
PGP for Tor markets, the short version

PGP guide for Tor market users: verify market mirror announcements, sign messages to vendors, encrypt shipping addresses. Beginner-friendly, no jargon.

PGP is two keys. A public key you give people so they can encrypt messages to you. A private key you keep so you can decrypt them. On Tor markets you use PGP for three things: signing messages, encrypting your shipping address so the vendor can read it but nobody else can, and verifying that a mirror announcement actually came from the market and not from a phisher.

Encrypting your shipping address

Every vendor publishes a public key on their profile page. Copy the whole block (BEGIN PGP PUBLIC KEY BLOCK to END PGP PUBLIC KEY BLOCK). Import it into your PGP client. Encrypt your shipping address with that key. Paste the encrypted block into the order notes. The vendor decrypts it. The market never sees the plain address.

If a vendor tells you to skip encryption "for convenience", move on to another vendor. There is no convenience reason that justifies sending your home address in plaintext through a marketplace.

Verifying a mirror announcement

Markets publish mirror lists on Dread. The post is signed with the market's PGP key. To verify the signature you need the market's public key (linked from the market itself or pinned in a Dread sticky) and a PGP client. Paste the signed message in, and the client tells you whether the signature checks out.

A valid signature from the market's key means the mirror list really came from the market. An invalid signature, or no signature, means you should treat the list as untrusted: the announcement might be a phisher trying to send you to a fake onion.

Which PGP client to use

On desktop: GPG Suite (macOS), Kleopatra (Windows), or the gpg command line on Linux. On mobile: OpenKeychain on Android with a paid PGP-capable email client. Tor Browser does not ship with PGP; you handle keys outside it.

Keep your private key safe

Your private key is the thing somebody would steal to read your messages or impersonate you. Keep it on an encrypted volume, off any machine you use for unrelated things. Back it up offline. If you lose it, you cannot decrypt the messages people sent you and you cannot prove the orders you placed; the only path is to generate a new key and re-upload it.
