PGP Tutorial for Darknet Markets
Learn how to encrypt messages, verify signatures, and communicate securely with vendors
What is PGP and Why Use It?
PGP (Pretty Good Privacy) is a data encryption program that provides cryptographic privacy and authentication. On darknet markets, it's essential for:
- Encrypting sensitive information - Your address, order details, and personal data
- Verifying vendor identity - Confirming you're talking to the real vendor
- Two-factor authentication - Many markets use PGP-based 2FA
- Preventing phishing - Verify signed market messages
Recommended PGP Software
Kleopatra (Windows / Linux)
Part of the Gpg4win suite. User-friendly GUI with full PGP functionality. Best for beginners.
gpg4win.org
GPG Suite (macOS)
Complete GPG solution for Mac with Mail integration and Keychain access. Native macOS experience.
gpgtools.org
GnuPG Command Line (All platforms)
The underlying GPG engine. Most powerful but requires command line knowledge.
gnupg.org
Step-by-Step PGP Setup Guide
Install PGP Software
Download and install Kleopatra (included in Gpg4win) for Windows or GPG Suite for Mac.
- Download from official website only
- Verify the download signature if possible
- Run the installer with default options
- Restart your computer after installation
Security Warning
Only download PGP software from official sources. Malicious versions can steal your keys and expose your encrypted communications.
Generate Your Key Pair
Create your personal PGP key pair. This consists of a public key (shared with others) and a private key (kept secret).
- Open Kleopatra and click "New Key Pair"
- Select "Create a personal OpenPGP key pair"
- Enter a pseudonym (NOT your real name)
- Enter a fake email (e.g., anonymous@example.com)
- Click "Advanced Settings":
  - Key Material: RSA
  - Key Size: 4096 bits
  - Expiration: Never or 1-2 years
- Create a strong passphrase (16+ characters)
Passphrase Tips
Use a random passphrase with uppercase, lowercase, numbers, and symbols. Write it down on paper and store it securely. Without this passphrase, you cannot use your private key.
Export Your Public Key
You need to share your public key so others can send you encrypted messages.
- In Kleopatra, right-click on your key
- Select "Export" or "Export to File"
- Save as .asc file
- Open the file with Notepad to see the ASCII text
Example Public Key Block:
Upload this public key block to your market profile for vendors to contact you securely.
Import Vendor Public Keys
To send encrypted messages to vendors, you need their public key.
- Copy the vendor's public key from their profile
- In Kleopatra, go to File > Import
- Paste the key and click Import
- The vendor's key appears in your keyring
Key Trust
Always obtain vendor keys from their authenticated market profile. Phishing sites may display fake public keys to intercept your communications.
Encrypt a Message
When sending sensitive information like your address, always encrypt it.
- Open Kleopatra's Notepad tool (or any text editor)
- Type your message with all required information
- Select all text and copy it
- In Kleopatra: Clipboard > Encrypt
- Select the recipient's public key
- Optionally sign with your key
- Click Encrypt
- The encrypted message is now in your clipboard
Encrypted Message Example:
Paste this encrypted block into the market's message system.
Decrypt Messages
When you receive an encrypted message from a vendor:
- Copy the entire encrypted message block (including headers)
- In Kleopatra: Clipboard > Decrypt
- Enter your passphrase when prompted
- The decrypted message appears
Never Share Your Private Key
Your private key and passphrase must remain secret. Anyone with access to them can read all your encrypted messages and impersonate you.
How to Verify PGP Signatures
Verifying signatures confirms that a message was written by the claimed sender and hasn't been modified.
- Copy the signed message - Include everything from "-----BEGIN PGP SIGNED MESSAGE-----" to "-----END PGP SIGNATURE-----"
- Open Kleopatra - Go to Clipboard > Decrypt/Verify
- Check the result:
  - Green = Valid signature from known key
  - Yellow = Valid but key not certified
  - Red = Invalid or tampered message
- Verify the key fingerprint - Match it against the vendor's published fingerprint
Signed Message Example:
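Copying the whole block matters because a signature covers only the text between the "BEGIN PGP SIGNED MESSAGE" headers and the "BEGIN PGP SIGNATURE" line. The following is an added example, not part of the original tutorial: it separates the covered text from anything pasted around it, using the OpenPGP cleartext signature layout. It checks structure only and does not verify the signature; `split_clearsigned` and the sample text are constructed for illustration.

```python
import re

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
END_SIG = "-----END PGP SIGNATURE-----"

def split_clearsigned(pasted):
    """Split pasted text into what the signature covers and what it does not."""
    lines = [l.rstrip() for l in pasted.splitlines()]
    try:
        start = lines.index(BEGIN_MSG)
        sig = lines.index(BEGIN_SIG, start + 1)
        end = lines.index(END_SIG, sig + 1)
    except ValueError:
        raise ValueError("incomplete block: a BEGIN/END marker line is missing")
    # Armor headers run up to the first empty line; this strict check
    # accepts only "Hash:" headers there.
    body = start + 1
    while body < sig and lines[body] != "":
        if not re.fullmatch(r"Hash: [A-Za-z0-9, -]+", lines[body]):
            raise ValueError("unexpected header line: %r" % lines[body])
        body += 1
    signed = []
    for line in lines[body + 1:sig]:
        if line.startswith("- "):
            signed.append(line[2:])  # undo dash-escaping
        elif line.startswith("-"):
            raise ValueError("unescaped '-' line inside the signed text")
        else:
            signed.append(line)
    # Non-empty lines before BEGIN or after END are not covered by the signature.
    outside = [l for l in lines[:start] + lines[end + 1:] if l]
    return {"signed_text": "\n".join(signed), "unsigned_lines": outside}

# Constructed sample; the signature body is a placeholder, not real data.
SAMPLE = """This line sits above the signed block
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Official notice dated 2024-01-01.
- -- The team
-----BEGIN PGP SIGNATURE-----

(placeholder)
-----END PGP SIGNATURE-----
This line was added after the signature
"""
```

Anything reported in `unsigned_lines` should be treated as unauthenticated, even when the verification result for the block is green.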
PGP Best Practices
Protect Your Private Key
Store your private key in an encrypted container. Never copy it to cloud storage or share it with anyone, ever.
Backup Your Keys
Create encrypted backups of your key pair. Store backups in multiple secure physical locations.
Use Strong Passphrases
Your passphrase protects your private key. Use 20+ characters with mixed case, numbers, and symbols.
Always Verify Signatures
Before trusting any market announcement or vendor message, verify the PGP signature matches the expected key.
Consider Key Rotation
For long-term use, rotate your keys every 1-2 years. Generate new keys and update your profiles.
Encrypt ALL Sensitive Data
Never send addresses, payment details, or personal information unencrypted. Always use PGP for sensitive communications.
Common PGP Mistakes to Avoid
Sending Address Unencrypted
Always encrypt your shipping address with the vendor's public key. Unencrypted addresses can be read by anyone with market access.
Using Weak Passphrases
Simple passwords can be cracked. A weak passphrase defeats the purpose of encryption.
Not Verifying Vendor Keys
Encrypting to a fake key means the scammer can read your message. Always verify key fingerprints.
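The fingerprint check named here, in the Key Trust note and in the signature verification steps, can be scripted against the machine-readable key listing from the GnuPG command line (`gpg --with-colons --fingerprint`). This is an added example, not part of the original tutorial: the function names are hypothetical and the listing is constructed, and it compares the full primary-key fingerprint while refusing short key IDs.

```python
import re

def normalize(fpr):
    """Strip display formatting (spaces, colons, leading 0x); upper-case the hex."""
    digits = re.sub(r"[\s:]", "", fpr)
    if digits[:2].lower() == "0x":
        digits = digits[2:]
    if not re.fullmatch(r"[0-9A-Fa-f]+", digits):
        raise ValueError("fingerprint contains non-hex characters")
    return digits.upper()

def primary_fingerprints(colon_listing):
    """Fingerprints of primary keys in `gpg --with-colons --fingerprint` output.

    The fpr record after a pub record is the primary key's; the one after a
    sub record belongs to a subkey and is skipped.
    """
    found, last = [], None
    for line in colon_listing.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            last = fields[0]
        elif fields[0] == "fpr" and last == "pub" and len(fields) > 9:
            found.append(fields[9].upper())
            last = None
    return found

def check_imported_key(colon_listing, published):
    want = normalize(published)
    if len(want) < 40:  # 8- or 16-digit key IDs are only the tail of a fingerprint
        return "short-id"
    keys = primary_fingerprints(colon_listing)
    if len(keys) != 1:
        return "ambiguous"  # nothing imported, or more than one key in the block
    return "match" if keys[0] == want else "mismatch"

# Constructed listing (all values made up), trimmed to the records used here.
LISTING = """pub:-:4096:1:89ABCDEF01234567:1700000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1700000000::::pseudonym <anonymous@example.com>:
sub:-:4096:1:0011223344556677:1700000000::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA980011223344556677:
"""
```

A result other than `match` means the imported key should not be used for encryption until the published fingerprint has been re-checked.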
Storing Keys Insecurely
Keys saved in plain text or cloud storage can be compromised. Use encrypted storage.