What is PGP and how is it used on Tor markets?
Last reviewed: June 2026
Pretty Good Privacy (PGP), and its free-software implementation GnuPG, are tools that implement the OpenPGP standard for asymmetric encryption and digital signing. On Tor marketplaces PGP appears in three places: encrypting an order note to a vendor, verifying that a mirror-rotation announcement came from the marketplace operator, and signing your own messages so that a counterparty can verify they came from you.
Encrypting an order note
Each vendor publishes a public key on their profile page. Import it into your PGP client, encrypt your shipping address to the vendor's key, and paste the resulting ASCII-armored block into the order notes. The marketplace operator never sees the plaintext; only the holder of the matching private key can decrypt it, so the protection is only as good as your confidence that the imported key really belongs to the vendor.
Verifying a mirror announcement
Operators publish endpoint rotations on Dread as messages carrying a detached PGP signature. Import the operator's public key once and record its fingerprint. Paste a signed announcement into your PGP client: if the signature validates and the signing key's fingerprint is the one you recorded, the announcement came from the operator. A "good signature" result on its own only says that some key in your keyring produced the signature. If the signature does not validate, treat the announcement as untrusted, however convincing the formatting looks.
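As an added example that is not part of the original page, the script below (POSIX sh with GnuPG 2.1 or later; the key names, the example.invalid addresses and the announcement text are all constructed) shows why "the signature validates" is not the whole check: a message signed by a different key that happens to be in your keyring also gets "Good signature" from gpg, and only comparing the signer's fingerprint against the one you pinned tells the two apart.

```shell
#!/bin/sh
# Added example, not taken from the page: verify a clearsigned announcement and accept it
# only when the signing key matches a fingerprint pinned beforehand. Keys, names and the
# message are all constructed in a throwaway GNUPGHOME; none of them is a real key.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; nothing to demonstrate" >&2; exit 0; }

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

# Batch-mode gpg with an empty passphrase (throwaway keys only; real keys get a passphrase).
g() { gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"; }
# Primary-key fingerprint of a key in the keyring, the value a profile page would publish.
fpr_of() { gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'; }

# One key plays the operator; a second, unrelated key also sits in the same keyring.
g --quick-generate-key 'operator <operator@example.invalid>' ed25519 sign never 2>/dev/null
g --quick-generate-key 'other <other@example.invalid>' ed25519 sign never 2>/dev/null
OPERATOR_FPR=$(fpr_of operator@example.invalid)
OTHER_FPR=$(fpr_of other@example.invalid)

# Constructed announcement: signed by the operator, signed by the other key, and edited after signing.
printf 'Constructed sample announcement: endpoint rotation scheduled.\n' > "$WORK/announce.txt"
g --local-user "$OPERATOR_FPR" --clearsign --output "$WORK/genuine.asc" "$WORK/announce.txt"
g --local-user "$OTHER_FPR" --clearsign --output "$WORK/other-key.asc" "$WORK/announce.txt"
sed 's/scheduled/cancelled/' "$WORK/genuine.asc" > "$WORK/tampered.asc"

# verify_announcement FILE PINNED_FPR prints one of:
#   ok        signature valid and made by the pinned key
#   wrong-key signature valid ("Good signature"), but made by some other key in the keyring
#   invalid   signature bad, or signer not in the keyring at all
verify_announcement() {
  status=$(gpg --batch --status-fd 1 --verify "$1" 2>/dev/null) || { echo invalid; return 0; }
  # The last field of the VALIDSIG status line is the signer's primary-key fingerprint.
  signer=$(printf '%s\n' "$status" | awk '$1=="[GNUPG:]" && $2=="VALIDSIG"{print $NF; exit}')
  if [ "$signer" = "$2" ]; then echo ok; else echo wrong-key; fi
}

for f in genuine other-key tampered; do
  printf '%-10s %s\n' "$f" "$(verify_announcement "$WORK/$f.asc" "$OPERATOR_FPR")"
done
# Prints: genuine ok / other-key wrong-key / tampered invalid
```

The same fingerprint comparison applies to a detached signature; only the `gpg --verify` invocation changes (signature file first, then the signed file).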
Which client to use
Desktop: Kleopatra (Windows; ships with Gpg4win), GPG Suite (macOS), or the gpg command line (Linux, BSD, macOS). Mobile: OpenKeychain on Android. Tor Browser does not bundle PGP; key management happens outside the browser process.
Key hygiene
Your private key is the credential. Keep it under a passphrase, on a volume you do not use for unrelated browsing. Back up the revocation certificate offline at the moment of generation (GnuPG 2.1 and later write one automatically into openpgp-revocs.d under the GnuPG home directory); a revoked key cannot be unrevoked, and a lost private key cannot be regenerated.