New innovation 2025
EviOTP HSM PGP Manager
Offline PGP-Based OTP Manager for Multi-Factor Authentication
Unlimited TOTP & HOTP secrets encrypted in segmented key containers
Powered by EviOTP HSM PGP Technology — patented by Freemindtronic Andorra
Desktop OTP Key Manager with Segmented Encryption
A powerful offline OTP solution built for secure desktop authentication
Easy and secure desktop use
Create, import, and auto-fill OTP & HOTP passcodes in just two clicks. With EviOTP HSM PGP, each secret key is encrypted into a segmented PGP container — no NFC, no mobile device, and no cloud access required. Tokens stay offline, and injection is fully automated.
Protection against malware and data theft
Private OTP keys are never exposed. EviOTP HSM PGP decrypts containers only in your computer’s RAM, ensuring that secrets are never written to disk or stored anywhere permanently. Even if your system is compromised, keys stay secure.
Offline key sharing via AES-256 CBC
You can share encrypted OTP containers securely via QR code or portable storage. EviOTP HSM PGP encrypts each key with segmented AES-256 CBC and a password of your choice. Use it on-demand from any location, without needing to install or decrypt anything in advance.
Built-in anti-typosquatting sandbox
Each OTP container includes the original login URL. When used, EviOTP HSM PGP launches a dedicated sandbox that checks domain integrity before injecting the OTP PIN — blocking phishing and fake login pages automatically.
EviOTP HSM PGP – Integrated in PassCypher HSM PGP
Latest update: April 10, 2025
The OTP key manager feature powered by EviOTP HSM PGP is embedded in the PassCypher HSM PGP desktop application. It enables secure, offline generation and use of TOTP and HOTP secrets — without relying on mobile apps, cloud services, or external servers.
Unlike standard OTP apps, this innovation encrypts each OTP secret in a PGP AES-256 CBC container using segmented keys. The OTP is decrypted and displayed only in volatile memory during usage, ensuring maximum privacy and full cyber resilience.
- Support for TOTP & HOTP
- PGP-encrypted container with segmented AES-256 CBC keys
- Fully offline, no account creation, no data collection
- Sandboxed auto-login injection system included
This technology is currently deployed inside PassCypher HSM PGP, available for Windows and macOS. It allows users to manage an unlimited number of OTP keys in a sovereign and secure environment, entirely under their control.
EviOTP HSM PGP – Offline Segmented Key Manager for Secure OTP Authentication
Secure and Sovereign OTP Key Management — Without Compromise
EviOTP HSM PGP is an advanced OTP key manager for desktop environments, purpose-built for offline, zero-trust, and zero-knowledge authentication. It secures TOTP and HOTP private keys using a patented segmented AES-256 CBC encryption system, without relying on mobile apps, cloud services, or centralized databases.
Unlike conventional OTP software, each secret is encapsulated in a 1 KB PGP-encrypted container, split across two segments:
- One segment resides in the browser’s local storage.
- The other is stored on a user-chosen external medium (USB key, SD card, encrypted folder, etc.).
Decryption occurs only in RAM, during usage. As soon as the OTP code is injected automatically, the decrypted data is instantly destroyed — ensuring that secrets are never written to disk, never uploaded, and never retained.
Each OTP container includes the original login URL, enabling automatic domain sandboxing. This process validates the destination before injecting the OTP, thereby preventing typosquatting and phishing attempts.
Unlimited Encrypted Containers — Fully Duplicable, Fully Offline
Fully independent and completely serverless, EviOTP HSM PGP:
- Stores no containers internally,
- Requires no account creation,
- Operates without a master password,
- And supports unlimited containers that can be freely duplicated across storage devices.
Containers remain permanently encrypted, enabling users to transfer, copy, and use them directly from any drive. Furthermore, the system ensures that decryption occurs exclusively within its memory, preventing any need for external decryption.
With zero integration dependencies, no plugin pairing, and no mobile requirement, the system ensures a self-contained, sovereign architecture. It gives users total control over their OTP lifecycle — from secure creation and encrypted storage to seamless auto-authenticated injection — all without exposing private keys at any time.
Whether you’re securing admin consoles, managing sensitive air-gapped environments, or deploying multi-user MFA with granular access, EviOTP HSM PGP stands apart with:
- End-to-end encryption sovereignty
- Offline resilience and duplicability
- Segmented key authentication with password-based sharing
- And absolute independence from external infrastructure
EviOTP HSM PGP Manager
EviOTP HSM PGP enables encrypted storage, sharing, and usage of an unlimited number of TOTP and HOTP private keys. This full offline vault ensures maximum security and sovereignty over your 2FA secrets — with no cloud, no USB token, no smartphone dependency.
