PGP Encryption Tutorial

Master end-to-end encrypted communication for anonymous marketplace operations

Home โ†’ Security Guide โ†’ PGP Encryption

Understanding PGP

End-to-end encryption that protects your messages from everyoneโ€”including marketplace operators

๐Ÿ”‘ What is PGP?

PGP (Pretty Good Privacy) is an encryption program that provides cryptographic privacy and authentication for data communication. It's used for encrypting, decrypting, and signing messages to ensure security and authentication.

Why PGP is Mandatory for DrugHub Marketplace:

  • End-to-End Encryption: Only you and your intended recipient can read messagesโ€”not even DrugHub administrators
  • Address Protection: Shipping addresses must ALWAYS be PGP-encrypted to prevent compromise
  • Authentication: Digital signatures prove messages came from the real sender, preventing impersonation
  • Non-Repudiation: Signatures provide cryptographic proof of message authorship
  • Data Breach Protection: If DrugHub database is compromised, encrypted messages remain secure
โš ๏ธ CRITICAL: NEVER send your shipping address or sensitive information without PGP encryption. DrugHub marketplace requires PGP for all vendor communications. Unencrypted addresses can be intercepted, logged, or exposed in data breaches.

๐Ÿ” How PGP Works: Public-Key Cryptography

PGP uses asymmetric encryption with two mathematically related keys:

๐Ÿ”“ Public Key

  • Shared publicly with anyone
  • Used by others to encrypt messages to you
  • Used to verify your digital signatures
  • Can be published on DrugHub profile, keyservers, forums
  • Cannot decrypt messages (only encrypt)

๐Ÿ”’ Private Key

  • Kept absolutely secret, never shared
  • Used to decrypt messages sent to you
  • Used to sign messages you send
  • Must be protected with strong passphrase
  • If compromised, all your security is lost

Encryption Process:

  1. Sender obtains recipient's public key (from DrugHub profile, keyserver, or direct exchange)
  2. Sender encrypts message using recipient's public key
  3. Encrypted message can only be decrypted by recipient's private key
  4. Recipient uses their private key to decrypt and read message

Signature Process:

  1. Sender creates message
  2. Sender signs message using their private key
  3. Recipient verifies signature using sender's public key
  4. Valid signature proves message is authentic and unmodified
๐Ÿ’ก Key Concept: What is encrypted with public key can only be decrypted with private key, and vice versa. This mathematical relationship enables secure communication between strangers.

โš™๏ธ Setting Up PGP

Software Options:

  • GPG (GnuPG): Free, open-source PGP implementation. Industry standard, available for all platforms.
  • Kleopatra (Windows): User-friendly GUI for GPG on Windows
  • GPG Suite (macOS): GPG integration for macOS with Mail plugin
  • Tails OS: Pre-installed GPG with automatic clipboard encryption

Installation:

Windows:
  1. Download Gpg4win from gpg4win.org
  2. Install with Kleopatra (GUI component)
  3. Verify PGP signature of download
macOS/Linux:
  1. macOS: Install GPG Suite from gpgtools.org
  2. Linux: Usually pre-installed (command: gpg --version)
  3. Debian/Ubuntu: sudo apt install gnupg

Generating Your PGP Key Pair:

โš ๏ธ Important: Generate keys on a secure, clean system. Use Tails OS for maximum security. Never generate marketplace keys on compromised or work computers.
Using Kleopatra (Windows GUI):
  1. Open Kleopatra
  2. Click "New Key Pair"
  3. Select "Create a personal OpenPGP key pair"
  4. Enter name (can be pseudonym for marketplace use)
  5. Enter email (can be fake/marketplace username)
  6. Click "Advanced Settings":
    • Key Type: RSA
    • Key Length: 4096 bits (maximum security)
    • Valid until: 2 years (best practice to rotate keys)
  7. Click "Create" and enter a very strong passphrase
  8. Key generation complete!
Using GPG Command Line:
# Generate key interactively
gpg --full-generate-key

# Select:
# - Key type: RSA and RSA
# - Key size: 4096
# - Expiration: 2y (2 years)
# - Real name: YourMarketplaceUsername
# - Email: username@marketplace (can be fake)
# - Passphrase: STRONG PASSPHRASE

# Verify key created
gpg --list-keys

# Export public key
gpg --armor --export your@email.com > publickey.asc

# Export private key (KEEP SECRET!)
gpg --armor --export-secret-keys your@email.com > privatekey.asc
โœ… Passphrase Best Practices:
  • Minimum 20 characters (longer is better)
  • Use Diceware method: 6+ random words from wordlist
  • Never reuse passphrases from other services
  • Store in encrypted password manager (KeePassXC recommended)
  • Never store passphrase unencrypted on disk

โœ‰๏ธ Encrypting Messages

Encrypting for DrugHub Vendor:

Step 1: Import Vendor's Public Key

Copy vendor's public key from their DrugHub marketplace profile. It looks like:

