Article · Approx. 8 minutes

By Dark Web 101

PGP Encryption on the Dark Web

The oldest and still one of the strongest tools for private communication.

PGP (Pretty Good Privacy) is a public-key encryption system that lets you encrypt messages so that only the intended recipient can read them. On the dark web, PGP is not optional: it is the baseline for secure communication. Marketplace vendors use it to receive shipping addresses. Journalists use it to communicate with sources via platforms like SecureDrop. Anyone handling sensitive information on onion services uses PGP.

This guide covers the fundamentals and walks you through practical usage with GPG (GNU Privacy Guard), the free, open-source implementation of the PGP standard.

How PGP Works

PGP uses asymmetric cryptography, which means it uses a pair of mathematically related keys:

  • Public key: You share this with everyone. Anyone can use it to encrypt a message that only you can read.
  • Private key: You keep this secret. It is the only key that can decrypt messages encrypted with your public key. It is also used to create digital signatures.

The fundamental workflow:

  1. You generate a key pair (public + private).
  2. You share your public key.
  3. Someone encrypts a message using your public key.
  4. Only your private key can decrypt it.
  5. Even if the encrypted message is intercepted in transit, it is unreadable without your private key.

Installing GPG

GPG is available on every major platform:

Platform                 Installation
Linux (Debian/Ubuntu)    Usually pre-installed. If not: sudo apt install gnupg
Linux (Fedora)           sudo dnf install gnupg2
macOS                    brew install gnupg (requires Homebrew)
Windows                  Install Gpg4win, which includes GPG and the Kleopatra GUI
Tails OS                 Pre-installed and pre-configured

Verify the installation:

gpg --version

You should see output showing the GPG version number and supported algorithms.

Generating Your Key Pair

Command Line (All Platforms)

gpg --full-generate-key

GPG will ask you several questions:

  1. Key type: Choose (1) RSA and RSA or (9) ECC (sign and encrypt). ECC (Curve25519) keys are smaller and faster while providing equivalent security.
  2. Key size: If using RSA, choose 4096 bits. For ECC, the default curve (Curve25519) is appropriate.
  3. Expiration: Set an expiration date (1-2 years is reasonable). You can always extend it later. Keys that never expire are a security risk if compromised.
  4. Name and email: For anonymous use, use a pseudonym and a disposable or anonymous email address. Do not use your real name if anonymity matters.
  5. Passphrase: Protects your private key. Use a strong, unique passphrase. If someone obtains your private key file, the passphrase is the last line of defense.

# Example output (the fingerprint below is a placeholder; a real v4 fingerprint is 40 hex digits):
# pub   ed25519 2026-04-10 [SC] [expires: 2028-04-10]
#       AB12CD34EF56GH78IJ90KL12MN34OP56QR78ST90
# uid           [ultimate] DarkPortalUser <[email protected]>
# sub   cv25519 2026-04-10 [E] [expires: 2028-04-10]

The long hexadecimal string is your key fingerprint, the unique identifier for your key.

Using Kleopatra (Windows GUI)

Kleopatra provides a graphical interface for all GPG operations:

  1. Open Kleopatra.
  2. Click New Key Pair.
  3. Choose Create a personal OpenPGP key pair.
  4. Enter your name (or pseudonym) and email.
  5. Click Advanced Settings to choose key type and size.
  6. Set a strong passphrase.
  7. Click Create.

Exporting and Sharing Your Public Key

To let others send you encrypted messages, you need to share your public key.

Export to a File

# Export in ASCII-armored format (text-based, easy to paste)
gpg --armor --export [email protected] > my-public-key.asc

The output looks like this:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEZvkHExYJKwYBBAHaRw8BAQdA7X2jF8k9Rv...
(many lines of base64-encoded data)
...
-----END PGP PUBLIC KEY BLOCK-----

You can:

  • Paste this text into your forum profile, marketplace profile, or website.
  • Upload it to a keyserver (though for dark web use, direct sharing is usually preferred).
  • Send it to specific contacts.

Export Using Kleopatra

  1. Right-click your key in Kleopatra.
  2. Select Export.
  3. Save the .asc file or copy the key block to your clipboard.

Importing Someone Else's Public Key

Before you can encrypt a message to someone, you need their public key.

# Import from a file
gpg --import their-public-key.asc

# Or paste directly (press Ctrl+D when done):
gpg --import

After importing, verify the key fingerprint through a trusted channel (not the same channel you received the key from). This prevents man-in-the-middle attacks where an attacker substitutes their own public key.

# View the fingerprint of an imported key
gpg --fingerprint [email protected]

Encrypting a Message

Command Line

# Encrypt a message for a specific recipient
echo "This is a secret message" | gpg --armor --encrypt --recipient [email protected]

This outputs an ASCII-armored encrypted message:

-----BEGIN PGP MESSAGE-----

hQIMAxyz123...
(encrypted data)
...
-----END PGP MESSAGE-----

Copy and paste this entire block (including the header and footer lines) to send to the recipient.

Encrypt a File

# Encrypt a file
gpg --armor --encrypt --recipient [email protected] sensitive-document.txt

# This creates sensitive-document.txt.asc

Encrypt for Multiple Recipients

gpg --armor --encrypt \
  --recipient [email protected] \
  --recipient [email protected] \
  message.txt

Using Kleopatra

  1. Open Notepad in Kleopatra (or use the clipboard function).
  2. Type your message.
  3. Click Encrypt.
  4. Select the recipient's key.
  5. Copy the encrypted output.

Decrypting a Message

When you receive an encrypted message, decrypt it with your private key:

# Decrypt from a file
gpg --decrypt message.asc

# Decrypt from clipboard (paste the message, then press Ctrl+D)
gpg --decrypt

GPG will prompt you for your private key passphrase, then display the decrypted message.

Signing and Verifying Messages

Sign a Message

Signing proves that a message came from you (or rather, from whoever holds your private key):

# Create a cleartext signature (message + signature in one block)
echo "I confirm this statement" | gpg --clearsign

Output:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I confirm this statement
-----BEGIN PGP SIGNATURE-----

iQIzBAABCgAdFiEE...
(signature data)
...
-----END PGP SIGNATURE-----

Verify a Signature

gpg --verify signed-message.asc

GPG will tell you whether the signature is valid and which key made it.
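The whole sequence described from "How PGP Works" through "Verify a Signature" (generate, export, import, compare fingerprints, encrypt, decrypt, clearsign, verify) can be run non-interactively so it is repeatable and never touches your real ~/.gnupg. The script below is an added example, not code from the original article; it assumes GnuPG 2.1 or later (ECC keys, unattended --gen-key), and the names, addresses and message text are constructed. %no-protection creates a passphrase-less key, which is acceptable only for a disposable test key.

```sh
#!/bin/sh
# Added example: two throwaway keyrings (Alice, Bob) exchanging a message.
# Assumes GnuPG >= 2.1. All identities and text below are constructed.

# Generate an ed25519 signing key plus cv25519 encryption subkey in keyring $1.
pgp_make_key() {
    home="$1"; uid_name="$2"; uid_mail="$3"
    cat > "$home/params" <<EOF
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Subkey-Type: ecdh
Subkey-Curve: cv25519
Subkey-Usage: encrypt
Name-Real: $uid_name
Name-Email: $uid_mail
Expire-Date: 2y
%commit
EOF
    gpg --homedir "$home" --batch --quiet --gen-key "$home/params" 2>/dev/null
}

# Print the primary-key fingerprint of user ID $2 held in keyring $1.
pgp_fingerprint() {
    gpg --homedir "$1" --batch --with-colons --with-fingerprint --list-keys "$2" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Run the full exchange for message $1; print the text Alice decrypted on success.
pgp_roundtrip() {
    msg="$1"
    work=$(mktemp -d) || return 1
    alice="$work/alice"; bob="$work/bob"
    mkdir -m 700 "$alice" "$bob" || return 1
    pgp_make_key "$alice" "Alice Example" "alice@example.invalid" || return 1

    # Alice exports her public key block and states her fingerprint out of band
    # (in person, over a call), the value Bob must compare after importing.
    gpg --homedir "$alice" --batch --armor --export alice@example.invalid > "$work/alice.asc"
    stated_fpr=$(pgp_fingerprint "$alice" alice@example.invalid)

    # Bob imports the block he received and refuses to proceed on a mismatch:
    # this is the check that defeats a substituted (man-in-the-middle) key.
    gpg --homedir "$bob" --batch --quiet --import "$work/alice.asc" 2>/dev/null || return 1
    imported_fpr=$(pgp_fingerprint "$bob" alice@example.invalid)
    [ -n "$imported_fpr" ] && [ "$imported_fpr" = "$stated_fpr" ] \
        || { echo "fingerprint mismatch" >&2; return 1; }

    # Bob encrypts to Alice. In batch mode gpg will not encrypt to a key with no
    # ownertrust; --trust-model always stands in for the trust Bob would set
    # only after the fingerprint check above.
    printf '%s\n' "$msg" | gpg --homedir "$bob" --batch --armor --trust-model always \
        --encrypt --recipient alice@example.invalid > "$work/msg.asc" 2>/dev/null || return 1

    # Alice decrypts with her (unprotected, test-only) private key.
    decrypted=$(gpg --homedir "$alice" --batch --quiet --decrypt "$work/msg.asc" 2>/dev/null) || return 1

    # Alice clearsigns a reply; Bob verifies it against the key he imported.
    # gpg exits 0 for a good signature even when it warns the key is untrusted.
    printf 'Received: %s\n' "$msg" | gpg --homedir "$alice" --batch --clearsign \
        > "$work/signed.asc" 2>/dev/null || return 1
    gpg --homedir "$bob" --batch --verify "$work/signed.asc" 2>/dev/null || return 1

    # Stop the per-keyring agents and discard everything.
    gpgconf --homedir "$alice" --kill gpg-agent >/dev/null 2>&1
    gpgconf --homedir "$bob" --kill gpg-agent >/dev/null 2>&1
    rm -rf "$work"
    printf '%s\n' "$decrypted"
}

# Stand-alone run with a constructed message (skipped when gpg is absent).
command -v gpg >/dev/null 2>&1 && pgp_roundtrip "meet at the usual place"
```

Every gpg call carries --batch so a missing key, a bad signature or an unverified recipient fails the function instead of blocking on a prompt; in your own keyring you would replace --trust-model always by signing or setting ownertrust on the key once you have compared fingerprints.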

Key Management Best Practices

Backup Your Private Key

# Export your private key (KEEP THIS SAFE)
gpg --armor --export-secret-keys [email protected] > private-key-backup.asc

Store this backup in a physically secure location, for example an encrypted USB drive kept in a safe. If you lose your private key, you lose access to all messages encrypted with it, permanently.

Revocation Certificate

Generate a revocation certificate immediately after creating your key pair:

gpg --gen-revoke [email protected] > revoke-certificate.asc

If your private key is ever compromised, you can publish this revocation certificate to tell the world to stop using your public key.

Key Hygiene

  • Set expiration dates on your keys. Extend them as needed. This limits the damage if a key is compromised without your knowledge.
  • Use subkeys for daily operations. Keep your master key offline.
  • Do not store private keys on internet-connected devices if your threat model calls for it. Use an air-gapped computer or a hardware security device like a YubiKey.
  • Regularly update your software. GPG vulnerabilities, while rare, do occur.
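The two lifecycle operations above, extending a key's expiry and revoking a compromised key, can also be driven without prompts. The script below is an added example, not code from the article; it assumes GnuPG 2.1 or later, which stores a revocation certificate under openpgp-revocs.d/ at key-generation time with a leading colon on the armor header so it cannot be imported by accident (the page's gpg --gen-revoke produces the same kind of certificate interactively). The user ID and expiry periods are constructed.

```sh
#!/bin/sh
# Added example: expiry extension and revocation on a throwaway key.
# Assumes GnuPG >= 2.1; identity and periods are constructed.

# Print the primary key's expiry as a Unix timestamp (field 7 of the pub record).
pgp_key_expiry() {
    gpg --homedir "$1" --batch --with-colons --list-keys "$2" 2>/dev/null \
        | awk -F: '$1 == "pub" { print $7; exit }'
}

# Print the primary key's validity flag (field 2): u=ultimate, e=expired, r=revoked.
pgp_key_validity() {
    gpg --homedir "$1" --batch --with-colons --list-keys "$2" 2>/dev/null \
        | awk -F: '$1 == "pub" { print $2; exit }'
}

# Generate a 1-year key, extend it to 3 years, then revoke it; print the final validity.
pgp_lifecycle() {
    home=$(mktemp -d) || return 1
    uid="carol@example.invalid"

    # Unprotected test key with the page's recommended short expiry.
    gpg --homedir "$home" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Carol Example <$uid>" default default 1y 2>/dev/null || return 1
    fpr=$(gpg --homedir "$home" --batch --with-colons --with-fingerprint --list-keys "$uid" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$fpr" ] || return 1
    before=$(pgp_key_expiry "$home" "$uid")

    # Extend the expiry before it lapses ("extend them as needed"); the new date
    # is relative to now, so it must be later than the original.
    gpg --homedir "$home" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-set-expire "$fpr" 3y 2>/dev/null || return 1
    after=$(pgp_key_expiry "$home" "$uid")
    [ -n "$after" ] && [ "$after" -gt "$before" ] || return 1

    # Treat the key as compromised: strip the guard colon from the stored
    # revocation certificate and import it. Publishing this file is what tells
    # correspondents to stop using the key.
    rev="$home/openpgp-revocs.d/$fpr.rev"
    [ -f "$rev" ] || return 1
    sed 's/^:-----BEGIN/-----BEGIN/' "$rev" > "$home/revoke.asc"
    gpg --homedir "$home" --batch --quiet --import "$home/revoke.asc" 2>/dev/null || return 1

    pgp_key_validity "$home" "$uid"   # "r" once the revocation has been applied
    gpgconf --homedir "$home" --kill gpg-agent >/dev/null 2>&1
    rm -rf "$home"
}

# Stand-alone run (skipped when gpg is absent).
command -v gpg >/dev/null 2>&1 && pgp_lifecycle
```

Keep the .rev file (or the output of gpg --gen-revoke) with your offline backup: it is useless to an attacker on its own but is the only way to retire the key if the private key itself is lost.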

Common Mistakes

Mistake                                                  Consequence
Using your real name and email in the key                Links your encrypted communications to your identity
Not verifying key fingerprints                           You might encrypt messages with an attacker's key
Storing your private key on cloud storage                Anyone who accesses your cloud account gets your key
Forgetting your passphrase                               Permanent loss of access to your private key and all encrypted data
Not setting a key expiration                             A compromised key remains "valid" forever
Sending unencrypted messages alongside encrypted ones    Reveals the pattern and context of your communications

Further Reading

Want to go deeper? Read our complete guide to the dark web, browse verified .onion links on Deepr (open in Tor Browser), or check our privacy tools.