We can't find the internet
Attempting to reconnect
Something went wrong!
Hang in there while we get back on track
Sequoia PGP: A not quite new implementation of OpenPGP
Learn how SequoiaPGP reimagines OpenPGP with mandatory authentication, flexible trust models, and adjustable security levels while maintaining compatibility with existing tools.
-
SequoiaPGP takes a library-first approach focusing on being clean, safe by default, and UI-independent while supporting multiple threat models from casual users to high-security scenarios
-
Authentication is mandatory in Sequoia, with no concept of a curated keyring. The system uses “shadow CAs” and the Web of Trust model to combine multiple pieces of evidence for key verification
-
Keys.openpgp.org acts as a de facto CA by verifying email addresses, though users can control how much they trust it and scope trust to specific domains
-
The system supports different security levels through a “dial” approach - users can adjust automation vs security based on their threat model, from basic privacy needs to high-security activist scenarios
-
Command line interface (SQ) provides clear guidance and transparency, showing authentication paths and trust levels to help users understand the system’s security decisions
-
Federated CAs offer a middle ground between fully decentralized trust and global CAs, allowing organizations to manage their own trust infrastructure
-
Sequoia maintains compatibility through GPG-SQ, a drop-in replacement for GPG, while adding new security features and improvements
-
The project focuses on making good security practices accessible without forcing users to learn entirely new tools or workflows
-
Authentication is treated as fundamental - the system refuses to encrypt without proper authentication rather than offering insecure fallback options
-
Built with multiple crypto backends (Nettle, OpenSSL, Botan, etc.) and emphasizes safe-by-default interfaces while still allowing advanced usage when needed