Guide to PGP-encryption in Tails

Guide to PGP-encryption

What is PGP?

PGP is a popular way of encrypting so only the designated recipient is able to see the encrypted contents. This method can be used to encrypt more than just communications, such as an entire hard drive – but we’re not doing that today.

Pretty Good Privacy (PGP) was created in 1991 by Phil Zimmermann and was the world’s first data encrypt- and decryption program using public cryptography.

This guide assumes that you’re a person of normal intellect using a PC of normal intelligence and possess a normally intelligible understanding of “computering”.

If you insist on learning more about the nuts and bolts in PGP and what Zimmermann eats for breakfast, google is you friend.

Zimmermann – he’s our man!

Click here to learn about the technical design of PGP.

Or hang around and learn to encrypt messages with PGP to up your online ninja skills.

How does PGP work?

When using PGP encryption for communicating you have two encryption keys:

  • A public key
  • A private key

Both keys are created by the person using them.

You can showcase the public key to your little heart’s content.

The public key is the key another person has to use if they’re sending you an encrypted message. So the public key is used to encrypt messages to you. You’ll need your private key to decrypt the messages.

If you’re sending an encrypted message to someone else, you’ll need their public key to encrypt the message before sending it.

Such logic, much sense, Wow.

This means that the private key is super secret and not to fall in to the wrong hands – which is any hands other than your own!

So how does it work?

When you have someone else’s public PGP encryption key and want to send them a message, you’ll need to write the message before running it through some software that encrypt the message to pure gibberish using the recipients public key.

The exchange of public keys can take place however you want but if you’re communicating via PGP it’s an idea to exchange them beforehand. If you’re messaging a person you either don’t know or don’t have the opportunity the give your public key to, put it in the message. The recipient will get your public key when they use their private key to decrypt the message.

It’s important to note that when downloading a “random” public key, there’s a chance that it isn’t connected to the person that uploaded it. Therefore you should always seek to verify that the public key you’re downloading actually belongs to the person you want to communicate with.

Verifying the recipient’s identity isn’t always possible, like if you’re using PGP-encryption to contact buyers or sellers at darknet markets. Lucky for us these markets are often rating based, so you can generally trust buyer and seller.

It’s also important to note that the PGP encryption isn’t more secure than the hard-/software it’s run on. So of your device has been compromised by hackers, trojans, malware or other software that picks up keystrokes or monitors your RAM while using the device, PGP won’t help you.

We naturally recommend using a non-persistent operating system such as Tails (or another well-updated, well-renowned in regard to user security OS). You can check out our guide on Tails before continuing here.

It could be the latest version of iOS on your iPhone or an Android phone from one of the larger brands where you’ve ensured to keep it up to date with the latest security updates from the manufacturer.

How do I use PGP?

Many clients have implemented PGP encryption as standard or has the ability to turn it on.

In this guide we’ll use the built-in PGP software in Tails.

Since PGP encryption works on all known platforms and there are countless free Open Source tools for en- and decrypting PGP messages, you should be able to use this guide to install and use PGP on other platforms than Tails.

This also means that your choice of platform doesn’t matter in regard to whether a recipient can read your PGP encrypted messages.

In order to use PGP correctly and to not lose any data, like your private key, you need to make a “persistent volume” in Tails. This is an encrypted file container which can only be opened with your personal passphrase.

You can read more on this in our guide to Tails (which you should really read before proceeding. Yeah, strike two but we promise not to mention it again in this guide!).

It’s important that the persistent volume has the following functions for PGP to run:

  • Personal Data
  • GnuPG

Once you’ve created your private and your public PGP keys, it’s important to restart Tails to ensure that they’ve been saved to the encrypted container (persistent volume).

Alrighty! Let’s get jazzy and send some secret messages!

How do I create PGP keys?

  1. Run Tails.
  2. Get a cup of coffee.
  3. Yell at your computer.
  4. Calm the shit down, Kemosabe.
  5. Pet your cat.
  6. Click the “clipboard” icon at the top right of the Tails desktop and then Manage Keys“.

  7. Click “file” then “new…” in the pop-up.

  8. Select “PGP Key” from the list and click “continue.

  9. You could enter your full name in the next step but you could definitely not do it too. It depends on what you’re going to use your PGP keys fors. If you’re using them to buy and sell at the deep web markets, we suggest you use the same name for your PGP keys as the name you’re using at the markets. It just makes things easier for all parties.

    The name must be at least 5 characters but if your name is shorter, you can just add some dashes or whatever you feel like.

    Then you can enter your email address. We obviously don’t recommend that, unless you’re creating PGP for your private email address that has nothing to do with darknet. In the image below we’ve entered no@way in the email address bar:

  10. Click “advanced key options” and set “key strength (bit)” at 4096 and the “expiration date” to one or two years from now.

    Note: when a pair of keys have expired your public key can no longer be used to send you encrypted messages and your private key can no longer be used to decrypt messages. This is really useful in evidence terms as no one will be able to read the messages, should they and your keys be intercepted after the expiration date. It’s easy to set and doesn’t require any extra work worth mentioning AND creating a new set of PGP keys every year or twice a year is a huge OpSec boost compared to the amount of time you spend doing it.

