Sep 15, 2025 — Privacy & Security

PGP Encryption for Darknet: Best Practices Updated


PGP (Pretty Good Privacy) encryption remains the cornerstone of communication security in darknet environments. Whether encrypting shipping addresses sent to vendors, verifying market admin announcements, or enabling two-factor authentication, PGP usage is expected of any security-conscious participant. This article updates the standard guidance with current best practices for 2025.

Key Algorithm Selection: RSA vs Ed25519

Two primary key types are in wide use for PGP in 2025:

  • RSA 4096-bit: The traditional choice with broad compatibility. A 4096-bit RSA key provides approximately 140 bits of security against classical computing attacks, which exceeds current practical threat models. RSA keys are larger and signing operations are slower, but the format is supported by virtually every PGP implementation.
  • Ed25519 (EdDSA with Curve25519): A modern elliptic curve algorithm offering equivalent security to RSA 3072 with dramatically smaller keys and faster operations. Ed25519 keys are approximately 256 bits in size versus RSA 4096's several kilobytes. Most current GPG versions (2.1+) support Ed25519.

For most darknet users, Ed25519 is the recommended choice for new keys: it is faster, produces smaller signatures that fit more easily in market message fields, and is considered cryptographically stronger per byte. Note that Ed25519 is a signature algorithm only; a GPG key of this type carries a Curve25519 (cv25519) subkey that does the actual encryption, so both must be present for correspondents to encrypt to you. RSA 4096 remains acceptable and may be preferred if compatibility with older GPG installations (before 2.1) is a concern.

Key Expiry Settings

Setting an expiry date on PGP keys is a recommended security practice. Once a key has expired, GPG refuses to encrypt to it (without an explicit override), which limits the damage window if the key is compromised without the owner's knowledge. Recommended expiry periods for operational keys are 1-2 years, with the key renewed before expiry. Renewal does not change the private key: the self-signature on the public key is re-issued with a later expiry date, and the updated public key is then redistributed to correspondents.

A key without an expiry date remains valid indefinitely. If such a key is compromised and the owner does not realize it promptly, the attacker can decrypt any message encrypted to that key for an unlimited period.
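The key generation and expiry handling described above, as an added shell example (not code from the original article): it builds an Ed25519 signing key with a Curve25519 encryption subkey and a one-year expiry in a throwaway GNUPGHOME, parses the expiry out of `gpg --with-colons` output, classifies it, and renews it to two years with `--quick-set-expire`. The user id, the passphrase and the 30-day renewal window are assumptions chosen for the example; the GnuPG options are those of GnuPG 2.2 or later.

```shell
#!/bin/sh
# Added example, not code from the original article: generate an Ed25519
# signing key plus a Curve25519 (cv25519) encryption subkey with a 1-year
# expiry, classify the expiry, and renew it with GnuPG 2.2+.
# All GnuPG work happens in a throwaway GNUPGHOME so the user's real keyring
# is untouched. The user id and passphrase are constructed placeholders.
set -eu

# In `gpg --with-colons` output the `pub:` record carries the key's expiry
# in field 7 as a Unix timestamp; the field is empty for a key that never
# expires. Reads the colon-separated output on stdin.
expiry_from_colons() {
    awk -F: '$1 == "pub" { print $7; exit }'
}

# Whole days from $1 to $2 (both Unix timestamps); negative when $2 is past.
days_between() {
    echo $(( ($2 - $1) / 86400 ))
}

# Decide what to do with a key: "never" (no expiry set, the case the article
# warns against), "expired", "renew-soon" (30 days or less left) or "ok".
# $1 = expiry timestamp or empty, $2 = the current time as a timestamp.
# The 30-day window is an assumption for this example.
expiry_status() {
    if [ -z "$1" ]; then
        echo never
        return 0
    fi
    d=$(days_between "$2" "$1")
    if [ "$d" -lt 0 ]; then
        echo expired
    elif [ "$d" -le 30 ]; then
        echo renew-soon
    else
        echo ok
    fi
}

# Live walk-through against a real gpg binary (GnuPG 2.2 or later).
key_lifecycle_demo() {
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    uid='Example Persona <persona@example.invalid>'      # constructed
    pass='demo-only-passphrase-use-diceware-for-real'     # constructed

    # Primary key: Ed25519, certify+sign, expires in 1 year.
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$pass" \
        --quick-generate-key "$uid" ed25519 sign 1y
    fpr=$(gpg --batch --with-colons --list-secret-keys \
          | awk -F: '$1 == "fpr" { print $10; exit }')

    # Encryption subkey: Curve25519 ECDH, same 1-year expiry. Ed25519 only
    # signs; anything encrypted to this identity uses this subkey.
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$pass" \
        --quick-add-key "$fpr" cv25519 encr 1y

    now=$(date +%s)
    exp=$(gpg --batch --with-colons --list-keys "$fpr" | expiry_from_colons)
    echo "fingerprint: $fpr"
    echo "expires in $(days_between "$now" "$exp") days," \
         "status: $(expiry_status "$exp" "$now")"

    # Renewal: only the self-signature's expiry changes; the key material
    # does not. Primary key and subkeys ('*') are renewed in separate calls.
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$pass" \
        --quick-set-expire "$fpr" 2y
    gpg --batch --quiet --pinentry-mode loopback --passphrase "$pass" \
        --quick-set-expire "$fpr" 2y '*'
    exp2=$(gpg --batch --with-colons --list-keys "$fpr" | expiry_from_colons)
    echo "renewed: new expiry $exp2 (was $exp)"

    rm -rf "$GNUPGHOME"
}

# Run the GnuPG part only when asked: `sh pgp_key_lifecycle.sh live`.
if [ "${1:-}" = live ]; then
    key_lifecycle_demo
fi
```

Without the `live` argument the script only defines the helpers, so they can be sourced. `expiry_status` is the piece worth wiring into a periodic check over your own keyring, feeding it the `pub:` records of `gpg --with-colons --list-keys`; a result of `never` on an operational key is exactly the condition the paragraph above warns about.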

Passphrase Strength

The PGP private key stored on disk is encrypted under a key that a key derivation function (KDF; in OpenPGP, the string-to-key or S2K function) derives from the passphrase. Passphrase strength is therefore critical: if the key file is copied off the user's device, a weak passphrase lets an attacker crack it offline at whatever speed their hardware allows.

Best practice for passphrase selection: use a diceware passphrase of at least 6 words, drawn at random (with dice or a cryptographic random number generator, never chosen by hand) from a 7776-word list. Such a passphrase provides approximately 77 bits of entropy, which resists offline brute-force attacks even with significant computational resources. Avoid dictionary words used alone, keyboard patterns, and any phrase with personal significance.

Key Management

  • Never upload the private key anywhere. The private key should never leave your local machine or air-gapped device. Key servers and market platforms only receive your public key.
  • Revocation certificate: Generate a revocation certificate when creating the key and store it separately. If the private key is ever compromised, the revocation certificate allows you to publicly invalidate the key.
  • Separate keys per identity: Use different PGP keys for different operational identities. Never reuse a key across platforms or personas.
  • Offline key generation: For maximum security, generate keys on an air-gapped machine (ideally Tails OS), export the public key for use, and keep the private key offline.
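The "only the public key leaves the machine" rule from the list above, turned into a mechanical check, as an added shell example (not code from the original article): it inspects an armored export for OpenPGP armor headers before anything is shared, wraps `gpg --export` so a bad export is discarded, and shows where GnuPG 2.1+ stores the revocation certificate it generates automatically at key creation. The constructed key-block bodies in the self-check and the fingerprint in the usage note are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original article: pre-share checks for a
# PGP key export. Only the public key may ever leave the machine; these
# functions make that a check rather than a habit.
set -eu

# Armor header lines defined by OpenPGP (RFC 4880, section 6.2).
PUBLIC_HEADER='-----BEGIN PGP PUBLIC KEY BLOCK-----'
PRIVATE_HEADER='-----BEGIN PGP PRIVATE KEY BLOCK-----'

# Returns 0 only when the file holds at least one armored public key block
# and no private key block at all. Anything else is unsafe to paste into a
# market profile, a key server or a message.
is_public_only() {
    grep -qF -- "$PUBLIC_HEADER" "$1" || return 1
    ! grep -qF -- "$PRIVATE_HEADER" "$1"
}

# Export the public key for a fingerprint, then verify the result before
# handing the path back. A failed check removes the file and returns 1.
export_public_key() {   # $1 = fingerprint, $2 = output path
    gpg --batch --armor --export "$1" > "$2"
    if ! is_public_only "$2"; then
        rm -f "$2"
        echo "refusing to keep $2: not a public-only export" >&2
        return 1
    fi
    echo "$2"
}

# GnuPG 2.1+ writes a revocation certificate for every newly generated key
# to $GNUPGHOME/openpgp-revocs.d/<FINGERPRINT>.rev. Copy it to separate
# offline storage; importing it later (gpg --import) revokes the key.
revocation_cert_path() {   # $1 = fingerprint
    echo "${GNUPGHOME:-$HOME/.gnupg}/openpgp-revocs.d/$1.rev"
}

# Self-check on constructed files, so the logic runs without gpg installed.
selfcheck() {
    dir=$(mktemp -d)
    printf '%s\nmQ...constructed body...\n-----END PGP PUBLIC KEY BLOCK-----\n' \
        "$PUBLIC_HEADER" > "$dir/pub.asc"
    printf '%s\nlQ...constructed body...\n-----END PGP PRIVATE KEY BLOCK-----\n' \
        "$PRIVATE_HEADER" > "$dir/sec.asc"
    cat "$dir/pub.asc" "$dir/sec.asc" > "$dir/both.asc"
    is_public_only "$dir/pub.asc"  && echo "pub.asc: safe to share"
    is_public_only "$dir/sec.asc"  || echo "sec.asc: PRIVATE key, never share"
    is_public_only "$dir/both.asc" || echo "both.asc: contains private material"
    rm -rf "$dir"
}

selfcheck
```

In use, replace the export-and-paste habit with `export_public_key <FINGERPRINT-PLACEHOLDER> persona-pub.asc`, and keep one GNUPGHOME per operational identity (for example by exporting a different `GNUPGHOME` before running gpg for each persona) so that `revocation_cert_path` and the key material for one identity never sit in the same keyring as another's.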

GPG Software Options

GNU Privacy Guard (GPG/GnuPG) is the standard open-source implementation of the OpenPGP standard. GPG 2.2+ is available on Windows, macOS, and Linux. On Windows, Gpg4win is the recommended package that bundles GPG with the Kleopatra GUI. On macOS, GPG Suite provides a similar integrated experience. Command-line usage is recommended for security-sensitive operations as it reduces the risk of GUI-based key exposure.

Critical

Your PGP private key must never be uploaded to any server, market, or cloud storage. Only your public key is shared. If you are asked to provide a private key for any reason, refuse immediately and treat the request as a social engineering attack.
