Create, import, and auto-fill OTP & HOTP passcodes in just two clicks. With EviOTP HSM PGP, each secret key is encrypted into a segmented PGP container — no NFC, no mobile device, and no cloud access required. Tokens stay offline, and injection is fully automated.
Private OTP keys are never exposed. EviOTP HSM PGP decrypts containers only in your computer’s RAM, ensuring that secrets are never written to disk or stored anywhere permanently. Even if your system is compromised, keys stay secure.
You can share encrypted OTP containers securely via QR code or portable storage. EviOTP HSM PGP encrypts each key with segmented AES-256 CBC and a password of your choice. Use it on-demand from any location, without needing to install or decrypt anything in advance.
Each OTP container includes the original login URL. When used, EviOTP HSM PGP launches a dedicated sandbox that checks domain integrity before injecting the OTP PIN — blocking phishing and fake login pages automatically.
Latest update: April 10, 2025
The OTP key manager feature powered by EviOTP HSM PGP is embedded in the PassCypher HSM PGP desktop application. It enables secure, offline generation and use of TOTP and HOTP secrets — without relying on mobile apps, cloud services, or external servers.
Unlike standard OTP apps, this innovation encrypts each OTP secret in a PGP AES-256 CBC container using segmented keys. The OTP is decrypted and displayed only in volatile memory during usage, ensuring maximum privacy and full cyber resilience.
- Support for TOTP & HOTP
- PGP-encrypted container with segmented AES-256 CBC keys
- Fully offline, no account creation, no data collection
- Sandboxed auto-login injection system included
This technology is currently deployed inside PassCypher HSM PGP, available for Windows and macOS. It allows users to manage an unlimited number of OTP keys in a sovereign and secure environment, entirely under their control.
EviOTP HSM PGP is an advanced OTP key manager for desktop environments, purpose-built for offline, zero-trust, and zero-knowledge authentication. It secures TOTP and HOTP private keys using a patented segmented AES-256 CBC encryption system, without relying on mobile apps, cloud services, or centralized databases.
Unlike conventional OTP software, each secret is encapsulated in a 1 KB PGP-encrypted container, split across two segments:
Decryption occurs only in RAM, during usage. As soon as the OTP code is injected automatically, the decrypted data is instantly destroyed — ensuring that secrets are never written to disk, never uploaded, and never retained.
Each OTP container includes the original login URL, enabling automatic domain sandboxing. This process validates the destination before injecting the OTP, thereby preventing typosquatting and phishing attempts.
Fully independent and completely serverless, EviOTP HSM PGP:
Containers remain permanently encrypted, enabling users to transfer, copy, and use them directly from any drive. Furthermore, the system ensures that decryption occurs exclusively within its memory, preventing any need for external decryption.
With zero integration dependencies, no plugin pairing, and no mobile requirement, the system ensures a self-contained, sovereign architecture. It gives users total control over their OTP lifecycle — from secure creation and encrypted storage to seamless auto-authenticated injection — all without exposing private keys at any time.
Whether you’re securing admin consoles, managing sensitive air-gapped environments, or deploying multi-user MFA with granular access, EviOTP HSM PGP stands apart with:
EviOTP HSM PGP enables encrypted storage, sharing, and usage of an unlimited number of TOTP and HOTP private keys. This full offline vault ensures maximum security and sovereignty over your 2FA secrets — with no cloud, no USB token, no smartphone dependency.
EviOTP HSM PGP decentralizes OTP key management entirely away from servers, apps, or central infrastructures. It supports secure human-to-human key sharing using encrypted PGP containers — freely duplicable across drives — while enforcing segmented cryptographic trust rules. Each usage must validate all key segments, even from separate locations or supports.
Share OTP secrets securely with AES-256 CBC PGP encryption and a user-defined passphrase.
Each container can be transferred via QR Code, USB drive, air gap (e.g., webcam), or local storage — without ever exposing the raw OTP key.
Your OTP remains 100% encrypted, even in transit or backup, making interception or misuse impossible.
EviOTP HSM PGP applies the patented segmented-key authentication system — awarded the Gold Medal at the 2021 Geneva International Exhibition of Inventions — to offline OTP key management.
