Cannazon: Pretty Good Privacy (PGP)


When using darknet markets you will have to reveal some personal data, such as a name and address for shipping. Other information is exchanged as well which might not identify you directly but is still valuable or should simply be kept secret. To make the exchange as secure as possible, this information should be encrypted. We also have to mention at this point that you do not have to encrypt every message: simply saying "Thanks" or sending other non-critical messages does not require encryption.

With the encryption program Pretty Good Privacy (PGP), encrypting your messages is pretty easy. Besides encryption, PGP also supports signing messages, which can be used to prove one's identity.

Let's see how PGP works.

PGP uses two kinds of keys to encrypt and decrypt messages:

  • Public key, used for encryption (has to be shared with others)
  • Private key, used for decryption and signatures (must never be shared with others)

The following image illustrates the encryption and decryption of a message:

Pretty Good Privacy (PGP)

To put this in the context of our market, you will encrypt your confidential information, such as the shipping address, with the public key of a vendor. This public key can be found either on the vendor's profile or directly when creating an order. The vendor can decrypt your message with his private key. The important point is that the message can only be decrypted by the vendor, as he owns the private key corresponding to the public key with which you encrypted the message. Another important point is that the plain message is never processed by any third party (such as the market), as it is encrypted and decrypted locally. That is also the reason why we do not recommend using the automatic PGP encryption for orders.

You probably wonder how you can do all of this. Continue with the next section to learn how to use PGP on Tails.


If you are using Tails (which we strongly recommend) you are already ready to start using PGP. Everything you need is pre-installed and easy to use. In the next chapters you will learn everything you need to know to use PGP on the market.

Besides the tutorials here, have a look at the official PGP documentation for Tails at tails.boum.org.


Prerequisite

As a prerequisite, please make sure you have set up your persistent storage on Tails, as your keys cannot be saved otherwise. You can find out how to set up your persistent storage in the official Tails documentation at tails.boum.org.

As PGP uses a key pair consisting of a public and a private key, generating one is the first step.

  1. Click on the clipboard icon on the taskbar at the top-right of your screen and select the option “Manage Keys”.
  2. In the new window that appears, click on “File” at the top and select the “New…” option.
  3. From the list of items you can create, choose “PGP Key” and click “Continue”.
  4. Then you can enter your “Full Name”. Obviously do not use your real one, because everyone who has your public key can see that name later. It is advised to choose the same username that you already have on a market, because it will make it easier for your vendor. You can leave the “Email Address” field blank. Click on “Advanced key options” and set the “Key strength (bits)” to 4096. Finally, confirm the data by clicking on “Create”.
  5. You are now asked to set a password which, in combination with your private key, is necessary to decrypt messages that were encrypted with your public key. Make sure to choose a strong password, but do not forget or lose it either. Learn here how to generate and manage your passwords.
  6. After you click on “OK” you will have to wait a bit (usually no longer than a few seconds), and then you will see your key in the list of GnuPG keys (click on “GnuPG keys” in the left sidebar).

To use your new PGP key pair, you need to get your public key. Just select your key in the “GnuPG keys” list and press CTRL + C. Your public key is now copied and can be pasted anywhere.

Creating a PGP key pair


Before you can place your first order you have to maintain your public PGP key in your account settings. This is necessary because, for example, your vendor has to encrypt any message he wants to send to you with it. The next steps explain how to maintain your public PGP key.

  1. Click on the clipboard icon on the taskbar at the top-right of your screen and select the option “Manage Keys”.
  2. In the new window that appears, click on “GnuPG keys” in the left sidebar. Select your key and copy it with CTRL + C.
  3. Paste the key with CTRL + V into your account settings. Click on “Update Settings”.
  4. Copy the displayed encrypted message with CTRL + C.
  5. The clipboard icon should now show a padlock, meaning that the clipboard contains encrypted text. Click on it and select “Decrypt/Verify Clipboard” from the menu.
  6. Enter the passphrase for your private key and click “OK”.
  7. The decrypted text appears in a new window. Copy it with CTRL + C.
  8. Paste the code into the input field and save your public key by clicking “Save PGP Key”.

Maintaining your public PGP key in your account settings


To be able to encrypt a message you have to import the public key of your vendor (or of whoever you want to send a message to). The next steps explain how to import the public key of a vendor during the order process. Note that you can also obtain the vendor's public key from his profile.

  1. Copy the public key that is displayed on the checkout page by clicking in the text box below “Vendor's Public Key”. Hit CTRL + A to select everything and CTRL + C to copy the public key.
  2. Click on the clipboard icon on your taskbar at the top-right of your screen and select the option “Manage Keys”.
  3. Click on “GnuPG keys” in the left sidebar and press CTRL + V to paste and import the public key. Click on the “Import” button in the window that pops up.
  4. You should now see your vendor’s public key in the list.

If you get a pop-up with the following error: “Could not display ‘Clipboard text’ Reason: Unrecognized or unsupported data”, then there was a formatting problem with the key you copied into the clipboard. Make sure that you copy the whole key, including the five dashes at the beginning and end of the key and the “BEGIN” and “END” lines. PGP is very picky about formatting errors.

Importing a public PGP key
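A small pre-import check for the formatting problem described above, added here as an example and not part of the original page: it flags typographic dashes, carriage returns, a missing END line, or a body that is not base64 before gpg ever sees the block. It assumes only POSIX tools plus `base64`; the CRC24 trailer is left for gpg itself to verify.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check a copied ASCII-armored PGP block
# before importing it. Catches the usual copy/paste damage; the CRC24 trailer is left to gpg.
set -e

# check_armor FILE: returns 0 if FILE looks like one complete, well-formed armored block,
# otherwise prints the reason to stderr and returns 1.
check_armor() {
  f="$1"
  # 1. Every byte must be printable ASCII. Typographic dashes ("—–BEGIN"), smart quotes and
  #    the carriage returns of a Windows paste all fail here; they are the usual cause of
  #    "Unrecognized or unsupported data".
  if LC_ALL=C grep -q '[^ -~]' "$f"; then
    echo "non-ASCII bytes found (typographic dashes or CR line endings?)" >&2; return 1
  fi
  # 2. First line must be "-----BEGIN PGP <TYPE>-----", last line the matching END line.
  kind="$(sed -n '1s/^-----BEGIN PGP \(.*\)-----$/\1/p' "$f")"
  if [ -z "$kind" ]; then echo "missing or garbled BEGIN line" >&2; return 1; fi
  if [ "$(tail -n 1 "$f")" != "-----END PGP ${kind}-----" ]; then
    echo "missing or garbled END line (truncated paste?)" >&2; return 1
  fi
  # 3. After the blank line that ends the armor headers, everything up to the "=XXXX" CRC
  #    line must be base64; a body that does not decode means characters were dropped.
  body="$(sed -n '/^$/,$p' "$f" | sed '1d;$d' | grep -v '^=' || true)"
  if [ -z "$body" ] || ! printf '%s\n' "$body" | base64 -d >/dev/null 2>&1; then
    echo "armor body missing or not valid base64" >&2; return 1
  fi
  return 0
}
```

Run it as `check_armor key.asc` on the text you are about to paste; a non-zero exit with the reason on stderr tells you what to re-copy.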


Prerequisite

You first need to import the public key of the user (e.g. a vendor) you want to send your message to.

To encrypt a message with someone's public key follow the next steps.

  1. Open a text editor (gedit) by clicking “Applications” and then “Text Editor”.
  2. Write your message and press CTRL + A and then CTRL + C to copy the message.
  3. After that, click on the clipboard icon and select “Sign/Encrypt Clipboard with Public Keys”.
  4. In the new window, select the public key of the user you want to encrypt the message for (e.g. your vendor) by ticking the checkbox in front of the list entry. Click on “OK” to proceed.
  5. You will be asked if you trust these keys. Click on “Yes”. The window then closes automatically and the encrypted message is stored in your clipboard.
  6. Paste the encrypted message, e.g. into the order checkout, by pressing CTRL + V.

After you have encrypted your message you will NOT be able to decrypt it any more. Only the person with the corresponding private key and its password will be able to do so (in this case the vendor).

Encrypting a message


Prerequisite

You need a message that was encrypted with your public key for the next steps.

If you receive an encrypted message there is an easy way in Tails to decrypt it.

  1. Select the encrypted text that you want to decrypt. Include the lines “-----BEGIN PGP MESSAGE-----” and “-----END PGP MESSAGE-----”. Then copy it to your clipboard with CTRL + C.
  2. The clipboard icon should now show a padlock, meaning that the clipboard contains encrypted text. Click on it and select “Decrypt/Verify Clipboard” from the menu.
  3. Enter the passphrase for your private key and click “OK”.
  4. The decrypted text appears in a new window.

Decrypting an encrypted message


No, you only need to encrypt messages which contain sensitive information such as a shipping address or packaging details. Other messages which do not contain sensitive information should not be encrypted, for usability and security reasons (every time you enter your private key's password is a risk).


No, only the user who holds the private key corresponding to the public PGP key you used to encrypt the message can decrypt it.


No, not at all. Please never do this, as any information entered there can no longer be considered private. Your private key and password might end up in the hands of others.