-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBGVxDxUBEAC7x...
...
-----END PGP PUBLIC KEY BLOCK-----
Kleopatra Method:
  1. Copy vendor's public key
  2. Kleopatra โ†’ Tools โ†’ Clipboard โ†’ Certificate Import
  3. Verify key fingerprint with vendor (if possible)
  4. Click "Import" to add to keyring
GPG Command Line:
# Save vendor's public key to file: vendor_key.asc

# Import key
gpg --import vendor_key.asc

# Verify key fingerprint
gpg --fingerprint vendor@marketplace
Step 2: Encrypt Your Message
Kleopatra:
  1. Write your message in notepad (include shipping address if ordering)
  2. Copy message to clipboard
  3. Kleopatra โ†’ Tools โ†’ Clipboard โ†’ Encrypt
  4. Select vendor's public key as recipient
  5. Optional: Check "Sign" to also sign with your key
  6. Click "Encrypt"
  7. Encrypted message is now in clipboardโ€”paste to DrugHub marketplace message
GPG Command Line:
# Create message file: message.txt

# Encrypt for vendor
gpg --encrypt --armor --recipient vendor@marketplace message.txt

# Output: message.txt.asc (encrypted)
# Copy contents and send via DrugHub marketplace
โš ๏ธ Critical Mistakes to Avoid:
  • โŒ Encrypting with wrong key (verify vendor identity)
  • โŒ Forgetting to encrypt before sending shipping address
  • โŒ Copying encrypted message incorrectly (missing characters breaks decryption)
  • โŒ Not verifying vendor's key fingerprint (phishing risk)

๐Ÿ“– Decrypting Messages

Receiving Encrypted Messages from Vendor:

Kleopatra:
  1. Copy encrypted message from DrugHub marketplace
  2. Kleopatra โ†’ Tools โ†’ Clipboard โ†’ Decrypt/Verify
  3. Enter your private key passphrase
  4. Decrypted message appears
  5. If signed, you'll see signature verification status
GPG Command Line:
# Save encrypted message to file: encrypted_message.asc

# Decrypt message
gpg --decrypt encrypted_message.asc

# Output shows decrypted message and signature verification (if signed)
๐Ÿ’ก Signature Verification: If vendor signed their message, you'll see:
Good signature from "VendorName <vendor@marketplace>"
This proves the message is authentic and unmodified. Always check signature status!

โœ๏ธ Signing Messages

Digital signatures prove you authored a message and it hasn't been tampered with. DrugHub marketplace administrators use signatures for official announcements.

Creating Signed Messages:

Kleopatra:
  1. Write message
  2. Copy to clipboard
  3. Kleopatra โ†’ Tools โ†’ Clipboard โ†’ Sign
  4. Select your key for signing
  5. Enter your passphrase
  6. Signed message in clipboard
GPG Command Line:
# Sign message (cleartext - message remains readable)
gpg --clear sign message.txt

# Sign message (detached - creates separate signature file)
gpg --detach-sign --armor message.txt

# Sign and encrypt (recommended for vendor communication)
gpg --sign --encrypt --armor --recipient vendor@marketplace message.txt

Verifying Signatures:

Always verify signatures on:

  • DrugHub marketplace official announcements
  • Vendor PGP keys (cross-verify fingerprints)
  • Critical communications (phishing protection)
GPG Verification:
# Verify signed message
gpg --verify signed_message.asc

# Good signature output:
# Good signature from "Username <user@marketplace>"

๐Ÿ”‘ Key Management

Publishing Your Public Key:

  • DrugHub Profile: Add public key to your marketplace profile (required)
  • Keyservers: Upload to keys.openpgp.org (optional, helps vendors find your key)
  • Forum Signatures: Include key fingerprint in forum signatures

Backing Up Keys:

โš ๏ธ CRITICAL: If you lose your private key, you can NEVER decrypt messages sent to you. Back up securely!
Backup Best Practices:
  1. Export private key: gpg --export-secret-keys --armor your@email.com > private_backup.asc
  2. Store on encrypted USB drive (VeraCrypt recommended)
  3. Keep backup in secure physical location (safety deposit box, etc.)
  4. NEVER store unencrypted private key on cloud services
  5. Consider paper backup printed and stored securely

Key Rotation:

Best practice: Generate new keys every 1-2 years for forward secrecy

  1. Generate new key pair
  2. Sign new key with old key (proves continuity)
  3. Update DrugHub marketplace profile with new public key
  4. Announce key change in signed message
  5. Keep old key available for 6 months to decrypt old messages
  6. Revoke old key after transition period

Key Revocation:

If your private key is compromised or you suspect it might be:

# Generate revocation certificate (do this when you create key!)
gpg --gen-revoke your@email.com > revocation_cert.asc

# If compromised, publish revocation certificate to keyservers
gpg --import revocation_cert.asc
gpg --send-keys YOUR_KEY_ID

