RSA Key Generator & Encrypt/Sign

What is RSA Key Generator & Encrypt/Sign?

This is a free, in-browser RSA toolkit that combines a key-pair generator with hands-on encryption and signing. Click Generate key pair to mint a new public/private pair at your chosen modulus size; the keys appear as PEM blocks you can copy straight into config files, scripts, or another tool. The Operation control picks RSA-OAEP (public-key encryption) or RSA-PSS (digital signatures, both with SHA-256), and the Direction control flips between forward and reverse so you can encrypt then decrypt, or sign then verify. Developers, students, and security engineers use it to test crypto flows, learn how asymmetric keys work, or quickly produce a throwaway PEM key pair without installing OpenSSL. Because it relies on the browser's built-in Web Crypto, results are standards-compliant and your private key never leaves the page.

How to use RSA Key Generator & Encrypt/Sign

1. Open Settings and choose the key size: 2048, 3072, or 4096 bits.
2. Pick the Operation: Encrypt (RSA-OAEP) or Sign (RSA-PSS) — this determines the algorithm of the keys you generate.
3. Click Generate key pair; the public and private keys appear as PEM and can be copied with the copy buttons.
4. Set the Direction to Encrypt/Sign (forward) or Decrypt/Verify (reverse).
5. Type your message in the Plaintext field, and for reverse direction paste the base64 ciphertext or signature into the second field.
6. Read the result, which updates automatically as you type, and copy it.

Examples

Operation: Encrypt, Direction: Encrypt, Plaintext: hello world

A base64 ciphertext such as kQf8...== that only the matching private key can decrypt.

Operation: Encrypt, Direction: Decrypt, Ciphertext: kQf8...==

hello world

Operation: Sign, Direction: Sign, Message: invoice #42

A base64 signature; switch Direction to Verify, paste it back, and the result reads "Signature is valid".

Frequently asked questions

Is anything sent to a server?

No. Key generation, encryption, decryption, signing, and verification all run locally through the browser's Web Crypto API. Your private key and plaintext stay on the page and are never uploaded or stored, so the tool works offline.

Why can't I encrypt with the same keys I generated for signing?

RSA-OAEP and RSA-PSS keys are bound to their algorithm when created. If you switch the Operation, generate a new key pair so the keys match the selected algorithm.

How much text can RSA-OAEP encrypt?

RSA encrypts only small payloads — roughly the key size minus padding (for 2048-bit keys, about 190 bytes). For longer data, real systems encrypt the data with a symmetric key and wrap only that key with RSA.

What format are the keys in?

The public key is exported as SPKI and the private key as PKCS#8, both wrapped in standard PEM (-----BEGIN PUBLIC KEY----- / -----BEGIN PRIVATE KEY-----), the same format OpenSSL and most libraries accept.

Which hash and padding are used?

Both algorithms use SHA-256. RSA-PSS signatures use a 32-byte salt, and RSA-OAEP uses SHA-256 for its mask generation, matching common defaults.