Autonomous, peer-to-peer & duplicable
EviOTP HSM PGP decentralizes OTP key management entirely away from servers, apps, or central infrastructures. It supports secure human-to-human key sharing using encrypted PGP containers — freely duplicable across drives — while enforcing segmented cryptographic trust rules. Each usage must validate all key segments, even from separate locations or supports.
True zero-trust and zero-knowledge
EviOTP HSM PGP never collects or stores any personal data.
OTP containers remain encrypted at all times and are only decrypted in volatile RAM for the duration of usage. Nothing is written to disk, nothing is retained — even temporarily. You control the key. Not the software. Not the system.
OTP containers remain encrypted at all times and are only decrypted in volatile RAM for the duration of usage. Nothing is written to disk, nothing is retained — even temporarily. You control the key. Not the software. Not the system.
Password-encrypted OTP sharing
Share OTP secrets securely with AES-256 CBC PGP encryption and a user-defined passphrase.
Each container can be transferred via QR Code, USB drive, air gap (e.g., webcam), or local storage — without ever exposing the raw OTP key.
Your OTP remains 100% encrypted, even in transit or backup, making interception or misuse impossible.
International Award-Winning Innovation – EviOTP HSM PGP
EviOTP HSM PGP applies the patented segmented-key authentication system — awarded the Gold Medal at the 2021 Geneva International Exhibition of Inventions — to offline OTP key management.
Unlike mobile apps or USB tokens, this desktop-only solution encrypts each OTP secret inside a PGP AES-256 CBC container, split across two independent segments:
- One segment is stored in the browser’s local storage.
- The other stays on an external medium chosen by the user (USB key, SD card, encrypted folder, etc.).
Decryption occurs only in volatile RAM, during usage. As soon as the OTP code is injected, the decrypted data vanishes instantly — leaving no trace.
- True zero-trust and zero-knowledge
- Offline OTP vault — no server, no cloud
- Password-protected key sharing
- Unlimited, duplicable, and autonomous containers
🔗 Learn more about the Geneva Gold Medal and the segmented-key patent
Thanks to its offline design and military-grade encryption, EviOTP HSM PGP empowers critical sectors to deploy sovereign, passwordless, and resilient authentication — without third-party trust.
Native Multi-Factor Authentication
Access to each OTP secret requires two key segments: one in local storage, one on a separate physical support. Additionally, the original URL is verified via sandboxing. Without both segments and a valid domain, the container stays encrypted and the OTP is never generated — ensuring true segmented-key 2FA.
Redundant privacy
EviOTP HSM PGP encrypts every OTP key inside a PGP container and splits it across two physically distinct locations: the browser’s local storage and a removable device. Moreover, it ensures the container is only decrypted within RAM and never stored in decrypted form, keeping the key cryptographically inaccessible—even during system compromise.
Cloudless (Serverless)
EviOTP HSM PGP operates 100% offline, without any reliance on the cloud, servers, or sync tools. Nothing is uploaded or connected. You keep total sovereignty over your OTP lifecycle — from generation and encryption to injection and disposal.
Human-to-Human Secure Key Sharing
Users actively encrypt and share OTP secrets securely with AES-256 CBC PGP containers, which are protected by a user-defined password. This ensures safe transmission across any channel, whether USB, SD, LAN, or even air gap. Furthermore, the encrypted container enforces segmented-key decryption with a domain check, ensuring no unauthorized access or alteration is possible.
End-to-end anonymity
EviOTP HSM PGP actively ensures user, system, and device anonymity. It avoids account creation, telemetry, and tracking entirely. Furthermore, during OTP sharing, it embeds trust within the encryption itself rather than relying on a third-party service, keeping the sender anonymous yet trusted by cryptographic design.
Cross-platform desktop compatibility
EviOTP HSM PGP works seamlessly on any desktop operating system that supports a web browser and local storage — including Windows, macOS, and Linux. Once installed, the extension decrypts OTP containers on demand, directly in RAM, without installing additional apps or requiring administrator rights.
You stay fully offline, in control, and independent from mobile or NFC hardware.
Zero Trust in Host Devices
Treats every computer as untrusted. OTP keys never reside on the system’s permanent memory. Codes are generated in RAM only, in real-time, and automatically destroyed after use. This ensures complete resilience against keyloggers, malware, or forensic analysis.