Unlike mobile apps or USB tokens, this desktop-only solution encrypts each OTP secret inside a PGP AES-256 CBC container, split across two independent segments:
Decryption occurs only in volatile RAM, during usage. As soon as the OTP code is injected, the decrypted data vanishes instantly — leaving no trace.
🔗 Learn more about the Geneva Gold Medal and the segmented-key patent
Thanks to its offline design and military-grade encryption, EviOTP HSM PGP empowers critical sectors to deploy sovereign, passwordless, and resilient authentication — without third-party trust.
Access to each OTP secret requires two key segments: one in local storage, one on a separate physical support. Additionally, the original URL is verified via sandboxing. Without both segments and a valid domain, the container stays encrypted and the OTP is never generated — ensuring true segmented-key 2FA.
EviOTP HSM PGP encrypts every OTP key inside a PGP container and splits it across two physically distinct locations: the browser’s local storage and a removable device. Moreover, it ensures the container is only decrypted within RAM and never stored in decrypted form, keeping the key cryptographically inaccessible—even during system compromise.
EviOTP HSM PGP operates 100% offline, without any reliance on the cloud, servers, or sync tools. Nothing is uploaded or connected. You keep total sovereignty over your OTP lifecycle — from generation and encryption to injection and disposal.
Users actively encrypt and share OTP secrets securely with AES-256 CBC PGP containers, which are protected by a user-defined password. This ensures safe transmission across any channel, whether USB, SD, LAN, or even air gap. Furthermore, the encrypted container enforces segmented-key decryption with a domain check, ensuring no unauthorized access or alteration is possible.
EviOTP HSM PGP actively ensures user, system, and device anonymity. It avoids account creation, telemetry, and tracking entirely. Furthermore, during OTP sharing, it embeds trust within the encryption itself rather than relying on a third-party service, keeping the sender anonymous yet trusted by cryptographic design.
EviOTP HSM PGP works seamlessly on any desktop operating system that supports a web browser and local storage — including Windows, macOS, and Linux. Once installed, the extension decrypts OTP containers on demand, directly in RAM, without installing additional apps or requiring administrator rights.
You stay fully offline, in control, and independent from mobile or NFC hardware.
Treats every computer as untrusted. OTP keys never reside on the system’s permanent memory. Codes are generated in RAM only, in real-time, and automatically destroyed after use. This ensures complete resilience against keyloggers, malware, or forensic analysis.
EviOTP HSM PGP eliminates the need for any external authority. The user sets the rules. OTP decryption conditions — the two key segments and the origin domain — are strictly enforced and cannot be bypassed. This enables sovereign peer-to-peer encryption without compromise.
To guarantee the integrity of the EviOTP HSM PGP system, Freemindtronic designs, develops, and masters every component of the solution — from the segmented key encryption engine and browser extension to the AES-256 CBC PGP container format. This fully in-house approach ensures zero third-party code, zero cloud dependency, and zero backdoor risk. By maintaining full control over both the software and hardware components, Freemindtronic guarantees long-term auditability, resilience, and sovereignty — from concept to daily use. This industrial independence also ensures compliance with strategic requirements for civil, governmental, and defense-grade deployments, enabling EviOTP HSM PGP to operate in sensitive, air-gapped, and high-assurance environments without compromise.
.
EviOTP HSM PGP uses a patented split-key architecture based on AES-256 CBC encryption and PGP containerization. One key segment is stored in the browser’s local storage, while the other remains on a user-defined external device (e.g., USB drive, SD card, or encrypted folder). Decryption is only triggered when both segments are present and the original login domain matches — ensuring that secrets remain unreadable if any part is missing. This dual isolation between software and hardware environments enforces a zero-trust, zero-knowledge security model. In customized enterprise deployments, additional trust layers — such as facial recognition, device ID, BSSID, or even a remote segment key server — can be added to enforce stricter access rules based on client-specific policies.
EviOTP HSM PGP links each OTP secret to a unique pair of segmented keys. Without both key segments — one local, one external — the container remains encrypted. This guarantees that only the correct OTP key can be used, blocking any unauthorized or mismatched access.
