🔐 What is PGP?
PGP (Pretty Good Privacy) is public-key encryption; the OpenPGP standard it defined is what GnuPG, Kleopatra and GPG Suite implement. Every user has two keys:
- Public Key: Share with others - they use it to encrypt messages for you and to check your signatures
- Private Key: Keep secret - you use it to decrypt messages meant for you and to sign messages as yourself
Why DrugHub Requires PGP
- Mandatory PGP Login: Proves you control the private key
- Address Encryption: Shipping addresses must be encrypted
- Secure Communication: Messages with vendors are encrypted
- Signature Verification: Verify you're talking to real admins/vendors
📥 Installing PGP Software
Windows: Kleopatra (Gpg4win)
- Download from official site: gpg4win.org
- Run installer, select "Kleopatra" component
- Complete installation
- Launch Kleopatra from Start Menu
macOS: GPG Suite
- Download from: gpgtools.org
- Run installer package
- Complete installation
- Launch GPG Keychain
Linux: GnuPG (Usually Pre-installed)
# Check if installed
gpg --version
# Install if needed (Debian/Ubuntu; "gnupg2" is only a transitional alias for the same package)
sudo apt-get install gnupg
sudo apt-get install kleopatra # GUI
🔑 Generating Your PGP Key Pair
Using Kleopatra (Windows/Linux GUI)
- Open Kleopatra
- Click "New Key Pair" → "Create a personal OpenPGP key pair"
- Fill out form:
- Name: Use pseudonym (e.g., "DrugHubUser2025")
- Email: Fake email or leave blank (e.g., "user@localhost")
- Click "Advanced Settings"
- Set:
- Key Material: RSA
- Key Size: 4096 bits (REQUIRED by DrugHub)
- Valid until: Never expires OR 2+ years
- Click "OK" then "Create"
- Enter strong passphrase (20+ characters, store in password manager)
- Wait for key generation (may take 1-2 minutes)
Using Command Line (Linux)
gpg --full-generate-key
# Select: (1) RSA and RSA
# Key size: 4096
# Expiration: 0 (never) or 2y
# Name: DrugHubUser2025
# Email: user@localhost
# Enter strong passphrase
- Minimum 20 characters
- Mix uppercase, lowercase, numbers, symbols
- NOT related to personal information
- Store in KeePassXC or similar
- If lost, you lose access to account permanently
📤 Exporting Your Keys
Export Public Key (Share with Others)
Kleopatra:
- Right-click your key → "Export"
- OR: Right-click → "Copy" → "Copy Public Key"
- Paste into DrugHub registration form
Command Line:
# List keys with long key IDs (the full fingerprint is printed under each key)
gpg --list-keys --keyid-format long
# Export public key; address it by the full 40-digit fingerprint rather than an 8-digit short ID, which is easy to collide
gpg --armor --export YOUR_FINGERPRINT > public-key.asc
Backup Private Key (CRITICAL)
Kleopatra:
- Right-click your key → "Export Secret Keys"
- Save to encrypted USB drive or secure location
- NEVER upload to cloud or email
Command Line:
# gpg asks for your passphrase; the file it writes is still passphrase-protected, but treat it as the key itself
gpg --armor --export-secret-keys YOUR_KEY_ID > private-key-backup.asc
Storage Recommendations:
- Store on encrypted USB drive
- Use VeraCrypt encrypted container
- Multiple offline backups in separate locations
- Never store on cloud (Dropbox, Google Drive, etc.)
🔒 Encrypting Messages
Encrypting for Others (e.g., Shipping Address for Vendor)
Step 1: Import Recipient's Public Key
Copy vendor's public key from their profile → Kleopatra → "Import" → Paste
Step 2: Encrypt Your Message
Kleopatra:
- Click "Notepad" icon (Encrypt/Decrypt Notepad)
- Type your message (shipping address, etc.)
- Click "Encrypt"
- Select recipient's public key
- Copy encrypted message (starts with -----BEGIN PGP MESSAGE----- and ends with -----END PGP MESSAGE-----)
- Paste into DrugHub order form
Command Line:
# Encrypt a file (writes message.txt.asc next to it; use the vendor's full fingerprint as the recipient)
gpg --encrypt --armor --recipient VENDOR_FINGERPRINT message.txt
# Or encrypt text directly (the plaintext lands in your shell history this way; prefer the file form for addresses)
echo "Your message here" | gpg --encrypt --armor --recipient VENDOR_FINGERPRINT
Example Encrypted Shipping Address
-----BEGIN PGP MESSAGE-----
hQIMA+9K7xK3VqPeAQ/+MmxKz7TZG4RI8...(encrypted data)...vC2
=abCD
-----END PGP MESSAGE-----
🔓 Decrypting Messages
Decrypting PGP Login Challenge
When you login to DrugHub, you'll receive an encrypted challenge. Here's how to decrypt it:
Kleopatra:
- Copy the entire encrypted message from DrugHub (including headers)
- Open Kleopatra → Click "Decrypt/Verify"
- Paste the encrypted message
- Enter your PGP passphrase
- Copy the decrypted code (usually 6-8 characters)
- Paste code back into DrugHub login page
Command Line:
# Decrypt a challenge pasted on standard input (end the paste with Ctrl+D on an empty line)
gpg --decrypt
# Or save the pasted block to a file first, which avoids clipboard mangling
gpg --decrypt challenge.asc
✍️ Signing & Verifying Messages
Why Signatures Matter
Signatures prove a message came from the key owner. Always verify admin/vendor signatures to prevent phishing.
Verifying a Signature
Kleopatra:
- Copy signed message
- Click "Decrypt/Verify"
- Paste message
- Check result: ✓ Valid signature from [Name], and confirm the signing key's fingerprint is the one you verified earlier (any key can carry any name, so the name alone proves nothing)
Signing Your Messages
Kleopatra:
- Open notepad, type message
- Click "Sign"
- Select your key
- Enter passphrase
- Copy signed message
📱 Two-Factor Authentication (2FA)
Setup 2FA on DrugHub
- Login to DrugHub
- Navigate to: Settings → Security → Two-Factor Authentication
- Click "Enable 2FA"
- Scan QR code with authenticator app:
- Recommended: Aegis (Android), Raivo (iOS), or another app that can export an encrypted backup; Authy also works, but its cloud sync is tied to a phone number
- Avoid: Google Authenticator (its backups depend on syncing to a Google account, which links the codes to an identity)
- Enter 6-digit code to verify
- SAVE BACKUP CODES - Store in password manager
Using 2FA for Login
- Enter username and password
- Decrypt PGP challenge
- Enter 2FA code from authenticator app
- Successfully logged in
🔧 Common PGP Issues
❌ "Invalid PGP Key" on Registration
Cause: Key not 4096-bit or incomplete paste
Solution:
- Verify key is exactly 4096 bits (check advanced settings, or run gpg --list-keys and look for "rsa4096")
- Ensure the entire key was copied, from the -----BEGIN PGP PUBLIC KEY BLOCK----- line to the -----END PGP PUBLIC KEY BLOCK----- line inclusive
- Remove extra spaces or line breaks added by the clipboard or editor
❌ Can't Decrypt Login Challenge
Causes:
- Wrong private key selected (if you have multiple)
- Incorrect passphrase
- Incomplete encrypted message copied
Solution:
- Verify you're using the same key pair as registration
- Copy entire encrypted block including headers
- Double-check passphrase in password manager
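The two failures above, an incomplete paste and a message encrypted to a key you do not hold, can be told apart without decrypting anything. This added example, not from the guide, parses the armor framing, the radix-64 checksum on the "=XXXX" line and the leading packets in plain Python; it reports the same facts as gpg --list-packets, with the packet layout visible. The sample message it builds is constructed, not captured: its first bytes match the page's example header (the hQIMA+9K7xK3VqPeAQ/+ prefix encodes an RSA-4096 recipient whose key ID EF4AEF12B756A3DE is assumed here), and the ciphertext bytes are placeholders.

```python
"""Inspect an armored OpenPGP message without decrypting it (added example)."""
import base64

BEGIN = "-----BEGIN PGP MESSAGE-----"
END = "-----END PGP MESSAGE-----"
PUBKEY_ALGS = {1: "RSA", 2: "RSA (encrypt-only)", 16: "Elgamal", 18: "ECDH"}


def crc24(data: bytes) -> int:
    """Radix-64 checksum (RFC 4880 section 6.1) carried on the trailing '=XXXX' line."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text: str) -> tuple:
    """Return (packet bytes, crc_ok); crc_ok is None when no checksum line is present.

    Raises ValueError if the BEGIN/END lines are missing or the base64 body is cut off.
    """
    lines = [line.strip() for line in text.strip().splitlines()]
    if len(lines) < 2 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing BEGIN/END PGP MESSAGE line: copy the whole block")
    body = lines[1:-1]
    if "" in body:                       # armor headers (e.g. "Version:") end at a blank line
        body = body[body.index("") + 1:]
    crc_line = body.pop() if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body), validate=True)  # raises on a partial paste
    crc_ok = None
    if crc_line is not None:
        crc_ok = base64.b64decode(crc_line[1:]) == crc24(data).to_bytes(3, "big")
    return data, crc_ok


def packet_header(data: bytes, pos: int) -> tuple:
    """Parse one packet header at pos; return (tag, body_start, body_len)."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if first & 0x40:                     # new-format header (RFC 4880 section 4.2.2)
        tag, octet = first & 0x3F, data[pos + 1]
        if octet < 192:
            return tag, pos + 2, octet
        if octet < 224:
            return tag, pos + 3, ((octet - 192) << 8) + data[pos + 2] + 192
        if octet == 255:
            return tag, pos + 6, int.from_bytes(data[pos + 2:pos + 6], "big")
        raise ValueError("partial body lengths are not handled in this example")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03   # old-format header (section 4.2.1)
    if ltype == 3:                       # indeterminate length: body runs to the end
        return tag, pos + 1, len(data) - pos - 1
    nlen = 1 << ltype                    # 1, 2 or 4 length octets
    return tag, pos + 1 + nlen, int.from_bytes(data[pos + 1:pos + 1 + nlen], "big")


def inspect_message(text: str) -> dict:
    """List the keys a message was encrypted to (PKESK packets, tag 1) plus armor health."""
    data, crc_ok = dearmor(text)
    recipients, symmetric, truncated, pos = [], False, False, 0
    try:
        while pos < len(data):
            tag, start, length = packet_header(data, pos)
            body = data[start:start + length]
            if tag == 1:                 # Public-Key Encrypted Session Key
                key_id = body[1:9].hex().upper()   # all zeros = hidden recipient (--throw-keyids)
                recipients.append((key_id, PUBKEY_ALGS.get(body[9], "algo %d" % body[9])))
            elif tag == 3:               # Symmetric-Key ESK: passphrase-encrypted, no key needed
                symmetric = True
            else:                        # first data packet (tag 18 SEIPD, 9 SED or 8 compressed)
                break
            truncated = truncated or len(body) < length
            pos = start + length
    except (IndexError, ValueError):
        truncated = True
    return {"recipients": recipients, "symmetric": symmetric,
            "crc_ok": crc_ok, "truncated": truncated}


def build_sample(key_id_hex: str) -> str:
    """Construct an armored message shaped like the page's example (placeholder ciphertext)."""
    mpi = b"\x3f" + b"\x00" * 511        # 4094-bit integer standing in for the RSA-4096 ciphertext
    pkesk = b"\x03" + bytes.fromhex(key_id_hex) + b"\x01" + (4094).to_bytes(2, "big") + mpi
    seipd = b"\x01" + b"\xaa" * 32       # placeholder body for the encrypted-data packet
    packets = (b"\x85" + len(pkesk).to_bytes(2, "big") + pkesk     # old-format tag 1, 2-byte length
               + b"\xd2" + bytes([len(seipd)]) + seipd)              # new-format tag 18, 1-byte length
    b64 = base64.b64encode(packets).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = "=" + base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, ""] + lines + [crc, END])
```

If inspect_message reports a recipient key ID that is not in gpg --list-secret-keys, no passphrase will help: the message was encrypted to some other key. A false crc_ok or a truncated flag means the paste lost data, so go back to the source and copy the block again. gpg --list-packets on the saved file gives the same verdict for anything this parser does not cover, such as partial-body lengths.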
❌ "No secret key" Error
Cause: The private key is not in this keyring (never imported, a different GnuPG home directory, or a message encrypted to a key you do not hold)
Solution:
- Import your private key backup (gpg --import private-key-backup.asc)
- Check that the secret key is present and has an encryption subkey (an "ssb" line marked [E]) with:
gpg --list-secret-keys --keyid-format long
🎯 PGP Best Practices
- ✅ Use 4096-bit RSA keys minimum
- ✅ Create strong 20+ character passphrase
- ✅ Backup private key to multiple offline locations
- ✅ Enable 2FA on DrugHub account
- ✅ Save 2FA backup codes
- ✅ Verify signatures on admin/vendor messages
- ✅ Use different PGP key for DrugHub (don't reuse personal keys)
- ✅ Test encryption/decryption before first order
- ❌ Never share private key
- ❌ Never upload private key to cloud
- ❌ Never email private key
- ❌ Never reuse PGP key from clearnet identity
📚 Advanced PGP Concepts for DrugHub Users
Understanding Key Fingerprints
Every PGP key has a unique fingerprint: for the v4 keys GnuPG creates by default, 40 hexadecimal digits (the SHA-1 hash of the public key), usually shown in groups of four. The last 16 digits are the long key ID and the last 8 the short key ID; only the full fingerprint is safe to compare, because short IDs can be deliberately collided. On DrugHub Market, fingerprints are critical for verifying vendor and admin authenticity. When you receive a message claiming to be from DrugHub support or a vendor, always compare the signing key's fingerprint against their publicly listed fingerprint on the marketplace.
How to view a key fingerprint in Kleopatra:
- Right-click the key in your keyring
- Select "Details" or "Certificate Details"
- Find the "Fingerprint" field
- Compare character-by-character with the official fingerprint
Example fingerprint format (made-up digits):
4A8B 2C7D 9E1F 3A5B 6C8D 0E2F 1A3B 5C7D 9E0F 2A4B
A real fingerprint contains only the characters 0-9 and A-F; anything with other letters in it is not a fingerprint at all.
Key Trust Levels and the Web of Trust
PGP uses a decentralized trust model called the "Web of Trust." DrugHub doesn't require you to build a trust network, but GnuPG tracks two separate things, and the warnings you see depend on which one is involved:
- Validity: whether GnuPG believes a key really belongs to the user ID written on it. A key becomes valid when you sign it yourself (or when enough people you trust have signed it). The "There is no assurance this key belongs to the named user" warning means the key is not valid yet, not that it is fake.
- Ownertrust: how much you trust the key's owner to vouch for other people's keys. Its levels are unknown, never, marginal, full and ultimate; ultimate is reserved for your own keys.
For DrugHub operations you will not be relying on vendors to vouch for anyone, so leave their ownertrust at unknown. What matters is validity: once you have compared a vendor's fingerprint against their profile and a second channel (their signed posts elsewhere, the official market listing), certify it locally with a non-exportable signature (gpg --lsign-key FINGERPRINT, or the non-exportable option in Kleopatra's Certify dialog) so GnuPG stops warning about it. A key that fails that comparison should not be used at all.
Subkeys and Key Management
Advanced users can create subkeys for different purposes. An OpenPGP key is really a bundle: a primary key whose job is certification (signing your own user IDs and, if you choose, other people's keys) plus subkeys that do the day-to-day work. GnuPG's default RSA setup creates a primary key used for certification and signing together with a separate encryption subkey; a dedicated signing subkey can be added with gpg --quick-add-key. The separation has a practical benefit: if a subkey is compromised you can revoke it and publish a replacement without losing your identity, and the primary key can be kept offline while only the subkeys live on the machine you use daily.
DrugHub recommendation: For most users, the default key generation creates appropriate subkeys automatically. Only modify subkey settings if you understand the implications fully, and remember that the market encrypts to the copy of your public key it has on file, so re-upload the key after adding a subkey.
🏗️ PGP Security Architecture on DrugHub
How DrugHub Implements PGP Authentication
DrugHub Market uses PGP for mandatory two-factor authentication during login. This implementation differs from simple password-based systems and provides cryptographic proof that you control the private key associated with your account. The process works as follows:
- Registration: You submit your 4096-bit RSA public key during account creation
- Key Storage: DrugHub stores only your public key (never your private key)
- Login Challenge: When you attempt login, DrugHub encrypts a random challenge code using your public key
- Decryption Proof: Only someone with the corresponding private key can decrypt this challenge
- Verification: Entering the correct decrypted code proves you control the private key
This system closes several attack vectors common on other marketplaces, with caveats worth knowing:
- Phishing resistance: credentials typed into a fake site do not let the attacker decrypt your challenge. A proxy phishing site can, however, forward the real site's challenge to you and wait for you to decrypt it, so read the decrypted text before using it: if it names a site address, make sure it is the onion address you actually typed, and never paste a decrypted code into a page you reached from a link
- Database breach protection: a stolen user table holds only public keys and password hashes, neither of which allows login without your private key
- Session hijacking: the login challenge proves possession of the key at login time only. Sessions are protected against hijacking only if the site re-challenges during the session, so treat the session cookie as sensitive and log out when you are done
Encrypted Communication Channels
All sensitive information on DrugHub should be PGP encrypted, including:
- Shipping addresses: Always encrypt with vendor's public key before submission
- Personal information: Never send unencrypted details in messages
- Order notes: Sensitive instructions should be encrypted
- Dispute evidence: Encrypt attachments when privacy is critical
Message Integrity and Non-Repudiation
PGP signatures provide two critical security properties for DrugHub communications:
Integrity: If a signed message is altered in any way, the signature verification fails. Signatures do not stop someone from intercepting and modifying a message between you and a vendor, but they make the modification detectable, which is what defeats the attack in practice.
Non-repudiation: A valid signature cryptographically proves the message came from the key owner. Vendors cannot deny sending a message they signed, and you cannot deny signing messages with your key. This is essential for dispute resolution, and it cuts both ways: anything you sign is permanently attributable to that key, which is one more reason never to sign marketplace messages with a key tied to a clearnet identity.
🛡️ Operational Security with PGP
Secure Key Storage Strategies
Your PGP private key is the most sensitive piece of data in your DrugHub operations. Proper storage prevents account takeover and protects your transaction history:
Hardware Security Keys
For maximum security, consider storing your PGP key on a hardware security device like YubiKey or Nitrokey. These devices:
- Never expose your private key to the computer
- Perform cryptographic operations on-device
- Require physical presence for signing/decryption
- Protect against malware-based key theft
Air-Gapped Systems
Advanced users may maintain their private key on a computer that never connects to the internet. Messages are transferred via USB for decryption. While complex, this approach provides strong isolation from network-based attacks.
Encrypted Containers
At minimum, store your key backup in an encrypted container:
- VeraCrypt: Create encrypted volume on USB drive
- LUKS: Linux unified key setup for full disk encryption
- BitLocker: Windows built-in encryption (use with TPM)
Key Rotation and Expiration
Security best practices recommend periodic key rotation. On DrugHub this is awkward because your account is tied to your key. Consider these approaches:
- Long-term key with strong security: Use a key that never expires, but protect it extremely well
- Periodic account migration: Create new account with new key every 1-2 years
- Subkey rotation: If using subkeys, add a fresh encryption subkey while keeping the same primary key, so the fingerprint (and with it the account identity) does not change. The market encrypts to the public key it has on file, so re-upload the updated public key, and keep the old subkey's secret material until every message encrypted to it has been read
Emergency Procedures
Plan for potential security incidents:
If You Suspect Key Compromise:
- Immediately login to DrugHub and change all security settings
- Withdraw any funds to a secure wallet
- Contact DrugHub support to flag your account
- Generate new key pair on a clean system
- Create new DrugHub account with new key
- Revoke the compromised key. GnuPG 2.1 and later writes a revocation certificate to openpgp-revocs.d/ inside your GnuPG home directory when the key is generated; otherwise create one beforehand with gpg --gen-revoke and keep it with your backups, because you cannot revoke a key whose secret material or passphrase you have lost
💬 PGP for Vendor Communication
Encrypting Shipping Addresses
One of the most critical uses of PGP on DrugHub is encrypting your shipping address. This ensures that only the intended vendor can read your delivery details:
- Navigate to the vendor's profile page on DrugHub
- Locate and copy their PGP public key
- Import the key into Kleopatra or your PGP software
- Verify the key fingerprint matches what's displayed on their profile
- Compose your address in a text file or Kleopatra's notepad
- Encrypt the text using the vendor's public key
- Paste the encrypted message into DrugHub's order form
Example encrypted shipping address format:
-----BEGIN PGP MESSAGE-----
hQIMA+9K7xK3VqPeAQ/+N2FbzP3vG8... (encrypted data)
=XXXX
-----END PGP MESSAGE-----
Verifying Vendor Identity
Before placing orders, especially with new vendors, verify their PGP key authenticity:
- Check if the vendor has posted their key on Dread or other forums
- Compare fingerprints across multiple sources
- Look for signed messages from the vendor proving key ownership
- Be suspicious if a vendor's key suddenly changes without announcement
Secure Message Templates
For efficiency, create message templates that you encrypt before each use:
--- SHIPPING INFO ---
Name: [Full Name]
Street: [Street Address]
City: [City]
State/Province: [State]
Postal Code: [ZIP/Postal]
Country: [Country]
Phone (optional): [Phone]
Special Instructions: [Notes]
---
❓ Frequently Asked Questions
Q: Why does DrugHub require 4096-bit keys specifically?
A: 4096-bit RSA keys provide security margins well into the 2030s against known attack methods. While 2048-bit keys remain technically secure, DrugHub enforces 4096-bit to ensure long-term protection of user accounts and encrypted communications.
Q: Can I use elliptic curve keys instead of RSA?
A: Currently, DrugHub requires RSA keys. Elliptic curve keys (ed25519 for signing paired with cv25519 for encryption in GnuPG) offer comparable security with much smaller keys and faster operations, but RSA remains the most widely supported choice. Future updates may support additional algorithms.
Q: How do I know if my PGP software is secure?
A: Use only well-audited, open-source implementations: GnuPG (command line), Kleopatra (Gpg4win GUI), or GPG Suite (macOS). Avoid online PGP tools or browser extensions - these can leak your private key.
Q: What happens if I lose my PGP passphrase?
A: Without your passphrase, your private key is unusable. This means you cannot login to DrugHub or decrypt any messages. There is no recovery - you must create a new DrugHub account with a new key pair. Store your passphrase in a password manager.
Q: Should I sign my messages to vendors?
A: Signing is optional but recommended for important communications. It proves the message came from you and wasn't modified. For routine orders, encryption alone is sufficient.
Q: How long does PGP encryption add to the ordering process?
A: Once you're familiar with your PGP software, encrypting a shipping address takes under 30 seconds. The security benefits far outweigh this minimal time investment.