PGP for journalists.

An encrypted tip line for sources who can use PGP. A signed channel for ongoing correspondence. Archival ciphertext for material you'll need later. PGPony makes all of this work from your phone — useful because most source-first-contact happens on mobile, not at the desk.

Source protection · Encrypted tip lines · Mobile + desktop

The workflow this addresses.

A potential source emails you. They've used PGP before, they found your fingerprint on your bio page, and they've encrypted their first message to your key. You're on the subway. You want to read the message now, not in three hours when you're back at the desk — and you don't want to carry your laptop's secret key onto your phone in an insecure way.

PGPony holds your key in the iOS Keychain or Android Keystore, gated behind biometrics and your passphrase. The same key that lives in gpg on your laptop can also live in PGPony on your phone (same fingerprint, two devices). The source reaches out → you decrypt on the spot → you reply encrypted and signed from wherever you are.

What OpenPGP protects, what it doesn't.

// gives you

Content layer

  • End-to-end encryption of message body and attachments. Only your secret key can decrypt.
  • Authenticity via signatures. After fingerprint verification, you know subsequent messages from this source are from the same key holder.
  • Long-term archival ciphertext. Encrypted records you keep — unlike Signal, the messages are portable artifacts that survive device changes and can be entered as evidence.
  • Provider-agnostic. Works with any email — Gmail, Outlook, your newsroom's mail system, the source's webmail.
  • No central account. No service that can be subpoenaed for your message content (the mail providers still see metadata).

// does not give you

Metadata + transport

  • Metadata is visible. Subject, sender, recipient, timestamps, routing. For metadata-sensitive sources, route them to SecureDrop or Signal.
  • No forward secrecy. If your secret key is compromised later, all past ciphertexts to that key are readable.
  • No anonymity for the source. Their email address identifies them. For anonymous tipoffs, SecureDrop (over Tor) is the right tool.
  • No protection against device seizure. Your secret key sits on the device. Plan for it — passphrase + biometrics, encrypted backup off-device, key rotation if compromised.
  • Signatures are non-repudiable. A valid signature from your key is cryptographic proof that the message came from you. This matters if you ever need to deny authorship.

A concrete workflow.

  1. Generate a key on your laptop with gpg, or in PGPony directly. Most journalists already have a laptop key; if so, skip to step 2. If not, see Generate a PGP key on iPhone or on Android.
  2. Import your laptop key into PGPony so the same key works on both devices. Follow Import a GnuPG key to your phone. Fingerprints will match exactly.
  3. Back up the secret key to durable, off-device storage. Without a backup, losing the phone or laptop loses the key. See Back up your private key.
  4. Publish your fingerprint. Your byline page, your newsroom's contact directory, your personal site, your social bio. The fingerprint is your public identity for encrypted contact. See Publish your public key.
  5. Set up WKD on your domain if you control it (or your byline's domain if your outlet allows). This lets sources' mail clients auto-discover your key — no manual lookup required. See Set up WKD for your domain.
  6. When a source contacts you via PGP, decrypt with PGPony's Decrypt tab. The plaintext appears in the app — not written to disk. Read in place. If you need to archive, save into your secure note-taking workflow, then encrypt the archive to your own key.
  7. Reply encrypted and signed from PGPony's Encrypt tab in Text mode. Signing tells the source the reply really came from you; encryption keeps the body confidential. See Send an encrypted email.
  8. For repeat sources, verify their fingerprint by an independent channel (in person if possible, voice call on a previously-trusted line otherwise). The verification only needs to happen once per source.
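Step 5 asks you to set up WKD so that a source's mail client finds your key from your address alone. The script below is an added example, not PGPony's or GnuPG's code: it implements the lookup rule from the Web Key Directory draft (lowercased local part, SHA-1, z-base-32) so you can see exactly which URLs your web server must answer, and it checks that the file you put there is a binary key rather than the ASCII-armored export that is the usual setup mistake. The address, domain and key bytes are constructed sample values.

```python
"""WKD locations for a published key.

Added example, not PGPony's code. It implements the lookup rule from the
Web Key Directory draft (draft-koch-openpgp-webkey-service): the local part
of the address is lowercased, SHA-1 hashed and z-base-32 encoded, and the
binary (not ASCII-armored) public key is served under that name. The domain,
address and key bytes used here are constructed sample values.
"""
import base64
import hashlib
from urllib.parse import quote

# z-base-32 uses the same 5-bit layout as RFC 4648 base32; only the alphabet differs.
_RFC4648_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"
_TO_ZBASE32 = str.maketrans(_RFC4648_ALPHABET, _ZBASE32_ALPHABET)


def wkd_hash(local_part: str) -> str:
    """32-character z-base-32 encoding of SHA-1(lowercased local part)."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    # 20 bytes = 160 bits = exactly 32 base32 symbols, so no '=' padding appears.
    return base64.b32encode(digest).decode("ascii").translate(_TO_ZBASE32)


def wkd_urls(address: str) -> dict:
    """Both URL forms a client may try, plus the policy file each one needs."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    digest = wkd_hash(local)
    # The l= query parameter carries the original (not lowercased) local part.
    l_param = quote(local, safe="")
    advanced_base = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    direct_base = f"https://{domain}/.well-known/openpgpkey"
    return {
        "advanced": f"{advanced_base}/hu/{digest}?l={l_param}",
        "advanced_policy": f"{advanced_base}/policy",
        "direct": f"{direct_base}/hu/{digest}?l={l_param}",
        "direct_policy": f"{direct_base}/policy",
    }


def classify_served_key(data: bytes) -> str:
    """WKD serves the key in binary OpenPGP form. An armored file is the usual
    setup mistake; this peeks at the first packet header to tell them apart."""
    if data.startswith(b"-----BEGIN PGP"):
        return "armored"
    if not data or not data[0] & 0x80:
        return "unknown"
    first = data[0]
    if first & 0x40:                  # new-format header: 11tttttt
        tag = first & 0x3F
    else:                             # old-format header: 10ttttll
        tag = (first >> 2) & 0x0F
    return "binary" if tag == 6 else "unknown"   # tag 6 = Public-Key packet


if __name__ == "__main__":
    # Constructed sample address; the draft's own example uses this spelling.
    for name, url in wkd_urls("Joe.Doe@Example.ORG").items():
        print(f"{name:16} {url}")
```

Serve the file at the "advanced" location if you can create the openpgpkey subdomain, otherwise at the "direct" one; either way the policy file (it may be empty) must exist, and the key file must classify as "binary" here, which is what `gpg --export` without `--armor` produces.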

Operational security notes.

Is PGPony right for this work?

// yes if
  • You receive encrypted mail from sources and want mobile access
  • You want to publish a fingerprint alongside your byline
  • You need long-term archival of source correspondence
  • Your sources can already use PGP, or can be guided to
  • Content confidentiality is your primary concern

// not the right tool if
  • Sources need anonymity (use SecureDrop instead)
  • Metadata leakage is a hard constraint (Signal / SecureDrop)
  • Real-time chat is the workflow (Signal)
  • Source cannot use PGP and you cannot route them elsewhere
  • You need forward secrecy for tactical reasons (Signal)

Common questions from journalists.

Is PGP enough for whistleblower contact?

For someone who can already use PGP and has good operational security, yes — it gives end-to-end content protection. For someone who cannot use PGP, or whose threat model includes metadata-level surveillance, SecureDrop is a stronger choice (it runs over Tor, eliminating IP correlation, and doesn't require the source to manage keys). PGPony complements SecureDrop rather than replacing it: many journalists publish both a SecureDrop URL and a PGP fingerprint so sources can pick whichever they're comfortable with.

What does my newsroom need to allow?

Most newsrooms allow personal PGP keys for journalists. The newsroom's legal and security team can usually answer whether you can publish a personal fingerprint alongside your byline. Some larger outlets (NYT, Guardian, ProPublica, WaPo) maintain organizational tip pages with their own keys; if your outlet has one, use it instead of or alongside a personal key.

I generate the key on my laptop already. Why PGPony?

Most working journalists do their writing on a laptop, but their first source contact often happens on mobile. PGPony lets you decrypt an incoming tip on your phone the moment it arrives — no waiting until you're back at the desk — without moving your laptop's secret key onto the phone insecurely. Same fingerprint, two devices.

What about metadata? My source's email provider sees who they emailed.

Correct, and this is OpenPGP's biggest weakness for this use case. Subject lines, sender, recipient, timestamps, and routing information all stay visible to mail providers and any intermediate infrastructure with metadata access. For sources where this matters, route them to SecureDrop (Tor-based) or Signal (sealed sender) instead. Use PGP for the content layer; layer transport protections separately if needed.
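The "Metadata + transport" list above and this answer make the same point: on a PGP/MIME message only one MIME part is ciphertext, and every relay reads the rest. The script below is an added example, not PGPony's code; it parses an RFC 3156 multipart/encrypted message with the Python standard library and separates the fields a mail provider sees from the part that is actually protected. The message is a constructed sample and its "ciphertext" is a placeholder, not a real OpenPGP packet.

```python
"""What stays readable on a PGP/MIME message in transit.

Added example, not PGPony's code. It parses an RFC 3156 multipart/encrypted
message with the standard library and separates the fields every relay can
read from the one part that is ciphertext. SAMPLE_PGP_MIME is a constructed
message; its armored block is a placeholder, not a real OpenPGP packet.
"""
from __future__ import annotations

import email
from email import policy
from email.message import EmailMessage

SAMPLE_PGP_MIME = """\
From: source@webmail.example
To: reporter@newsroom.example
Subject: Re: procurement office documents
Date: Tue, 04 Jun 2024 08:12:33 +0000
Message-ID: <constructed-0001@webmail.example>
Received: from mx.webmail.example (203.0.113.7) by mx.newsroom.example
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

hQEMA0NvbnN0cnVjdGVkUGxhY2Vob2xkZXJPbmx5
-----END PGP MESSAGE-----

--b1--
"""

# Header fields that encrypting the body does nothing to hide.
VISIBLE_HEADERS = ("From", "To", "Subject", "Date", "Message-ID")


def is_pgp_mime_encrypted(msg: EmailMessage) -> bool:
    """RFC 3156 signals OpenPGP encryption through the outer Content-Type."""
    return (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted")


def split_message(raw: str) -> tuple[dict, bytes | None]:
    """Return (metadata every relay sees, ciphertext part or None if unencrypted)."""
    msg = email.message_from_string(raw, policy=policy.default)
    visible = {name: str(msg[name]) for name in VISIBLE_HEADERS if msg[name]}
    # Each hop prepends a Received line, so routing is visible end to end.
    visible["Received"] = [str(v) for v in msg.get_all("Received", [])]
    if not is_pgp_mime_encrypted(msg):
        return visible, None
    parts = list(msg.iter_parts())
    # RFC 3156: first part is the control part, second carries the OpenPGP message.
    if len(parts) != 2 or parts[0].get_content_type() != "application/pgp-encrypted":
        return visible, None
    return visible, parts[1].get_payload(decode=True)


if __name__ == "__main__":
    metadata, ciphertext = split_message(SAMPLE_PGP_MIME)
    print("visible to every relay:")
    for field, value in metadata.items():
        print(f"  {field}: {value}")
    print("protected by OpenPGP:")
    print("  " + (ciphertext.decode().splitlines()[0] if ciphertext else "nothing"))
```

Run it and the Subject line, which here names the topic of the tip, appears in the visible set; that is why the page tells you to treat subject lines as public and to route metadata-sensitive sources to SecureDrop or Signal.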

How do I verify a source's fingerprint?

Whenever possible, in person — show each other your fingerprints from your own devices. When meeting in person isn't possible, voice verification on a channel the source already trusts (a previous Signal call, a phone number they've used before) is the next best. Don't rely on fingerprint exchange over the same channel as your encrypted communication; if that channel is compromised, the fingerprint can be substituted.
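For step 8 and the answer above, the comparison itself is where voice checks go wrong: a group is misheard, or one side reads out a key ID instead of the full fingerprint. The helper below is an added example, not PGPony's code. It normalizes a fingerprint the way a person reads or pastes it, refuses anything shorter than a full fingerprint (a key ID is not a unique identifier), and names the first 4-character group that differs so the read-out can resume from there. The fingerprints are constructed sample values.

```python
"""Fingerprint comparison for out-of-band verification.

Added example, not PGPony's code. Normalizes spoken or pasted fingerprints,
rejects key IDs (too short to identify a key uniquely), and reports the
first differing 4-character group. All fingerprints here are constructed.
"""
from __future__ import annotations

import re

_HEX = re.compile(r"[0-9A-F]+")


def normalize_fingerprint(text: str) -> str:
    """Drop whitespace, colons and a 0x prefix; upper-case the hex digits."""
    s = text.strip().upper()
    if s.startswith("0X"):
        s = s[2:]
    return re.sub(r"[\s:]", "", s)


def fingerprint_kind(fpr: str) -> str:
    """Classify by length: v4 fingerprints are 40 hex digits, v6 (and draft
    v5) are 64; 16 and 8 digits are long and short key IDs respectively."""
    if not _HEX.fullmatch(fpr):
        return "invalid"
    return {40: "v4 fingerprint", 64: "v6 fingerprint",
            16: "long key ID", 8: "short key ID"}.get(len(fpr), "invalid")


def groups(fpr: str, size: int = 4) -> list[str]:
    return [fpr[i:i + size] for i in range(0, len(fpr), size)]


def readout(text: str) -> str:
    """Format for reading aloud: groups of four, as gpg prints them."""
    return " ".join(groups(normalize_fingerprint(text)))


def verify_out_of_band(published: str, spoken: str) -> tuple[bool, str]:
    """Compare the fingerprint you published with the one the source read
    back over an independent channel. Returns (match, explanation)."""
    a, b = normalize_fingerprint(published), normalize_fingerprint(spoken)
    for label, value in (("published", a), ("spoken", b)):
        kind = fingerprint_kind(value)
        if not kind.endswith("fingerprint"):
            return False, (f"{label} value is a {kind}, not a full fingerprint; "
                           "ask for the whole fingerprint (40 hex digits for a v4 key)")
    if len(a) != len(b):
        return False, "fingerprints are of different key versions"
    for i, (ga, gb) in enumerate(zip(groups(a), groups(b)), start=1):
        if ga != gb:
            return False, f"mismatch in group {i}: published {ga}, spoken {gb}"
    return True, "fingerprints match"


if __name__ == "__main__":
    # Constructed sample fingerprint, not a real key.
    mine = "7A3B 1C2D 4E5F 6071 8293 A4B5 C6D7 E8F9 0A1B 2C3D"
    print(readout(mine))
    print(verify_out_of_band(mine, "7a3b1c2d4e5f607182 93a4b5c6d7e8f90a1b2c3d"))
    print(verify_out_of_band(mine, "C6D7 E8F9 0A1B 2C3D"))
```

Once a source's fingerprint verifies this way, record it alongside their key; the check only has to succeed once per source, and later messages are then authenticated by their signatures.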

Should I archive decrypted source material?

Re-encrypt and archive offline. The plaintext should not live indefinitely on a connected device. PGPony decrypts in memory and displays the plaintext rather than writing it to disk by default; for material you need to keep, decrypt, save to your secure note-taking workflow, then encrypt the archive to your own key for storage.

Related material.

Get PGPony

Free OpenPGP encryption for iOS and Android. No accounts, no tracking.