Tessera is a command-line tool for end-to-end encrypted messaging using asymmetric cryptography. Generate keypairs, encrypt messages for your contacts, and sign your work — entirely on your machine.
A focused toolset built on proven RSA asymmetric cryptography — no accounts, no cloud sync, no telemetry.
Create named keypairs stored locally in a DPAPI-encrypted store. Your private keys never leave your machine. List and remove identities as your needs change.
Store contacts by username and public key. No directory server — just exchange public keys out-of-band and add them locally. Contacts are stored separately from your private keys.
Encrypt any stdin payload for a contact's public key. Optionally sign it with your own identity so the recipient can verify authorship. Decrypt with your private key.
Produce a detached signature over any message using your private key. Recipients holding your public key can independently verify the message was unaltered and signed by you.
Your store is protected by a passphrase and encrypted with Windows DPAPI. A 10-minute session cache means you type your passphrase once per session, not once per command.
Run tessera --self-test after install or migration to verify your cryptographic stack is working correctly. No passphrase or store required.
Three concepts. Five minutes to set up.
Generate an RSA keypair under a chosen username. The private key is stored locally; share only the public key.
❯ tessera identity create alice Public key: MIIBIjAN...
Exchange public keys with whoever you communicate with — over email, chat, or any channel you trust — and register them locally.
❯ tessera contact add bob MIIBIjAN...
Pipe any message through Tessera to encrypt it for a contact. Optionally sign it so they can verify it came from you.
❯ echo "Hello" | tessera \ message encrypt bob alice gX4mP2nKsR7wQ...
Every command Tessera supports, at a glance.
identity create <username>Generates a new RSA keypair and prints the public key.
identity listLists all stored identity names.
identity delete <username>Permanently removes an identity and its private key.
contact add <username> <public_key>Registers a contact with their base-64 encoded public key.
contact listLists all registered contact names.
contact remove <username>Removes a contact from the local contact book.
message encrypt <contact> [<identity>]Encrypts stdin with the contact's public key. Optionally signs with your identity's private key — two output lines: ciphertext and signature.
message decrypt <identity> [<contact>]Decrypts stdin with your identity's private key. Optionally verifies the signature against a known contact.
message sign <identity>Signs stdin with your private key and outputs the message and signature as separate base-64 lines.
message verify <contact>Verifies the signature and recovers the original plaintext, or throws if the message was tampered.
--self-testGenerates a throwaway keypair, encrypts a known string, decrypts it, and prints PASS or FAIL. No passphrase or store required. Ideal for verifying an install.
Tessera CLI is free forever. Paid products built on top will follow.
A native WinForms application wrapping the same cryptographic core in a polished GUI. Manage identities and contacts visually, compose and read encrypted messages without touching a terminal.
Bring end-to-end encryption to the platforms your team already uses. Tessera integrations for Slack and Discord will let you encrypt and decrypt messages inline, without leaving your chat client.
A single executable for Windows. No installer, no runtime, no account required.
Requires Windows 10 or later · .NET 8 runtime · No installer needed