NSC 67: Whisply & OnlyKey Updates


Secure File Transferring with Whisply

With encryption becoming more popular in recent years, there is no lack of means to send encrypted files in this digital age. The only issue we face is the ease of use with some of these tools. As we saw with Boxcryptor in our last issue, it is possible to use existing cloud storage providers securely using a third party application. This allows someone to use their same Google Drive, Dropbox, etc that they’ve been using for years and now almost effortlessly add a layer of security between them and the storage provider. This time, we’ll look at Whisply, a way to send files securely using Dropbox, Google Drive, or OneDrive.


Whisply is very simple to use and the only thing required to start sending files is having a Dropbox, Google Drive or OneDrive account. While we don’t encourage using cloud storage, especially when its attached to your name, but if you use Whisply or Boxcryptor, at least your files will only be readable by you. This is a huge improvement to uploading your nudes and hoping that your cloud storage provider doesn’t take a peek. Cloud storage accounts are also very easy to setup non-attributively and their main benefit is: they’re free. Uploading files are done by choosing the file you want to upload, authenticating with your cloud storage provider and waiting for it to encrypt, then uploading the file.


Whisply uses AES 256 encryption using your browser’s built-in WebCrypto library to encrypt your uploaded files. With the free version, your files are automatically deleted from their server within 12 hours. With a Boxcryptor paid account, you gain access to custom expiration times and the option to set one-time downloads of uploaded files.


Whisply has three security levels to choose from when sending files: link, link and pin, and link and password. With link, a random link is generated and is the only thing required to download the files. With link and pin, a random link is generated coupled with a random pin. Link and password gives you a random generated link and the uploader gets to choose a custom password. We tried a 128 character password and there doesn’t seem to be a limit or any trimming of the password.

The link and password option is obviously the most secure option, but if you’re already using secure means to send the link, such as Signal, the link option will work as the link is basically a password itself. Never send your link and pin/password through an insecure channel! If a secure channel is unavailable, use two insecure channels, as both would need to be compromised at the same time. If someone has access to both your text messages and your email, chances are you messed up a long time ago.


Whisply is just another tool in the tool belt that uses existing infrastructure to send secure files. Unlike other encrypted file sending services, Whisply doesn’t own the infrastructure. This is good in the sense that we don’t have to worry about them suddenly shutting down because they can’t afford the server cost. Unless the apocalypse comes, we don’t have to worry about Google, DropBox or Microsoft shutting down their cloud services. This is why it’s great to be able to use their existing infrastructure to share encrypted files. As far as paying for the advanced features of Whisply, is it worth it? With the yearly cost being only $48 ($4 a month) for a Boxcryptor personal account, we think it is. This also gives you advanced features for Boxcryptor such as filename encryption, unlimited devices, unlimited cloud providers, etc. You can find pricing details here.

Update on the OnlyKey

We’ve been using the OnlyKey quite a lot recently and we love it. A firmware update was just released that added a few much needed features that we would like to share. First off, the 12 plausible deniability slots, the useless for Americans who never leave the country feature, is now optional. Those slots were meant for countries that ban encryption, but the US currently has no laws in place concerning encryption. This limited US customers to only 12 slots unless you use the other 12 slots that utilize no encryption (not a good idea).

Enjoy 5% off your OnlyKey purchase using our referral link: https://onlykey.io/tpidg

But now you have the ability to have two “profiles”. These “profiles” have 12 slots each and are accessed with separate PINs and both are now encrypted with that PIN. Don’t believe us? Try to change your PIN, then try to access a slot. With the plausible deniability slots, changing the PIN had no effect as those were not encrypted. It’s always good to verify before you put your whole life on a USB dongle.


New Features


  • Updates are now done through the app. No more downloading third party software to update the firmware of the device, this is now all handled through the app. The OnlyKey app will now notify you when there is a new update.
  • Updates no longer wipe out account data. This eliminates the need to backup your OnlyKey, update it, then restore it from backup. It’s as simple as updating to the new version and enjoying it’s new features. That doesn’t mean you shouldn’t back it up often though!
  • The OnlyKey can now be backed up with only a password instead of a password protected PGP key. This is good if you don’t want to mess with PGP, but you still want to back up your device. We believe this makes it much more viable password manager device for the masses. Most people don’t know how to make a PGP key and therefore would not backup their OnlyKey.
  • Touch sense was updated and seems to be a bit better. We don’t notice a huge difference, but there seems to be a lot less touching, not seeing the light blink, then touching it again.

Planned Features

The OnlyKey team also plans to add additional features in the coming months:

  • FIDO 2.0 support, this will allow you to use your OnlyKey as a second factor token for any website or app that currently supports it.
  • KeePassXC support by adding HMAC-SHA1. This will give you the ability to add a second factor to your existing KeePassXC databases by using something that normally only works for Yubikey.
  • Real OpenPGP support. Instead of using their app to encrypt messages, they plan on adding native support so you can encrypt messages right where they are.


Leave a Reply

Your email address will not be published. Required fields are marked *