🔐 What is PGP and Why Use It?

PGP (Pretty Good Privacy) is a data encryption program that provides cryptographic privacy and authentication. On darknet markets, it's essential for:

  • Encrypting sensitive information - Your address, order details, and personal data
  • Verifying vendor identity - Confirming you're talking to the real vendor
  • Two-factor authentication - Many markets use PGP-based 2FA
  • Preventing phishing - Verify signed market messages

Recommended PGP Software

🔑

Kleopatra

Windows / Linux

Part of the Gpg4win suite. User-friendly GUI with full PGP functionality. Best for beginners.

gpg4win.org
🍎

GPG Suite

macOS

Complete GPG solution for Mac with Mail integration and Keychain access. Native macOS experience.

gpgtools.org
💻

GnuPG Command Line

All platforms

The underlying GPG engine. Most powerful but requires command line knowledge.

gnupg.org

Step-by-Step PGP Setup Guide

Step 1

Install PGP Software

Download and install Kleopatra (included in Gpg4win) for Windows or GPG Suite for Mac.

  1. Download from official website only
  2. Verify the download signature if possible
  3. Run the installer with default options
  4. Restart your computer after installation

âš ī¸ Security Warning

Only download PGP software from official sources. Malicious versions can steal your keys and expose your encrypted communications.

Step 2

Generate Your Key Pair

Create your personal PGP key pair. This consists of a public key (shared with others) and a private key (kept secret).

  1. Open Kleopatra and click "New Key Pair"
  2. Select "Create a personal OpenPGP key pair"
  3. Enter a pseudonym (NOT your real name)
  4. Enter a fake email (e.g., anonymous@example.com)
  5. Click "Advanced Settings":
    • Key Material: RSA
    • Key Size: 4096 bits
    • Expiration: Never or 1-2 years
  6. Create a strong passphrase (16+ characters)

💡 Passphrase Tips

Use a random passphrase with uppercase, lowercase, numbers, and symbols. Write it down on paper and store securely. Without this passphrase, you cannot use your private key.

Step 3

Export Your Public Key

You need to share your public key so others can send you encrypted messages.

  1. In Kleopatra, right-click on your key
  2. Select "Export" or "Export to File"
  3. Save as .asc file
  4. Open the file with Notepad to see the ASCII text

Example Public Key Block:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGV...
(thousands of random characters)
...=AB12
-----END PGP PUBLIC KEY BLOCK-----

Upload this public key block to your market profile for vendors to contact you securely.

Step 4

Import Vendor Public Keys

To send encrypted messages to vendors, you need their public key.

  1. Copy the vendor's public key from their profile
  2. In Kleopatra, go to File > Import
  3. Paste the key and click Import
  4. The vendor's key appears in your keyring

â„šī¸ Key Trust

Always obtain vendor keys from their authenticated market profile. Phishing sites may display fake public keys to intercept your communications.

Step 5

Encrypt a Message

When sending sensitive information like your address, always encrypt it.

  1. Open Kleopatra's Notepad tool (or any text editor)
  2. Type your message with all required information
  3. Select all text and copy it
  4. In Kleopatra: Clipboard > Encrypt
  5. Select the recipient's public key
  6. Optionally sign with your key
  7. Click Encrypt
  8. The encrypted message is now in your clipboard

Encrypted Message Example:

-----BEGIN PGP MESSAGE-----

hQIMA...
(encrypted content)
...=XyZ9
-----END PGP MESSAGE-----

Paste this encrypted block into the market's message system.

Step 6

Decrypt Messages

When you receive an encrypted message from a vendor:

  1. Copy the entire encrypted message block (including headers)
  2. In Kleopatra: Clipboard > Decrypt
  3. Enter your passphrase when prompted
  4. The decrypted message appears

âš ī¸ Never Share Your Private Key

Your private key and passphrase must remain secret. Anyone with access to them can read all your encrypted messages and impersonate you.

🔍 How to Verify PGP Signatures

Verifying signatures confirms that a message was written by the claimed sender and hasn't been modified.

  1. Copy the signed message - Include everything from "-----BEGIN PGP SIGNED MESSAGE-----" to "-----END PGP SIGNATURE-----"
  2. Open Kleopatra - Go to Clipboard > Decrypt/Verify
  3. Check the result:
    • ✅ Green = Valid signature from known key
    • âš ī¸ Yellow = Valid but key not certified
    • ❌ Red = Invalid or tampered message
  4. Verify the key fingerprint - Match it against the vendor's published fingerprint

Signed Message Example:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This is my authenticated market profile. My public key fingerprint is:
ABCD 1234 EFGH 5678 IJKL 9012 MNOP 3456 QRST 7890

All other profiles claiming to be me are FAKE.
-----BEGIN PGP SIGNATURE-----

iQIz...
(signature data)
...=ABC1
-----END PGP SIGNATURE-----
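What step 4 of the verification procedure ("match the fingerprint") means at the GnuPG level, as an added example that is not part of this guide. A green or valid result only says that some key in your keyring produced the signature; the fingerprint comparison is what separates the real sender from a look-alike key with the same name. The example below builds a genuine key and a look-alike key, imports both into a reader's keyring, and shows the three outcomes: a genuine signed message, a tampered copy, and a message signed by the look-alike. It assumes gpg (GnuPG 2.1 or later) on the PATH; names, passphrases and texts are constructed. Note that a real fingerprint is 40 hexadecimal digits for the common v4 keys (the `ABCD 1234 EFGH ...` line in the sample above is a placeholder, since G-T are not hex digits).

```shell
#!/usr/bin/env bash
# Added example, not part of the guide: signature verification with gpg's
# machine-readable status output, plus the fingerprint check that Kleopatra's
# colour alone does not perform. Assumes gpg (GnuPG 2.1 or later) on PATH.
# All names, passphrases and message texts are constructed.
set -eu

g() { h=$1; shift; gpg --homedir "$h" --batch --yes --quiet --pinentry-mode loopback "$@"; }

# Primary-key fingerprint (40 hex digits) of the key matching a user id.
fingerprint() { g "$1" --with-colons --fingerprint "$2" | awk -F: '/^fpr/ { print $10; exit }'; }

# Verify a clear-signed file. The --status-fd lines are the stable interface;
# the human-readable "Good signature" text is not meant for parsing.
# Prints the signer's primary-key fingerprint for a valid signature,
# otherwise BADSIG, NO_PUBKEY or ERROR.
verify_fpr() {  # <home> <file>
  status=$(g "$1" --status-fd 1 --verify "$2" 2>/dev/null) || true
  case "$status" in
    *"[GNUPG:] VALIDSIG "*) printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG / { print $NF; exit }' ;;
    *"[GNUPG:] BADSIG "*)    echo BADSIG ;;     # signature present but the text was changed
    *"[GNUPG:] NO_PUBKEY "*) echo NO_PUBKEY ;;  # no key in the keyring to check against
    *) echo ERROR ;;
  esac
}

# Kleopatra's green result corresponds to VALIDSIG. Comparing the fingerprint with the
# one the sender published out of band is what rejects a look-alike key.
check_sender() {  # <home> <file> <expected fingerprint> -> OK | IMPOSTOR | BADSIG | NO_PUBKEY | ERROR
  got=$(verify_fpr "$1" "$2")
  case "$got" in
    "$3") echo OK ;;
    BADSIG|NO_PUBKEY|ERROR) echo "$got" ;;
    *) echo IMPOSTOR ;;   # valid signature, but not the key we expected
  esac
}

demo() {
  work=$(mktemp -d); vendor=$work/vendor; lookalike=$work/lookalike; reader=$work/reader
  mkdir -p "$vendor" "$lookalike" "$reader"; chmod 700 "$vendor" "$lookalike" "$reader"

  # Two different keys carrying the same name: the genuine one and a look-alike.
  g "$vendor"    --passphrase pw-vendor-constructed --quick-generate-key "vendor <vendor@example.com>" rsa4096 default 2y
  g "$lookalike" --passphrase pw-fake-constructed   --quick-generate-key "vendor <vendor@example.com>" rsa4096 default 2y
  expected=$(fingerprint "$vendor" vendor@example.com)   # the fingerprint published out of band

  # The reader's keyring ends up holding both public keys, as happens after a phishing profile.
  g "$vendor"    --armor --export vendor@example.com | g "$reader" --import
  g "$lookalike" --armor --export vendor@example.com | g "$reader" --import

  text='This is my authenticated profile. All other profiles claiming to be me are FAKE.'
  printf '%s\n' "$text" | g "$vendor"    --passphrase pw-vendor-constructed --clearsign > "$work/genuine.asc"
  printf '%s\n' "$text" | g "$lookalike" --passphrase pw-fake-constructed   --clearsign > "$work/lookalike.asc"
  sed 's/FAKE/GENUINE/' "$work/genuine.asc" > "$work/tampered.asc"   # edit the signed text after signing

  r_genuine=$(check_sender "$reader" "$work/genuine.asc" "$expected")
  r_tampered=$(check_sender "$reader" "$work/tampered.asc" "$expected")
  r_fake=$(check_sender "$reader" "$work/lookalike.asc" "$expected")

  for d in "$vendor" "$lookalike" "$reader"; do gpgconf --homedir "$d" --kill gpg-agent 2>/dev/null || true; done
  rm -rf "$work"
  echo "$r_genuine $r_tampered $r_fake"   # OK BADSIG IMPOSTOR
}

if command -v gpg >/dev/null 2>&1; then demo; else echo "gpg not installed; nothing to demonstrate" >&2; fi
```

The look-alike case is the one the guide's yellow and green results cannot distinguish: both messages verify, because both keys are in the keyring. Only the comparison against a fingerprint obtained from an independent, already-trusted source turns the second one into a rejection.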

đŸ›Ąī¸ PGP Best Practices

🔒 Protect Your Private Key

Store your private key in an encrypted container. Never copy it to cloud storage or share it with anyone, ever.

💾 Backup Your Keys

Create encrypted backups of your key pair. Store backups in multiple secure physical locations.

🔑 Use Strong Passphrases

Your passphrase protects your private key. Use 20+ characters with mixed case, numbers, and symbols.

✅ Always Verify Signatures

Before trusting any market announcement or vendor message, verify the PGP signature matches the expected key.

🔄 Consider Key Rotation

For long-term use, rotate your keys every 1-2 years. Generate new keys and update your profiles.

📧 Encrypt ALL Sensitive Data

Never send addresses, payment details, or personal information unencrypted. Always use PGP for sensitive communications.

❌ Common PGP Mistakes to Avoid

🚫 Sending Address Unencrypted

Always encrypt your shipping address with the vendor's public key. An unencrypted address can be read by anyone who can see the market's message store, not only the vendor.

🚫 Using Weak Passphrases

A short or guessable passphrase can be brute-forced offline by anyone who obtains a copy of your private key file, so a weak passphrase defeats the purpose of protecting the key.

🚫 Not Verifying Vendor Keys

Encrypting to a fake key means the scammer can read your message. Always verify key fingerprints.

🚫 Storing Keys Insecurely

Keys saved in plain text or cloud storage can be compromised. Use encrypted storage.