This technology leverages segmented AES-256 CBC encryption to enforce true human-to-human authentication. One segment stays in local storage, the other on an external device. Decryption only occurs in RAM, on demand. Usage requires both key segments and the original OTP login domain. Without these, decryption never occurs. Even after secure PGP sharing, these conditions remain immutable.
| Feature / Product | EviOTP HSM PGP | KeePassXC | Nitrokey (OTP USB) | SoloKeys (FIDO2/U2F) | WinAuth | Free OTP Plus Desktop | OTPClient | Thales CipherTrust Manager |
|---|---|---|---|---|---|---|---|---|
| Offline Use (True No Internet) | ✅ | ✅ (local mode only) |
✅ (device-generated) | ❌ (needs service/cloud) |
✅ (manual setup) |
✅ (manual setup) |
✅ (local config) | ❌ (cloud-based) |
| Serverless Architecture | ✅ | ❌ (engine + options) |
✅
(hardware embedded) |
❌ (cloud handshake) |
❌ (uses registry) |
✅ (standalone) |
✅ (local only) | ❌ (cloud architecture) |
| Database-Free | ✅ | ❌ (uses .kdbx file) |
✅ (no DB) |
✅ (but cloud backend) |
❌ (uses config files) |
✅ (flat file) |
✅ (no DB) |
❌ (requires DB) |
| Master Password / Central PIN | ❌ (not needed) |
✅ (mandatory) |
✅ (PIN required) |
✅ (device PIN) |
✅ (local protection) |
❌ (none) |
❌ (none) |
✅ (admin PIN or pass) |
| Segmented Key Encryption (AES-256 CBC) | ✅ (patented) |
❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Auto-Fill OTP PIN Code | ✅ (transparent) |
❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Sandbox URL Anti-Typosquatting | ✅ (built-in) |
❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Zero-Knowledge Model | ✅ (strict) |
❌ (data trace exists) |
🔶 (hardware-bound) |
❌ (cloud device ID) |
❌ (local trace) |
❌ (no formal ZK) |
❌ (basic local only) |
❌ (admin visibility) |
| Key Sharing (Encrypted PGP Container) | ✅ (AES-256 PGP) |
❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
Unlike software apps or USB tokens, EviOTP HSM PGP is a desktop-only, fully offline OTP manager.
A sovereign tool for secure, automated OTP authentication — without compromise.
Here are specific scenarios where EviOTP HSM PGP provides unmatched segmented-key OTP security for desktop environments:
Secure administrative access (e.g., to root accounts, servers, or internal portals) without any online dependency. EviOTP HSM PGP decrypts OTP secrets locally in RAM and auto-fills login pages — fully offline, fully autonomous.
In military, classified, or confidential environments, users operate entirely without network exposure. They store OTP secrets on removable devices (USB, SD, encrypted volume) and decrypt them only on demand via segmented keys.
Securely share OTP containers encrypted with AES-256 CBC and a user-defined password. Access requires both key segments and domain validation. No server, no account — just sovereign, human-to-human key exchange.
Deploy EviOTP HSM PGP in high-risk sectors like forensics, infrastructure, or law enforcement. OTP secrets stay encrypted, undecryptable, and unusable until both key segments and sandbox validation are fulfilled — even under system compromise.
Ideal for legal, health, or compliance-sensitive use cases. Logs remain localized, container-based, and fully encrypted — giving users human-readable traceability while preserving confidentiality. No tracking, no metadata leaks.
Use case : OTP key management for classified systems (red/black separation). Prevents OTP leakage even during invasive attacks. Works offline across air-gapped defense infrastructures with no USB or Bluetooth.
Use case : Seamless MFA login to admin panels, servers (SSH/RDP), or internal tools. Auto-injection of OTP code in browser login forms using segmented key encryption — no mobile needed.
Use case : Use encrypted OTP containers during audits to access regulation-sensitive accounts. OTP secrets remain confined to certified devices, sharable without cloud sync or admin involvement.
As a fully sovereign and offline software solution, EviOTP HSM PGP enforces the highest standards of cybersecurity, encryption, and data protection — without relying on any server, database, or centralized password.
Although not certified by third-party entities, this OTP key manager strictly complies with — and often exceeds — internationally recognized regulations and technical norms.
Developed in strict alignment with major security standards, including:
Built for sensitive sectors including national security, critical infrastructure, healthcare, and regulated industries:
⚖️ EviOTP HSM PGP provides legal-grade confidentiality and unmatched operational independence — for professionals who cannot afford compromise.
