How to Use PGP
Learning how to use PGP is one of those things that sounds like rocket science until you do it once, and then it just clicks. PGP — Pretty Good Privacy — does two jobs: it scrambles a message so only the intended person can read it, and it proves a message really came from whoever claims to have written it. That's it. Encryption and signatures. Everything else is detail.
This guide is the plain-English version: what PGP actually is, how to set it up, and how to use it day to day without a cryptography degree. Toward the end I'll cover the one job most people on the dark web actually use it for: checking that a market link is real before you ever type a password. If you only learn PGP for that, it's still worth the afternoon.
What PGP Actually Is
PGP is public-key cryptography, which means you don't have one password — you have a pair of keys that work together. A public key you hand out to anyone, and a private key you guard like your life depends on it, because in a sense it does. Anything encrypted to your public key can only be opened by your private key, and nothing else.
Here's the analogy that makes it stick. Your public key is an open padlock you mail out to people. Anyone can snap it shut on a box and send it back to you, but you're the only one holding the key that opens it. So you can publish that padlock everywhere — forums, your profile, the side of a bus — and it never weakens your security. The private key never leaves your machine.
Signatures flip the same math around. You sign a message with your private key, and anyone with your public key can confirm two things at once: the message came from you, and not a single character has been changed since you signed it. That second part is what makes PGP the backbone of trust on the dark web, where you can't see a face or a domain you'd recognize.
What You'll Need to Get Started
You need exactly one piece of software, and it's free. Which one depends on your setup:
- Windows — install Gpg4win, which bundles the GnuPG engine and the Kleopatra interface together.
- macOS — GPG Suite gives you the same thing with a Mac-native front end.
- Linux — GnuPG is usually already installed; you can add Kleopatra if you want the clicky version.
- Tails — the amnesic OS most serious users run for this stuff ships with GnuPG and Kleopatra out of the box. Nothing to install.
GnuPG and Kleopatra aren't competitors, by the way — they're the same tool wearing different clothes. GnuPG (often written gpg) is the command-line engine that does the real cryptography. Kleopatra is a graphical wrapper that runs gpg for you behind the buttons. Pick whichever feels less intimidating; the keys you make in one work fine in the other.
How to Set Up PGP and Use It, Step by Step
Five steps take you from nothing installed to fully operational: make a keypair, share the public half, encrypt, decrypt, and sign. I'll give the Kleopatra clicks and the GnuPG command for each so it doesn't matter which camp you're in.
Step 1: Generate Your Keypair
In Kleopatra, go to File → New Key Pair → Create a personal OpenPGP key pair. On the command line it's gpg --full-generate-key. You'll be asked for a name and email — and here's the part newcomers stress over for no reason: neither has to be real. A pseudonym and a throwaway address are completely normal. What does matter is the passphrase. Make it long and make it unique, because that passphrase is the only thing standing between a stolen laptop and your private key.
Step 2: Share Your Public Key
Your public key is the half you give out. In Kleopatra, right-click your key and choose Export; on the command line, gpg --armor --export you@example.com > publickey.asc. That produces an ASCII-armored block starting with -----BEGIN PGP PUBLIC KEY BLOCK-----. Paste that wherever someone needs to reach you privately. The golden rule lives here: you export and share the public key, never the private one. If you ever see PRIVATE KEY in something you're about to send, stop.
Step 3: Encrypt a Message
To send someone a private message, you encrypt it with their public key, not yours. Import their key first (paste it into Kleopatra's Import, or gpg --import theirkey.asc), then in Kleopatra open the Notepad, type your message, pick them as the recipient, and hit Sign/Encrypt. The output is gibberish to everyone except the one person holding the matching private key. That's the whole point — even if it's intercepted, it's unreadable.
Step 4: Decrypt What Comes Back
When someone encrypts a message to you, you reverse it with your private key. Paste the encrypted block into Kleopatra's Notepad and click Decrypt/Verify, or run gpg --decrypt message.asc. You'll be prompted for your passphrase — that's the gate that proves it's really you — and the plain text drops out. If the passphrase is wrong, nothing happens, which is exactly how it should behave.
Step 5: Sign a Message and Verify a Signature
Signing is the half that proves authorship. You sign with your private key, and anyone with your public key can confirm it's genuinely from you and unaltered. The flip side — verifying someone else's signature — is the skill that actually keeps you safe, so it gets its own section below. The mechanics: import their public key, check the fingerprint against a second source, then run Decrypt/Verify in Kleopatra or gpg --verify file.asc and read the result.
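Here are those five steps as the GnuPG commands Kleopatra runs behind its buttons, played out between two throwaway keyrings in a temporary directory. This is an added example, not something from the original guide or from the GnuPG project: the identities alice@example.invalid and bob@example.invalid, the messages, and the helper names g, make_key, fingerprint and pgp_roundtrip are all made up for the demo.

```shell
#!/bin/sh
# Added example (not from the article): the guide's five steps as GnuPG
# commands between two throwaway keyrings. Identities and messages are
# constructed; the keyrings live in a temp directory deleted at the end.
set -eu

# g HOME ARGS...: run gpg against one party's keyring, non-interactively
g() { _home=$1; shift; GNUPGHOME="$_home" gpg --batch --yes --quiet "$@"; }

# Step 1: generate a keypair. %no-protection skips the passphrase so the demo
# runs unattended; for a real key drop that line and gpg will prompt for one.
make_key() {  # make_key HOME NAME EMAIL
  g "$1" --gen-key <<EOF
%no-protection
Key-Type: default
Subkey-Type: default
Name-Real: $2
Name-Email: $3
Expire-Date: 1y
%commit
EOF
}

# The primary key's full fingerprint, the value you compare against a second source
fingerprint() {  # fingerprint HOME EMAIL
  g "$1" --with-colons --fingerprint "$2" | awk -F: '/^fpr:/ { print $10; exit }'
}

pgp_roundtrip() {
  WORK=$(mktemp -d)
  ALICE="$WORK/alice"; BOB="$WORK/bob"
  mkdir -m 700 "$ALICE" "$BOB"

  make_key "$ALICE" 'Alice (demo)' alice@example.invalid
  make_key "$BOB"   'Bob (demo)'   bob@example.invalid

  # Step 2: export and exchange the PUBLIC halves only
  g "$ALICE" --armor --export alice@example.invalid > "$WORK/alice.asc"
  g "$BOB"   --armor --export bob@example.invalid   > "$WORK/bob.asc"
  grep -q 'BEGIN PGP PUBLIC KEY BLOCK' "$WORK/alice.asc"
  g "$ALICE" --import "$WORK/bob.asc"
  g "$BOB"   --import "$WORK/alice.asc"

  # Step 3: Alice encrypts to Bob's public key (--trust-model always stands in
  # for the "are you sure this key is Bob's?" prompt Kleopatra would show)
  plaintext='constructed test message'
  printf '%s\n' "$plaintext" > "$WORK/msg.txt"
  g "$ALICE" --trust-model always --armor --encrypt \
    --recipient bob@example.invalid --output "$WORK/msg.asc" "$WORK/msg.txt"

  # Step 4: only Bob's private key can open it
  g "$BOB" --decrypt --output "$WORK/msg.out" "$WORK/msg.asc"
  decrypted=$(cat "$WORK/msg.out")

  # Step 5: Alice clearsigns a canary; Bob verifies and reads the status lines.
  # VALIDSIG's last field is the signing key's primary fingerprint.
  printf 'constructed canary: all good as of today\n' > "$WORK/canary.txt"
  g "$ALICE" --clearsign --output "$WORK/canary.asc" "$WORK/canary.txt"
  signer_fpr=$(g "$BOB" --status-fd 1 --verify "$WORK/canary.asc" 2>/dev/null \
    | awk '/^\[GNUPG:\] VALIDSIG/ { print $NF; exit }')
  alice_fpr=$(fingerprint "$ALICE" alice@example.invalid)

  # Stop the per-keyring agents and remove the temp keyrings before reporting
  GNUPGHOME="$ALICE" gpgconf --kill all 2>/dev/null || true
  GNUPGHOME="$BOB"   gpgconf --kill all 2>/dev/null || true
  rm -rf "$WORK"

  # Success means: the round trip preserved the text, and the "Good signature"
  # came from the key whose fingerprint we looked up ourselves
  [ -n "$alice_fpr" ] && [ "$signer_fpr" = "$alice_fpr" ] && [ "$decrypted" = "$plaintext" ]
}

if command -v gpg >/dev/null 2>&1; then
  pgp_roundtrip && echo 'round trip OK: text preserved, signature from the checked fingerprint'
else
  echo 'gpg not found: install Gpg4win, GPG Suite or GnuPG first' >&2
fi
```

The %no-protection line is there only so the script can run unattended; for a key you actually use, drop it and give gpg the long passphrase Step 1 asks for. The other thing worth noticing is --status-fd: it makes gpg print machine-readable result lines, and VALIDSIG carries the full 40-character fingerprint of the signing key, which is what you compare against a second source, rather than the short key id shown in GOODSIG.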
Using PGP to Verify a Darknet Market Link
This is why most people on the dark web learn PGP at all, so let's be specific. Phishing is the number-one way buyers get burned on darknet markets — not law enforcement, not malware. Phishing. A clone of a real market looks pixel-identical, you log in, and your credentials are gone. The only thing a clone can't fake is a valid signature from the operator's real key.
Every reputable market publishes a PGP-signed message — usually called a canary or a mirrors list — that contains its current onion addresses. The verification routine is short: get the market's public key from at least two independent places (its Dread profile and a directory, say), import it, and confirm the fingerprints match. Then take the signed address list, run Decrypt/Verify, and look for Good signature. If it validates against the key you trust, those addresses are real. If it doesn't, walk away — it doesn't matter how convincing the site looks.
This is exactly the workflow behind the verified onion addresses on the market pages in our directory — for example the DarkMatter market link and the DrugHub market link are confirmed against their operators' signed canaries before they're listed. You shouldn't take our word for it, though; the entire reason PGP exists is so you can confirm it yourself without trusting any middleman, us included.
What a Warrant Canary Is
A warrant canary is a PGP-signed statement an operator posts on a regular schedule saying, in effect, "as of this date we haven't been seized, compromised, or served with anything we can't tell you about." Because it's signed, nobody can forge a fresh one. The clever bit is what happens when it stops: if the canary goes stale or the signature suddenly fails to verify, the community reads that silence as the alarm going off, and trust evaporates fast.
For you, the practical takeaway is to check two things, not one. Verify that the signature is valid and that the statement is recent. A perfectly valid signature on a canary from four months ago tells you the key is real but says nothing reassuring about today. Markets that take this seriously re-sign on a tight cadence; a long gap is worth noticing.
The Mistakes That Actually Get People Burned
Eyeballing an onion address is not verification. A clone address can match the real one for the first eight characters and the last four — the human-memorable parts — and be completely different in the middle, where you stopped reading. Your brain fills the gap; the phisher counts on it. Only a signature check catches this.
The other classic is trusting a "Good signature" without checking whose signature. GnuPG will happily report a valid signature from any key you've imported, including a fake key a phisher handed you five minutes ago. The signature being mathematically valid only means the message matches that key — it says nothing about whether the key is the real operator's. That's why confirming the fingerprint against an independent source is the step you can never skip. Valid signature, wrong key, equals zero protection.
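Putting the canary rules above into one check: the signature must be good, it must come from the key whose fingerprint you pinned from independent sources, and the signature must be recent. This is an added example, not part of the original article. It works on the machine-readable status lines gpg prints with --status-fd, and the fingerprints, key ids, user id and timestamps in the sample status text are constructed placeholders, not any real operator's key.

```shell
#!/bin/sh
# Added example, not from the original article: the "can I trust this canary?"
# decision applied to GnuPG's --status-fd output. Fingerprints, key ids, user
# ids and timestamps below are constructed placeholders.
set -eu

# The operator's fingerprint as confirmed from two independent sources
# (constructed 40-hex value; in real use you read it from both places yourself)
PINNED_FPR='0123456789ABCDEF0123456789ABCDEF01234567'

# What `gpg --status-fd 1 --verify canary.asc` writes to fd 1 for a good
# signature by the pinned key (constructed, trimmed to the relevant lines)
STATUS_GENUINE='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Market (canary) <ops@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2026-03-01 1772323200 0 4 0 22 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Same shape, but signed by a different key you happen to have imported: gpg
# still reports GOODSIG, which is exactly the trap described in the article
STATUS_WRONG_KEY='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG FEDCBA9876543210 Example Market (canary) <ops@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2026-03-01 1772323200 0 4 0 22 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# normalize_fpr TEXT: strip the spaces gpg prints, upper-case, accept only
# a full 40-hex-digit v4 fingerprint (never a short key id)
normalize_fpr() {
  printf '%s' "$1" | tr -d ' \t' | tr 'a-f' 'A-F' | grep -E '^[0-9A-F]{40}$'
}

# check_canary STATUS PINNED NOW MAX_AGE: succeed only if the signature is
# good, made by the pinned key, and no older than MAX_AGE seconds at epoch
# time NOW. Prints a one-word verdict naming the rule that decided.
check_canary() {
  status=$1; now=$3; max_age=$4
  pinned=$(normalize_fpr "$2") || { echo bad-pinned-fpr; return 1; }

  # GOODSIG is necessary but not sufficient: it only says "matches some key"
  printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG ' || { echo no-good-signature; return 1; }

  # VALIDSIG fields: $3 signing-key fpr, $5 signature epoch time, last = primary-key fpr
  validsig=$(printf '%s\n' "$status" | grep '^\[GNUPG:\] VALIDSIG ' | head -n 1)
  [ -n "$validsig" ] || { echo no-validsig; return 1; }
  primary_fpr=$(printf '%s\n' "$validsig" | awk '{ print $NF }')
  sig_ts=$(printf '%s\n' "$validsig" | awk '{ print $5 }')

  # Whose signature: the full fingerprint must equal the one you pinned
  [ "$primary_fpr" = "$pinned" ] || { echo wrong-key; return 1; }

  # How fresh: a valid signature from months ago says nothing about today
  age=$(( now - sig_ts ))
  [ "$age" -le "$max_age" ] || { echo stale; return 1; }
  echo trusted
}

# Constructed "today": 2026-03-10 00:00 UTC, nine days after the signature
NOW=1773100800
THIRTY_DAYS=$(( 30 * 24 * 3600 ))
check_canary "$STATUS_GENUINE"   "$PINNED_FPR" "$NOW" "$THIRTY_DAYS"                       # trusted
check_canary "$STATUS_WRONG_KEY" "$PINNED_FPR" "$NOW" "$THIRTY_DAYS" || true               # wrong-key
check_canary "$STATUS_GENUINE"   "$PINNED_FPR" "$(( NOW + 120 * 86400 ))" "$THIRTY_DAYS" || true  # stale
```

The check deliberately ignores the key id in GOODSIG and compares the primary-key fingerprint from VALIDSIG instead: a 16-character key id is short enough that matching it proves little, while the full fingerprint is what you confirmed from a second source. The cadence you pass as MAX_AGE is your call; pick something close to how often the operator actually re-signs.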
And the quiet one: protect the private key and the passphrase like they're the same thing as your funds, because functionally they are. A leaked private key, a passphrase you reused somewhere, or an unencrypted backup on a synced cloud drive undoes everything above. PGP almost never fails because the math broke. It fails because a human got sloppy with the one key that was supposed to stay secret.
How to Use PGP — Frequently Asked Questions
Is PGP hard to use?
Not really. The concepts sound heavy, but the day-to-day actions are click-level once your keys exist: encrypt with someone's public key, decrypt with your private key and passphrase. With a GUI like Kleopatra you can be sending an encrypted message within twenty minutes of installing it. The learning curve is steep for about an hour and then nearly flat.
Do I need PGP for darknet markets?
For two things, yes. You use PGP to verify a market's signed canary so you know an onion link is genuine and not a phishing clone, and you use it to encrypt anything sensitive you send a vendor. Plenty of markets also require PGP to register or log in. Skipping it is the single most common way people get phished.
Kleopatra or GnuPG — which should I use?
Same engine, different front end. GnuPG is the command-line tool that does the actual cryptography; Kleopatra is a graphical wrapper around it. Use Kleopatra if you'd rather click, GnuPG if you'd rather type. On Tails both are already installed, so you don't really choose — you just open Kleopatra and go.
What is a warrant canary?
A warrant canary is a PGP-signed statement an operator posts on a schedule saying they haven't been seized or compromised. Because it's signed, nobody can forge it. If the canary stops updating or the signature fails, the community treats that silence as a warning and stops trusting the site.
Is PGP still secure in 2026?
Yes, when you use modern keys. A current RSA-4096 or an ECC (Curve25519) keypair from a recent GnuPG build has no known practical break. Most real-world PGP failures aren't broken math — they're a leaked private key, a weak passphrase, or trusting a public key whose fingerprint you never checked.