask web tools not to allow message encryption — and of course make tencrypt respect that? Or should we let key holders ask tencrypt directly to ignore their key?

Let's discuss all these potential measures and make this tool work for everyone.

On your end, if you use WKD to host your key, feel free to block this domain — tencrypt.org — so it won't be able to access your public key.

Changelog

v0.2.0 — 2023-05-02
Add favicon
Update footer

v0.1.0 — 2023-04-29
Initial release