PGP Encryption Guide 2026 | Keys, Encryption & Signatures

What is PGP?

PGP (Pretty Good Privacy) is an encryption program that provides cryptographic privacy and authentication. GPG (GNU Privacy Guard) is the free, open-source implementation of the OpenPGP standard.

PGP uses a pair of keys - a public key that anyone can use to encrypt messages to you, and a private key that only you have to decrypt them. It also allows digital signatures to verify message authenticity.

Why PGP Matters for Darknet

Encrypt shipping addresses - Only the vendor can read your address
Verify market mirrors - Signed mirror lists prove authenticity
Secure vendor communication - Private messages stay private
Two-factor authentication - Many markets use PGP 2FA
Identity verification - Proves you are who you claim to be

Video Tutorials

Learn PGP from trusted privacy educators:

How PGP Works

Computerphile - Technical explanation of public key cryptography

GPG Encryption Tutorial

David Bombal - Practical GPG guide

PGP with Kleopatra (Windows)

The Hated One - GUI-based PGP for beginners

Using PGP on Tails OS

Techlore - Secure PGP setup on Tails

Installation

Linux (Debian/Ubuntu)

GPG is usually pre-installed. If not:

sudo apt update
sudo apt install gnupg

For Arch Linux:

sudo pacman -S gnupg

Windows

Download Gpg4win from the official site:

https://www.gpg4win.org/download.html

Gpg4win includes Kleopatra (GUI) and GnuPG (command line). Verify the download signature before installing.

macOS

Install via Homebrew:

brew install gnupg

Or download GPG Suite from gpgtools.org (includes GUI).

Tails OS

GPG is pre-installed on Tails. Access it via:

Applications > Utilities > Passwords and Keys (GUI)
Terminal for command line access

Tails automatically stores keys in persistent storage if enabled.

Generate Your Key Pair

Create your personal PGP key pair:

gpg --full-generate-key

When prompted, select:

Key type: RSA and RSA (default) or ECC (more modern)
Key size: 4096 bits (maximum security)
Expiration: 1-2 years recommended (can be extended)
Name: Use a pseudonym, not your real name
Email: Use a disposable/anonymous email or leave blank
Passphrase: Strong, unique passphrase - memorize it!

                Important: Your passphrase protects your private key. If someone gets your private key file, the passphrase is your last line of defense. Use at least 20 characters with mixed case, numbers, and symbols.
            

Export Your Public Key

gpg --armor --export your@email.com > public_key.asc

Backup Your Private Key

gpg --armor --export-secret-keys your@email.com > private_key.asc

Warning: NEVER share your private key. Store backups encrypted on offline storage. If your private key is compromised, all your encrypted messages can be read.

Import Keys

To communicate with someone, you need their public key:

Import a Public Key

gpg --import vendor_public_key.asc

Import from Keyserver

gpg --keyserver hkps://keys.openpgp.org --recv-keys KEY_ID

Verify Key Fingerprint

gpg --fingerprint vendor@email.com

Always verify the fingerprint through a second channel to ensure you have the correct key.

Encrypt & Decrypt Messages

Encrypt a Message

# Encrypt for a recipient (use their public key)
gpg --armor --encrypt --recipient vendor@email.com message.txt

# Output: message.txt.asc (encrypted file)

Encrypt Directly from Command Line

echo "Your shipping address here" | gpg --armor --encrypt --recipient vendor@email.com

Decrypt a Message

gpg --decrypt encrypted_message.asc

You'll be prompted for your passphrase. The decrypted message will display in terminal.

Sign & Verify Messages

Sign a Message

# Clear-sign (readable message with signature)
gpg --clearsign message.txt

# Detached signature (separate .sig file)
gpg --detach-sign message.txt

Verify a Signature

# Verify clear-signed message
gpg --verify signed_message.asc

# Verify detached signature
gpg --verify message.txt.sig message.txt

Verification confirms the message came from the claimed sender and hasn't been modified.

                Market Verification: Always verify signed mirror lists before accessing darknet markets. This prevents phishing attacks that steal your credentials.
            

GitHub Resources

Official tools and useful PGP software:

GnuPG

Official GPG implementation source code

github.com/gpg/gnupg

Gpg4win

Windows GPG suite with Kleopatra GUI

github.com/gpg/gpg4win

OpenKeychain (Android)

PGP encryption for Android devices

github.com/open-keychain/open-keychain

Sequoia PGP

Modern OpenPGP implementation in Rust

github.com/sequoia-pgp/sequoia

OpenPGP.js

JavaScript implementation of OpenPGP

github.com/openpgpjs/openpgpjs

Pass (Password Store)

GPG-based password manager

github.com/zx2c4/password-store

Best Practices

Use unique keys for darknet - Don't reuse keys from your regular identity
Set expiration dates - Forces key rotation, limits damage from compromise
Backup securely - Encrypted offline storage, multiple locations
Verify fingerprints - Always confirm through multiple channels
Use strong passphrases - 20+ characters, memorized not written
Generate keys on secure system - Preferably Tails or air-gapped machine
Never share private keys - No exceptions, ever

Common Commands Reference

# List all keys
gpg --list-keys
gpg --list-secret-keys

# Delete a key
gpg --delete-key KEY_ID
gpg --delete-secret-key KEY_ID

# Edit key (add email, extend expiry, etc.)
gpg --edit-key KEY_ID

# Refresh keys from keyserver
gpg --refresh-keys

# Search keyserver
gpg --keyserver hkps://keys.openpgp.org --search-keys "search term"