๐Ÿ›ก๏ธ PGP Security Best Practices

โœ… Do This:

  • Generate keys on secure, clean system (Tails recommended)
  • Use 4096-bit RSA keys
  • Create strong passphrase (20+ characters)
  • Back up private key securely
  • Verify key fingerprints through multiple channels
  • Always encrypt sensitive communications
  • Verify signatures on critical messages
  • Rotate keys every 1-2 years
  • Generate revocation certificate immediately
  • Use separate keys for different identities

โŒ Don't Do This:

  • Never share your private key
  • Never store private key unencrypted
  • Never use weak/short passphrases
  • Never send shipping address unencrypted
  • Never trust keys without verifying fingerprints
  • Never generate keys on compromised systems
  • Never reuse keys across identities
  • Never ignore signature verification failures
  • Never upload private key to keyservers
  • Never forget to back up private key

โš ๏ธ Common PGP Mistakes

1. Sending Unencrypted Shipping Address

Risk: Marketplace operators, law enforcement with database access, or hackers can see your address.
Solution: ALWAYS encrypt addresses with vendor's public key before sending.

2. Not Verifying Key Fingerprints

Risk: Phishing attacks where scammers impersonate vendors with fake keys.
Solution: Cross-verify key fingerprints from multiple sources (marketplace profile, forum, vendor's signed message).

3. Using Weak Passphrases

Risk: Private key can be brute-forced if passphrase is weak.
Solution: Use 20+ character Diceware passphrase or random string.

4. Losing Private Key

Risk: Cannot decrypt messages sent to youโ€”permanently lost.
Solution: Backup private key on encrypted USB drive immediately after generation.

5. Encrypting with Wrong Key

Risk: Wrong person can decrypt your message (shipping address goes to stranger).
Solution: Double-check recipient key before encrypting. Verify key email/name matches vendor.

๐Ÿ“‹ PGP Workflow for DrugHub Marketplace

For Buyers:

  1. Setup: Generate PGP key pair, add public key to DrugHub profile
  2. Ordering: Import vendor's public key from their profile
  3. Encrypt Address: Encrypt shipping address with vendor's public key
  4. Send Order: Paste encrypted address into DrugHub marketplace order form
  5. Receive Messages: Decrypt vendor communications with your private key
  6. Verify: Check signature on vendor messages to confirm authenticity

For Vendors:

  1. Setup: Generate PGP key pair, publish public key on profile
  2. Receive Orders: Decrypt buyer shipping addresses with your private key
  3. Respond: Encrypt updates with buyer's public key
  4. Sign Messages: Sign all communications to prove authenticity
  5. Protect Keys: Keep private key on secure system, never share

๐ŸŽ“ Advanced PGP Topics

Web of Trust

PGP's decentralized trust model where users sign each other's keys to verify identity. Rarely used in marketplace context but important for understanding key verification.

Subkeys

Advanced users can create subkeys for different purposes (encryption, signing) while protecting master key offline. Provides better security if subkey is compromised.

Key Servers

Public repositories of PGP keys. keys.openpgp.org is recommended (requires email verification). Never upload private keys!

PGP Smartcards

Hardware devices (YubiKey, etc.) that store private keys securely. Prevents key extraction even if computer is compromised. Advanced OPSEC for high-risk users.

๐Ÿ’ก PGP Quick Reference

Common GPG commands you'll use for DrugHub marketplace operations.

Key Management:

# List all keys in your keyring
gpg --list-keys

# List your secret keys
gpg --list-secret-keys

# Delete a public key
gpg --delete-key "Key ID"

# Delete a secret key (be careful!)
gpg --delete-secret-key "Key ID"

Encryption & Decryption:

# Encrypt a message for someone
gpg -e -a -r recipient@email message.txt

# Decrypt a message
gpg -d encrypted_message.asc

# Sign and encrypt in one step
gpg -se -a -r recipient@email message.txt

Signature Operations:

# Create cleartext signature
gpg --clearsign message.txt

# Verify a signature
gpg --verify signed_message.asc

Keep this reference handy when working with DrugHub marketplace communications. Practice these commands before you need them.

๐Ÿšจ If Your PGP Key is Compromised

  1. Stop all activity immediately on DrugHub Market using that key
  2. Publish revocation certificate to keyservers
  3. Generate new key pair on a clean, secure system
  4. Update DrugHub profile with new public key
  5. Notify trusted contacts about key change
  6. Assume past encrypted messages are readable by attacker

This is why creating a revocation certificate immediately after key generation is critical. Without it, key revocation becomes much harder.

๐Ÿ”— PGP Resources

๐Ÿ“– Related Guides

๐Ÿ›ก๏ธ Security Fundamentals ๐Ÿง… Tor Network ๐ŸŽญ OPSEC Principles ๐Ÿ’ฐ Monero Privacy