Welcome to upgp.xyz
A zero-trust, PGP-powered upload gateway.
Start in 60 seconds — no sign-up, no tracking.
- 🔐 Zero-Trust Uploads — Files are encrypted in-browser with OpenPGP. The server never sees your plaintext.
- 📥 Upload Routing — Encrypted messages can update webhook destinations or store files based on the key used.
- 🧾 PGP-Signed Identity — We trust your public key and nothing else. Endpoints are tied to verifiable identities.
- 🪪 Signed Acknowledgments — All server responses are signed using the gateway’s private key.
- 💡 Client-Side Checksum + Verification — See and verify SHA-256 before and after encryption.
🧾 Register via CLI
Use your PGP key to register a secure drop zone in minutes:
Step 1: Export your PGP public key
gpg --armor --export YOUR_KEY_EMAIL > pubkey.asc
Step 2: Download our public key
curl https://upgp.xyz/key -o upgp.asc
Step 3: Encrypt your key for the server
gpg --armor --encrypt --recipient-file upgp.asc pubkey.asc > encrypted.asc
Step 4: Upload it to register
cat encrypted.asc | sed ':a;N;$!ba;s/\n/\\n/g' | awk '{print "{\"content\":\"" $0 "\"}"}' > payload.json
curl -X POST https://upgp.xyz/register/upload -H "Content-Type: application/json" --data @payload.json
You’ll get a signed response with your personal endpoint, ready to use or route.
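Step 4 as a checked shell function, added here as an example and not part of upgp.xyz's own code: it refuses input that is not an ASCII-armored PGP message (for instance binary output from gpg run without --armor) and avoids the GNU-specific sed syntax of the one-liner. The function names `is_armored_message` and `make_payload` are hypothetical.

```shell
#!/bin/sh
# Added example, not upgp.xyz's own code. Function names are hypothetical.

# Succeed only if FILE starts and ends with the PGP MESSAGE armor lines.
# Binary OpenPGP output (gpg without --armor) fails this check.
is_armored_message() {
    [ "$(head -n 1 "$1" | tr -d '\r')" = "-----BEGIN PGP MESSAGE-----" ] &&
        [ "$(tail -n 1 "$1" | tr -d '\r')" = "-----END PGP MESSAGE-----" ]
}

# Print {"content":"..."} for FILE, joining its lines with a literal \n.
# Armor is base64 plus simple headers, so a double quote, backslash or
# control character means the input is not what we expect: refuse it
# instead of trying to escape it.
make_payload() {
    is_armored_message "$1" || {
        echo "not an armored PGP message: $1" >&2
        return 1
    }
    if tr -d '\r\n' < "$1" | LC_ALL=C grep -q '["\\[:cntrl:]]'; then
        echo "unexpected character in armor: $1" >&2
        return 1
    fi
    awk 'BEGIN { printf "{\"content\":\"" }
         { sub(/\r$/, ""); printf "%s%s", (NR > 1 ? "\\n" : ""), $0 }
         END { printf "\"}\n" }' "$1"
}

# Usage: sh make_payload.sh encrypted.asc > payload.json
if [ $# -gt 0 ]; then
    make_payload "$1"
fi
```

The resulting payload.json is posted with the same curl command as in step 4.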
🤔 Why Zero Trust?
upgp.xyz eliminates reliance on server-side security assumptions. Your key is your identity and your protection.
- ✅ No accounts or passwords
- ✅ Data stays encrypted end-to-end
- ✅ Fully verifiable and transparent
🔍 View source • Trust the code, not the company
🧠 How It Works (Deep Dive)
1. You Encrypt — Data is encrypted locally with OpenPGP using the recipient's key.
2. You Upload — Content is submitted to the server. If encrypted for the gateway, it’s interpreted as a metadata update.
3. The Server Verifies — All signed data is verified. Invalid messages are rejected without exception.
4. You Control Routing — Valid signed JSON payloads can define where future encrypted data gets forwarded.
5. Server Responds With Signature — Every valid response is cryptographically signed with the gateway’s key.