Without trusted third party
EviOTP HSM PGP eliminates the need for any external authority. The user sets the rules. OTP decryption conditions — the two key segments and the origin domain — are strictly enforced and cannot be bypassed. This enables sovereign peer-to-peer encryption without compromise.
Zero Dependency, Full Sovereignty
To guarantee the integrity of the EviOTP HSM PGP system, Freemindtronic designs, develops, and masters every component of the solution — from the segmented key encryption engine and browser extension to the AES-256 CBC PGP container format. This fully in-house approach ensures zero third-party code, zero cloud dependency, and zero backdoor risk. By maintaining full control over both the software and hardware components, Freemindtronic guarantees long-term auditability, resilience, and sovereignty — from concept to daily use. This industrial independence also ensures compliance with strategic requirements for civil, governmental, and defense-grade deployments, enabling EviOTP HSM PGP to operate in sensitive, air-gapped, and high-assurance environments without compromise.
.
Hybrid Encryption with Segmented Keys
EviOTP HSM PGP uses a patented split-key architecture based on AES-256 CBC encryption and PGP containerization. One key segment is stored in the browser’s local storage, while the other remains on a user-defined external device (e.g., USB drive, SD card, or encrypted folder). Decryption is only triggered when both segments are present and the original login domain matches — ensuring that secrets remain unreadable if any part is missing. This dual isolation between software and hardware environments enforces a zero-trust, zero-knowledge security model. In customized enterprise deployments, additional trust layers — such as facial recognition, device ID, BSSID, or even a remote segment key server — can be added to enforce stricter access rules based on client-specific policies.
Unique Added Values of EviOTP NFC HSM Manager
Keeper of Encryption Keys
EviOTP HSM PGP links each OTP secret to a unique pair of segmented keys. Without both key segments — one local, one external — the container remains encrypted. This guarantees that only the correct OTP key can be used, blocking any unauthorized or mismatched access.
Desktop-Only Simplicity & Speed
- Use OTP containers directly from a USB, SD card, or local folder
- No pairing, no sync, no cloud
- OTP code displayed and injected in under 3 seconds
- Fully autonomous and offline
Metadata-Free Execution
- OTP containers are never saved, cached, or indexed
- Secrets decrypted only in volatile memory
- Code is auto-injected and immediately erased
- System logs nothing, ensuring zero trace
Segmented key authentication
This technology leverages segmented AES-256 CBC encryption to enforce true human-to-human authentication. One segment stays in local storage, the other on an external device. Decryption only occurs in RAM, on demand. Usage requires both key segments and the original OTP login domain. Without these, decryption never occurs. Even after secure PGP sharing, these conditions remain immutable.
Interoperability & Compatibility
- Import any TOTP or HOTP QR code
- Use across Linux, Windows, and macOS (depending on integration)
- Compatible with PassCypher HSM PGP
- No need for browser plugins or third-party apps
Contactless Secret Manager Logic
- Generate OTP secrets as encrypted containers
- Auto-authenticate via sandboxed URL
- Prevent typosquatting with built-in domain verification
- Exchange secrets securely with AES-256 CBC + password via removable storage
Comparative Table – EviOTP NFC HSM vs OTP Key Managers
| Feature / Product | EviOTP HSM PGP | KeePassXC | Nitrokey (OTP USB) | SoloKeys (FIDO2/U2F) | WinAuth | Free OTP Plus Desktop | OTPClient | Thales CipherTrust Manager |
|---|---|---|---|---|---|---|---|---|
| Offline Use (True No Internet) | ✅ | ✅ (local mode only) | ✅ (device-generated) | ❌ (needs service/cloud) | ✅ (manual setup) | ✅ (manual setup) | ✅ (local config) | ❌ (cloud-based) |
| Serverless Architecture | ✅ | ❌ (engine + options) | ✅ (hardware embedded) | ❌ (cloud handshake) | ❌ (uses registry) | ✅ (standalone) | ✅ (local only) | ❌ (cloud architecture) |
| Database-Free | ✅ | ❌ (uses .kdbx file) | ✅ (no DB) | ✅ (but cloud backend) | ❌ (uses config files) | ✅ (flat file) | ✅ (no DB) | ❌ (requires DB) |
| Master Password / Central PIN | ❌ (not needed) | ✅ (mandatory) | ✅ (PIN required) | ✅ (device PIN) | ✅ (local protection) | ❌ (none) | ❌ (none) | ✅ (admin PIN or pass) |
| Segmented Key Encryption (AES-256 CBC) | ✅ (patented) | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Auto-Fill OTP PIN Code | ✅ (transparent) | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Sandbox URL Anti-Typosquatting | ✅ (built-in) | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
| Zero-Knowledge Model | ✅ (strict) | ❌ (data trace exists) | 🔶 (hardware-bound) | ❌ (cloud device ID) | ❌ (local trace) | ❌ (no formal ZK) | ❌ (basic local only) | ❌ (admin visibility) |
| Key Sharing (Encrypted PGP Container) | ✅ (AES-256 PGP) | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ | ❌ |
EviOTP HSM PGP – At a Glance
Unlike software apps or USB tokens, EviOTP HSM PGP is a desktop-only, fully offline OTP manager.
