GPG is probably not the best choice for IM because it lacks Perfect Forward Secrecy. Meaning if someone obtains the key they can read all consent ever encrypted with it both past and present.

PFS requires that both endpoints communicate together so for email's "fire and forget" structure it didn't make sense. But for IM it sure does.

note that with email, you can still choose to advance the ratchet every time a round trip happens by pure coincidence or whatever.

There's also deniable authentication: in the case of email, a simple pre-shared key (instead of public/private) means that the recipient of an email can't prove they didn't forge it.

With encrypted email you get perfect deniability simply by not signing the message in the first place.

* https://articles.59.ca/doku.php?id=pgpfan:repudiability

If you use a hardware key, forward secrecy doesn’t matter.

Of course it does. The attacker just has to steal your token and pin. Because it's unique (well it should be if you generated the key on token as you should have) it's not possible to do so without the target's knowledge. But you can still decypher all past intercepts with it.

Also, some types of tokens like the original openpgp card don't have touch to sign functionality. So it's possible to 'milk' them for decrypts though the gpg agent. This is why I only use Yubikeys now that do have this functionality (though by default it's off!)

Clients like Pidgin have an OTR (off the record) plugin that will do end to end encryption over random channel IIRC. It's possible.

Definitely. I was doing EE2E with friends using Pidgin and OTR plugin (just because it was possible, not that we were discussing anything sensitive) over ICQ and MSN... so ages before TextSecure (now Signal) was even a thing.

* https://news.ycombinator.com/item?id=36091710

The tricky bit is the auto-paste into and auto-copy out of the message app where the people that make the app might be actively hostile to your activity. See Mailvelope[1] for an example of doing this sort of thing for webmail.

If you are willing to do things manually then PGP works with anything already.

[1] https://mailvelope.com/

Ditch commercial "free" messaging, deploy your own Matrix instance and make accounts for your friends and family who can't.

Yeah that's probably the way.

Briar, matrix, mumble. All decent options though with their own flaws.

If briar can get onto iOS with its full features, it would be incredible. Maybe clean up the UI to look like it was designed past android 7.

Like this? https://f-droid.org/packages/io.oversec.one/

I used to do something similar over Google chat with OTR. It was possible with Facebook too, before they dropped XMPP support.