    It is still technically possible to use your private keys after they’ve expired, though not all tools allow it. So in the name of the highest level of OpSec delete your old and expired PGP keys after creating new ones and update your public key where you’ve posted it especially the deep web markets.
    Confirm by clicking “Create”.

  11. You’ll now be asked to set a passphrase which, in conjunction with your private key, you’ll need to decrypt files encrypted with your public key.
    Create the strongest passphrase you can think of. We’ve linked the article on creating a secure passphrase before but will gladly do it again:

    And don’t use the same passphrase all the time!

  12. After clicking “ok” allow a while – a few minutes, tops, depending on your CPU – for the keys to be generated and show up in the list of GnuPG keys in the left sidebar.

    Congrats! You have now created your very own set of PGP keys! Nice.

Alright, that’s pretty cool! But how do I use them?

Then you gotta be a fast typer! Or at least be able to press CTRL + C at the same time. For starters.

Export your public key

Select your key at the top of the list of “GnuPG keys” by clicking it.

Press CTRL + C on your keyboard. You’ve just copied your public key and can paste it wherever you like.

Let’s try it with a blank text document because you can. Go to Applications ▸ Accessories ▸ Text Editor from the top bar most to the left.

Once you’ve opened the text editor it’s time to utilize the many years you’ve spent in school, CTRL + V. And dang, look at that glorious display of useless crap! Fantastic. It’s just what we wanted.

Your screen will obviously show different characters since no one has the same public or private key (thank you Captain Obvious).

Import a public key

To send an encrypted message to someone else you need to import their public key. You can acquire one of those in numerous ways, in our example we’ve copied one from an online market.

Start copying from the first five dashes “—– BEGIN PGP PUB…” until the last five dashes at the end of the key “…PUBLIC KEY BLOCK—–“.

Copy the key from the site to your clipboard, go back to your “GnuPG keys” list, press CTRL + V and click “import” in the pop-up.

The public key is now on the list of all your other keys. In this case we can see that the name connected to the public keys is “SuperNarkoHash” (“SuperNarcoHash” for the non-Danish speakers…):

If an error message reading “Could not display ‘Clipboard text’ Reason: Unrecognized or unsupported data,” pops up, you have a formatting issue with the copied key. Try again!

Encrypt a message

Note: you need to import a public key before you can encrypt a message and send it to the key’s owner.

To encrypt the message using PGP, you need to type the message in a text editor. Never EVER use an online PGP encryption tool, or generally typing things in your browser that you don’t want anyone to see. There are various malicious Java and JavaScripts that run in a browser and pick up anything you type without you knowing.

Run the text editor we used before and type a secret message:

“Thank you for your order. Your 11 tons of hash will be shipped with DHL Express tomorrow. Hugs from the Freedom Activist”

Mark the entire message and press CTRL + C (yup, we’re copying it).

Click the “clipboard” icon in the top right corner of Tails and then “Sign/Encrypt Clipboard with Public Keys”:

This opens a new window, select the public key / user that you want to send the encrypted message to by ticking the box next to the name. You can send the encrypted message to more than one recipient from the list, in this case tick the box next to whomever you want to receive it. The result is still one encrypted message but the ones you have selected from the list will be able to decrypt it.

Once you’ve chosen the recipient(s) you have to “sign message as” in the bottom of the window and pick the key you want to send from. Remember to make sure the “hide recipients” box isn’t ticked.

Then click “OK” and the screen will ask if you trust these keys. Click “yes” and enter the passphrase for your private key. Click “OK”.

The window will disappear and the encrypted message will be in your clipboard. Go back to the text editor and press CTRL + V. You should see something reminiscent of this:

After encrypting your message you CAN’T decrypt it. Only the recipient(s) you picked when encrypting the message can decrypt it using their private keys.

If you need to remember what you wrote in the message, save it in a regular text file in the encrypted container in Tails.

All you have to do now is go to the Deep Web market, you email client or whatever platform you’re using to send the encrypted message, paste it in and press “send”.

When this is done, close the text editor and click “close without saving”.

Decrypting a message

Almost done!

When you receive a reply, or just receive a PGP encrypted message, you probably want to read it. To do so you’ll need to copy the encrypted message. Include the lines “–BEGIN PGP MESSAGE–” and “–END PGP MESSAGE–“.

So, CTRL + C, and the “clipboard” icon at the top right should display a padlock now since you just copied an encrypted message to the clipboard.

Click the padlock and then “Decrypt/Verify Clipboard” from the drop-down.

One of the following things will happen:

  • If the passphrase for your private key isn’t saved, a pop-up like the one below will appear (pop up):
    “Please enter the passphrase to unlock the OpenPGP secret key for USER…”
    Enter the passphrase and click “OK”.


  • If no private key in your “GnuPG key” list matches the public key the message was encrypted with, you’ll get an error message on failed decryption. If this is the case send a message to the sender, tell them there’s been an error and include a copy of your public key so they’re sure to have the right one. Pro-tip: encrypt that message as well 🙂

If you enter the passphrase correctly, and the message was for you, a new window with the decrypted message will pop up.

Very nice. Great success.

And now you can use PGP to en- and decrypt in- and outgoing communications.