- No USB pairing, no cloud dependency, no mobile required.
- Secrets remain encrypted across segmented storage — decrypted only in RAM.
- Combines zero-trust design with PGP containerization and password-protected sharing.
A sovereign tool for secure, automated OTP authentication — without compromise.
Real-World Use Cases of EviOTP HSM PGP Manager
Here are specific scenarios where EviOTP HSM PGP provides unmatched segmented-key OTP security for desktop environments:
MFA for Critical Desktop Access — No Internet Required
Secure administrative access (e.g., to root accounts, servers, or internal portals) without any online dependency. EviOTP HSM PGP decrypts OTP secrets locally in RAM and auto-fills login pages — fully offline, fully autonomous.
Encrypted OTP Containers for Air-Gapped Operations
In military, classified, or confidential environments, users operate entirely without network exposure. They store OTP secrets on removable devices (USB, SD, encrypted volume) and decrypt them only on demand via segmented keys.
Controlled OTP Delegation via Segmented Key Sharing
Securely share OTP containers encrypted with AES-256 CBC and a user-defined password. Access requires both key segments and domain validation. No server, no account — just sovereign, human-to-human key exchange.
Resilient MFA for Critical Environments
Deploy EviOTP HSM PGP in high-risk sectors like forensics, infrastructure, or law enforcement. OTP secrets stay encrypted, undecryptable, and unusable until both key segments and sandbox validation are fulfilled — even under system compromise.
Privacy-Preserving OTP Access with Local Auditability
Ideal for legal, health, or compliance-sensitive use cases. Logs remain localized, container-based, and fully encrypted — giving users human-readable traceability while preserving confidentiality. No tracking, no metadata leaks.
Cyberdefense & National Security
Use case : OTP key management for classified systems (red/black separation). Prevents OTP leakage even during invasive attacks. Works offline across air-gapped defense infrastructures with no USB or Bluetooth.
DevOps / Sysadmin Operations
Use case : Seamless MFA login to admin panels, servers (SSH/RDP), or internal tools. Auto-injection of OTP code in browser login forms using segmented key encryption — no mobile needed.
Finance & External Auditing
Use case : Use encrypted OTP containers during audits to access regulation-sensitive accounts. OTP secrets remain confined to certified devices, sharable without cloud sync or admin involvement.
Legal & Regulatory Compliance – EviOTP HSM PGP
As a fully sovereign and offline software solution, EviOTP HSM PGP enforces the highest standards of cybersecurity, encryption, and data protection — without relying on any server, database, or centralized password.
Although not certified by third-party entities, this OTP key manager strictly complies with — and often exceeds — internationally recognized regulations and technical norms.
GDPR-Aligned by Architecture
- EviOTP HSM PGP never collects, stores, or transmits personal data.
- No account creation, no master password, no tracking of usage or metadata.
- Operates 100% locally, without network connectivity or remote dependencies.
- Follows the core principles of the GDPR: data minimization, privacy by design, and user sovereignty.
Standards-Compliant Technology
Developed in strict alignment with major security standards, including:
- AES-256 CBC — for military-grade encryption of OTP key containers
- PGP Encryption — for secure, user-controlled OTP key sharing
- RFC 6238 & RFC 4226 — full support for TOTP and HOTP protocols
- Segmented Key Architecture — enabling zero trust and zero knowledge usage
- Sandboxed URL Injection — ensures phishing-resistant, domain-verified OTP entry
Ready for Civil, Government & Defense Use
Built for sensitive sectors including national security, critical infrastructure, healthcare, and regulated industries:
- No foreign technologies or cloud platforms involved
- Works entirely offline — with or without internet access
- Supports air-gapped environments
- Secrets remain securely stored and protected, ensuring immunity to malware and infostealers.
- Certified zero server, zero database, zero central point of failure
⚖️ EviOTP HSM PGP provides legal-grade confidentiality and unmatched operational independence — for professionals who cannot afford compromise.