
Pretty Good Privacy (PGP) is a cryptographic standard that has protected sensitive digital communications since 1991. On darknet markets, PGP encryption is the primary mechanism for ensuring that messages between buyers and vendors remain confidential and cannot be read by third parties, including the platform itself.

How PGP Works

PGP uses asymmetric cryptography, which means each participant has two mathematically linked keys: a public key and a private key. The public key is shared openly and can be used by anyone to encrypt a message addressed to you. Only the corresponding private key, which you keep secret, can decrypt that message. This system ensures that even if your messages are intercepted in transit, they cannot be read without your private key.

PGP also supports digital signatures. When you sign a message with your private key, anyone with your public key can verify that the message genuinely came from you and has not been altered. This is how market administrators publish verified announcements and how vendors authenticate their identities.

Generating Your PGP Keys

The recommended tool for PGP on modern systems is GnuPG (GPG), which is available for all major operating systems. On Linux and macOS, it is typically pre-installed or available through a package manager. On Windows, Gpg4win provides a user-friendly interface. To generate a key pair, run gpg --gen-key and follow the prompts. Use a strong, unique passphrase to protect your private key, and never share that passphrase with anyone.

Practical Use on Markets

When communicating with a vendor about a sensitive matter (such as a delivery address or order dispute), you should always encrypt your message using the vendor's public key, which is typically displayed on their profile page. Most markets also allow you to store your own public key in your profile so vendors can send you encrypted responses. Failing to use PGP for sensitive communications exposes that information to anyone who gains access to the platform's message store.

Verifying Market PGP Keys

Phishing sites often display counterfeit PGP keys to intercept communications. Always verify the fingerprint of a market's PGP key against multiple independent sources before trusting it. Legitimate markets publish their key fingerprint in their verified clearnet presence, on trusted forum threads, and through signed announcements on the platform itself.
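One way to script the fingerprint comparison described above, as an added example that is not part of the original page. The function names, the file name key.asc, and the sample records are assumptions constructed for illustration; the only gpg feature relied on is the fpr record of its --with-colons output.

```shell
#!/bin/sh
# Added example: check a key's fingerprint against copies from independent sources.
# Typical use (key.asc is a hypothetical file holding the downloaded public key):
#   fp=$(gpg --with-colons --show-keys key.asc | primary_fpr_from_colons)
#   verify_fpr "$fp" "<fingerprint from source 1>" "<fingerprint from source 2>"

# Constructed sample of `gpg --with-colons` output (not a real key).
SAMPLE_COLONS='pub:-:255:22:89ABCDEF01234567:1700000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
sub:-:255:18:AAAAAAAAAAAAAAAA:1700000000::::::e:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:'

# Strip spaces, colons and newlines, then upper-case the hex digits, so that
# "0123 4567 ..." and "01234567..." compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'abcdef' 'ABCDEF'
}

# Read colon-format output on stdin and print the primary key's fingerprint:
# the first "fpr" record, field 10. Later fpr records belong to subkeys.
primary_fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# verify_fpr ACTUAL EXPECTED1 EXPECTED2 [...]
# Returns 0 only if every expected value equals ACTUAL.
#   1 = at least one source disagrees
#   2 = ACTUAL is not a full fingerprint (short key IDs are refused,
#       because a short ID can be made to collide with another key's)
#   3 = fewer than two sources were supplied
verify_fpr() {
    actual=$(normalize_fpr "$1"); shift
    case "$actual" in
        *[!0-9A-F]*) return 2 ;;
    esac
    # 40 hex digits for a v4 key; 64 for the newer SHA-256 based formats.
    [ "${#actual}" -eq 40 ] || [ "${#actual}" -eq 64 ] || return 2
    [ "$#" -ge 2 ] || return 3
    for src in "$@"; do
        [ "$(normalize_fpr "$src")" = "$actual" ] || return 1
    done
    return 0
}
```

A single mismatch is treated as failure rather than settled by majority vote, since one disagreeing source is enough to mean some copy of the key has been replaced.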

PGP remains one of the most reliable tools available for private digital communication. Understanding and using it correctly is a foundational skill for anyone operating in privacy-sensitive environments.