PGP Key Management Guide

Why PGP Key Management Matters

When using darknet markets like Torzon, Nexus, or Kerberos, PGP encryption is essential for protecting sensitive communications. However, poor key management can compromise your security even with strong encryption.

This comprehensive guide covers everything you need to know about generating, storing, backing up, and managing PGP keys securely. Learn more about PGP in our GnuPG guide.

Generating Strong PGP Keys

The foundation of PGP security starts with proper key generation:

Key Length and Algorithm

• Minimum 4096-bit RSA keys - Never use anything less than 4096 bits
• Consider Ed25519 - Modern elliptic curve algorithm, smaller keys with equivalent security
• Avoid DSA/ElGamal - Older algorithms with known weaknesses

Key Generation Steps

1. Use GnuPG or Kleopatra for key generation
2. Set a strong passphrase (20+ characters, random)
3. Use a pseudonymous identity (never real name for darknet use)
4. Set appropriate expiration date (1-2 years recommended)
5. Generate revocation certificate immediately

Secure Key Storage

Your private key is the most critical piece of data to protect:

Primary Storage Options

• Encrypted USB drive - Store on LUKS/VeraCrypt encrypted device
• Hardware security key - YubiKey or similar for maximum security
• Air-gapped computer - Dedicated offline machine for key operations
• Never on cloud storage - Avoid Dropbox, Google Drive, etc.

Operational Security

• Use separate keys for different identities/markets
• Never share private keys with anyone
• Keep keys off internet-connected devices when possible
• Use Tails OS for maximum isolation

Backup Strategies

Losing your private key means losing access to encrypted messages and your market identity:

3-2-1 Backup Rule

• 3 copies - Original plus two backups
• 2 different media types - USB drive + paper backup
• 1 offsite location - Secure physical location away from primary storage

Paper Backup Method

1. Export private key to ASCII armored format
2. Print on paper using offline printer
3. Store in fireproof safe or safety deposit box
4. Consider splitting key using Shamir's Secret Sharing

Key Rotation and Expiration

Regular key rotation limits damage from potential compromise:

• Set expiration dates - Forces regular key updates
• Rotate annually - Generate new keys every 12-24 months
• Extend vs Replace - Extend existing keys or create new ones based on threat model
• Announce transitions - Notify contacts when changing keys

When to Immediately Rotate

• Suspected device compromise
• Passphrase potentially exposed
• Key uploaded to public keyserver by mistake
• Market exit scam or law enforcement action

Revocation Certificates

Generate revocation certificates immediately after key creation:

• Allows you to invalidate compromised keys
• Store separately from private key
• Upload to keyservers if key is compromised
• Create multiple copies in secure locations

Market-Specific Considerations

Different markets have different PGP requirements:

Torzon Market

• Mandatory PGP for all communications
• Auto-encryption available but manual preferred
• Verify vendor PGP keys through multiple sources

Kerberos Market

• Built-in PGP key management
• Supports key upload and verification
• 2FA integration with PGP signatures

See our market comparison for detailed PGP feature breakdown.

Common Mistakes to Avoid

• ❌ Using weak passphrases
• ❌ Storing keys on compromised devices
• ❌ Uploading private keys to keyservers
• ❌ Reusing keys across different identities
• ❌ No backup strategy
• ❌ Ignoring key expiration dates
• ❌ Not verifying vendor key fingerprints

Advanced: Subkeys

Use subkeys for enhanced security:

• Master key stays offline in cold storage
• Subkeys used for daily encryption/signing
• Compromised subkey can be revoked without losing identity
• Separate subkeys for encryption vs signing

Tools and Resources

• GnuPG - Command-line PGP implementation
• Kleopatra - GUI for Windows PGP management
• GPG Suite - macOS PGP tools
• Tails OS - Includes pre-configured PGP tools
• Mailvelope - Browser extension for webmail PGP