Guides and Review Apr 02, 2023

How to use PGP keys?


PGP

[Starting with Tails 5.0, the Tails developers switched PGP software. If you are using an older version of Tails, you should upgrade to the newest version. This guide covers using PGP in versions 5.0 and newer.]

General information

Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting, and decrypting texts, e-mails and files and to increase the security of email communications.

A typical darknet user will use PGP to:

Encrypt messages

  • To encrypt the shipping address and other sensitive information so only the vendor can read it.

Decrypt messages

  • Vendors will encrypt sensitive shipping information for you (e.g. tracking codes).
  • Decrypting a message is sometimes required to log in to a market.

Verify messages

  • To verify that a market link is legit and not a phishing site.

Learning how to use PGP is very important. You don’t ever want your personal details to fall into the hands of law enforcement. Please carefully read through all sections in this chapter.

FAQ

What if I sent a message without PGP?

Did you send a message that contained sensitive data (e.g. your address) without encrypting it with PGP yourself?

Then it is best to delete your market account and start a new one. And no, this is not overkill. When the Silk Road servers were seized, a lot of messages were not PGP encrypted and contained addresses in plaintext. In the following years the FBI gave that data to other law enforcement agencies around the world, and they busted buyers who had sent their addresses unencrypted. So if you continued to order with that account, the evidence against you would just stack up even more.

[Please make the cut now and create a new market account with which you will always PGP encrypt your address by yourself.]

Can I use the market’s built in encryption?

No. The server processes the message in plain text, so if the market is compromised, attackers will be able to see the contents. Always encrypt sensitive information yourself.

Do I need to encrypt all messages?

You only need to encrypt messages containing sensitive information such as packaging details (which should only ever be discussed between a vendor and a buyer) or addresses. Saying “Thanks!” doesn’t need encryption.

Can I decrypt a PGP message I sent?

No, only the user whose public key you used to encrypt the message can decrypt it. However, if you encrypt the message to the public keys of the users you want to send it to and to your own public key as well, then you will also be able to decrypt it. You will learn later how to do that.

Creating a PGP key pair

When you create a PGP key pair, it gives you two unique keys: a public key and a private key. You must never, at any time or for any reason, give anyone your private key. That is for your eyes only. Your public key, however, can be given out so others can encrypt messages with it and send them to you, and then only YOU can decrypt them with your private key.

When you sign up to a market you may be asked to enter a public key. To prevent your market accounts from being linked together, you should always generate a new key pair for every account you make. Never upload the same public key to multiple accounts.

By uploading your public key you allow your vendor to securely send you sensitive information about your shipment (e.g. tracking codes). It can also serve as a two factor authentication mechanism to login to a market: every time you login you are required to decrypt a message containing a special code. Entering this special code proves that you own the account, because only you would be able to decrypt the message.

You should not keep private keys around that are no longer in use. If you make a new account on a market, delete the old key. If a market gets busted or exit scams, delete all keys for the accounts you created on that market. In the event that your private keys are compromised, you want an attacker to be able to decrypt as little sensitive information as possible.

  • To create a new key, open Applications -> Accessories -> Kleopatra
  • File -> New Keypair
  • Create personal OpenPGP keypair
  • Enter a name: usually your account name for this key. Not your real name!
  • It is recommended to leave the email field blank
  • Open Advanced settings
  • Change the 3072-bit option to 4096
  • Set an expiration date one or two years in the future.

    Note: Setting an expiration date does not prevent messages that were encrypted with the associated public key from being decrypted in the future. In other words, if your private key is ever compromised, an attacker can still decrypt messages after the key has expired.

    The expiration date only serves as a reminder to periodically rotate your key pair, to limit the amount of sensitive information that can be decrypted with a single private key. When you do this, be sure to let others know you are changing your key by signing your new public key with your old key.

    Rotating a key only applies to keys that were created for off-market use, for example a public key that you add to your profile on Dread. Keys created for market accounts are generally short-lived and should not be kept around for long.

  • Click OK
  • Next
  • Create
  • Enter a strong password
  • A message box will show your keys being created. Once it is done you will see a notification letting you know it is finished.

Congratulations, you have now created your own PGP key pair!


Finding your public key

  • To find your public key, double click the name of the key you just created.
  • Click Export
  • You should see something like this:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1

mQINBFhNDOsBEACzwJJVsMo7sIiLhvCsLx2n+DVHzw1trM/C8Yao8EmWdDYe3ei9
mXRqSudbD6S4KvJfm+ZeOlEQ6gGoG2q3aFYASRgcK7WDhs+jwG42EA+j2oIpU/EO
8EQXTmTn8T+LQT84JZ5KkiZZp2CqLU8RVszfkKEj1oX/sO5watxNQur4fbk9FiCA
1MjHMYir1g==
=TV04
-----END PGP PUBLIC KEY BLOCK-----

You can now copy your key and send it to others to encrypt messages to you!

The gibberish part in the middle will be a bit longer though.
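As an added example (not part of the original guide), here is a small Python parser for armored blocks like the one above. It checks the BEGIN/END lines, reads optional headers such as "Version:", decodes the base64 body and verifies the "=TV04"-style trailer, which is a CRC-24 checksum of the binary data as defined in RFC 4880. The function names, the armor() helper and the sample payload are my own constructions.

```python
import base64
import re

# CRC-24 parameters from RFC 4880 section 6.1 (the "=XXXX" armor trailer)
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

def crc24(data: bytes) -> int:
    """CRC-24 of the binary payload, as encoded in the armor checksum line."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(block_type: str, payload: bytes, version: str = "") -> str:
    """Wrap raw bytes in an armored block with a correct CRC-24 trailer (constructed helper)."""
    b64 = base64.b64encode(payload).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    header = f"Version: {version}\n" if version else ""
    crc = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    return (f"-----BEGIN PGP {block_type}-----\n{header}\n{body}\n"
            f"={crc}\n-----END PGP {block_type}-----\n")

def dearmor(text: str):
    """Parse one armored block (PUBLIC KEY BLOCK, MESSAGE, SIGNATURE ...) into
    (block_type, headers, payload). Raises ValueError when the structure is wrong
    or the CRC-24 trailer does not match, which an added or dropped character causes."""
    m = re.search(r"-----BEGIN PGP ([A-Z ]+)-----\r?\n(.*?)-----END PGP \1-----",
                  text, re.S)
    if not m:
        raise ValueError("no armored block found")
    block_type, lines = m.group(1), m.group(2).splitlines()
    headers = {}
    # Optional header lines like "Version: GnuPG v1" come first; base64 data never has a colon
    while lines and ":" in lines[0]:
        key, _, value = lines.pop(0).partition(":")
        headers[key.strip()] = value.strip()
    tokens = " ".join(lines).split()  # tolerate lines that were re-wrapped when pasted
    if not tokens or not tokens[-1].startswith("="):
        raise ValueError("missing CRC-24 trailer")
    expected = int.from_bytes(base64.b64decode(tokens.pop()[1:]), "big")
    payload = base64.b64decode("".join(tokens), validate=True)
    if crc24(payload) != expected:
        raise ValueError("CRC-24 mismatch: block was altered or mis-copied")
    return block_type, headers, payload
```

The CRC only catches copy damage such as a dropped or added character; it is not a security check, so a block that passes still has to be verified or decrypted in Kleopatra before you trust it.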


Importing a public key

To be able to send someone an encrypted message (e.g. your address to a vendor), you need their public key. To get a vendor's public key, visit their profile and look for a link named something like "PGP key" or "Vendor public key". Sometimes it is also shown directly on the vendor's profile page.

A public key looks like the block shown in the previous section. The gibberish part in the middle will be a bit longer, though, and the "Version" line may be different or missing entirely.

  • To import a key in Kleopatra, first click the Notepad option
  • Paste the public key you want to import into the text field
  • Click the Import Notepad option
  • A box will pop up asking you to certify the key you just imported
  • If you are sure of the key, click Yes, then Certify
  • You should see "Certified successfully"
  • Click the Notepad option again to go back to your keyring. You should see the name of the key you imported.

Encrypting a message with PGP

[You must always encrypt sensitive information yourself. Never trust a market to do it for you.]


[You first need to import the public key of the user (e.g. a vendor) that you want to message, so you can encrypt the messages you want to send to them.]

  • First open Kleopatra.
  • Click Notepad in Kleopatra
  • Type or paste your message into the text area
  • Now click the Recipients tab
  • Uncheck "Sign as"
  • If you want to be able to read this message in the future, make sure you check "Encrypt for me" and select the name of your key. Otherwise only the recipient will be able to decrypt the message.
  • Check "Encrypt for others"
  • Type the name of the person you want to encrypt to. It will be whatever their key is named.
  • Click Encrypt Notepad
  • You should see the message "Encryption succeeded" along with some other information.
  • Click back to the Notepad tab. You should now see something like this:

-----BEGIN PGP MESSAGE-----

hQIMA8Pzj/CHV15DAQ/+JOWXCC6vDIxNge3xRqHsKCSEToFkx02qXd9PwWRFESgc
QZGwh6yz0DVlB7yKJZvzRK1O0tS2wLpKKMBNv8dPv/u6B609yXzP6ns3066C7ymO
PAFA1MgvKvu7mUg5wxFRPKgFfYxBNbCleS5MzPp8bPJq6xQaVeOOogPtFWerN/vM
iIcCod+JyWoBgy3iBw==
=alkJ
-----END PGP MESSAGE-----


The gibberish in the middle (the actual encrypted message) will be a little bit longer for you.

Now all you have to do is go to the market or email website, paste the clipboard content into the relevant text field and send the message or email.

Verifying a message with PGP

Verifying messages is commonly used to check the authenticity of market links. Markets publish signed messages containing links to their market. If you have the market’s public key you can use it to verify that the message was created by the market and that the links are legitimate.

Markets, vendors and moderators will sometimes sign announcements or warnings. You can also use this to verify those.

[Before you can verify a PGP signed message, you need to import the public key of the user that signed it. Find where it is listed (e.g. on the vendor's profile on the market, or on the market's subdread) and import it.]

  • Open Kleopatra and click Notepad
  • Copy the PGP signed message and paste it into the text field. It looks something like this:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Here are our onion links:

ar3a3uxsmdjvlv3o.onion
effma5umlll2bxmd.onion
xw7w4apecxzw4t7h.onion

SomeDarknetMarket
-----BEGIN PGP SIGNATURE-----

iQIcBAEBAgAGBQJYsU1SAAoJEMPzj/CHV15DkfgP/RcJw9EtFiv/+4LIV5rrgqcF
+FHEZiYb5jQhsqHrR7jS69rAwxzMD/rttQxMMw4cXBDh/dQaelwOVWbcy4DUwHaj
c3gFOzt/42VK40LcQlEs
=ON6z
-----END PGP SIGNATURE-----

  • Click Decrypt/Verify
  • If the message was signed by someone whose key you have imported, you will see "Valid Signature" in green.
  • If the message has been altered, or you copied it with an extra letter or space, it will show "Invalid Signature" in red.

Decrypting a message

  • First open Kleopatra and click Notepad
  • Copy and paste the PGP message into the text field
  • Click Decrypt/Verify
  • The decrypted message should now appear in the text field

Signing a message with PGP

[This is not for encrypting your address or other private messages.]

You can sign a message to prove that you created it. Anyone that has your public key can verify that you signed it. It is usually not necessary to sign messages as a normal DNM buyer but if you need to do it, here is how.

  • First open Kleopatra and click Notepad
  • In the text field, type the message you want to sign
  • Click the Recipients tab
  • Check "Only sign as" and select the key you want to sign with
  • Uncheck "Encrypt for me"
  • Uncheck "Encrypt for others"
  • Click Sign Notepad
  • Click back to your Notepad tab

Now the content of the clipboard should look like the signed message shown in the "Verifying a message with PGP" section: your text between the "BEGIN PGP SIGNED MESSAGE" line and the "BEGIN PGP SIGNATURE" line, followed by the signature block.

The gibberish in the middle will be a little bit longer for you. Now all you have to do is go to the market or email website, paste the clipboard content into the relevant text field and send the message or email.

