
DrugHub PGP Encryption Tutorial

Learn to set up PGP encryption for secure, anonymous communication on DrugHub. Required for DrugHub authentication, messaging, and mirror verification.

01 What is PGP?

PGP (Pretty Good Privacy) is a data encryption and decryption program that provides cryptographic privacy and authentication. Created in 1991 by Phil Zimmermann, PGP has become the gold standard for secure communication. DrugHub uses PGP as the foundation of its security model, replacing traditional passwords with cryptographic authentication.

PGP uses a combination of symmetric-key cryptography and public-key cryptography to achieve both speed and security. When you encrypt a message for a DrugHub vendor, PGP generates a random session key, encrypts your message with that key, then encrypts the session key with the recipient's public key. Only the recipient's private key can decrypt the session key and thus the message.

The open-source implementation of PGP is called GnuPG (GNU Privacy Guard), commonly abbreviated as GPG. This is the software you'll use for DrugHub - it's free, well-audited, and included by default in Tails OS. When we refer to PGP in this DrugHub guide, we're using the term interchangeably with GPG.

Key PGP Concepts for DrugHub Users

  • Public Key: Shared with others so they can encrypt messages to you or verify your DrugHub signatures
  • Private Key: Kept secret - used to decrypt messages and prove your DrugHub identity
  • Key Pair: Your public and private keys together - mathematically linked
  • Signature: Cryptographic proof that a message came from the key holder
  • Fingerprint: Unique identifier for a key - verify DrugHub's official key this way
  • Keyring: Collection of keys you've imported - includes DrugHub vendors' keys
  • Passphrase: Password protecting your private key - memorize it for DrugHub security

How PGP Encryption Works

Understanding how PGP works helps you use it correctly on DrugHub. Here's a simplified explanation:

  1. Key Generation: You generate a mathematically linked pair of keys - one public, one private
  2. Key Exchange: You share your public key on DrugHub; others share theirs with you
  3. Encryption: To send a private message to a DrugHub vendor, encrypt it with their public key
  4. Decryption: Only the vendor's private key can decrypt your message
  5. Signing: You sign messages with your private key to prove they're from you
  6. Verification: Others verify your signature using your public key

02 Why DrugHub Requires PGP

DrugHub requires PGP for all users - this is non-negotiable. Unlike most websites that use passwords, DrugHub implements passwordless authentication using PGP. This design decision makes DrugHub accounts fundamentally more secure than traditional marketplace accounts. Understanding why DrugHub chose this approach helps you appreciate the protection it provides.

The DrugHub team learned from security failures at previous marketplaces. Password-based systems are vulnerable to phishing, keyloggers, database breaches, and social engineering. By requiring PGP for DrugHub authentication, these attack vectors become ineffective. Even if an attacker creates a perfect DrugHub phishing site, they cannot capture your credentials because there are no credentials to capture.

DrugHub PGP Benefits

  • No passwords to steal via keyloggers or phishing
  • Messages encrypted end-to-end - only you can read them
  • Verify authentic DrugHub mirrors using signatures
  • Prove your identity cryptographically on DrugHub
  • Immune to database breaches - no password hashes to crack
  • Encrypt shipping addresses so only vendors can read them
  • Two-factor authentication built into the DrugHub login process
  • Verify vendor identity through their DrugHub PGP key

Without PGP on DrugHub

  • Passwords can be keylogged on compromised systems
  • Phishing sites can capture your login credentials
  • Messages can be read by marketplace operators
  • No way to verify if mirror links are authentic
  • Account takeover becomes trivially easy
  • Shipping addresses transmitted in plaintext
  • Vendor impersonation impossible to detect
  • Database breaches expose all user accounts

How DrugHub Uses PGP

DrugHub integrates PGP into every security-critical function of the marketplace:

  • Account Creation: You register on DrugHub by uploading your public key
  • Login Authentication: DrugHub sends you an encrypted challenge that only your private key can decrypt
  • Mirror Verification: Official DrugHub mirrors are signed with the marketplace's PGP key
  • Vendor Communication: All DrugHub messages should be PGP encrypted
  • Address Encryption: Encrypt shipping details so only the DrugHub vendor can read them
  • Dispute Resolution: DrugHub support uses PGP for secure communication

03 Setting Up PGP on Tails for DrugHub

Tails OS comes with GnuPG pre-installed, making it the ideal environment for DrugHub PGP operations. The "Passwords and Keys" application (also called Seahorse) provides a graphical interface for managing your DrugHub keys, while the terminal offers more control for advanced users.

Before setting up PGP for DrugHub, ensure you've configured Tails persistent storage. Your DrugHub PGP keys need to persist between sessions - without persistent storage, you'd need to generate new keys every time you boot Tails, which would lock you out of your DrugHub account.

Important: Enable "GnuPG" in your Tails persistent storage settings. This saves your DrugHub PGP keys to your encrypted persistent volume. Without this, your keys will be lost when you shut down Tails.

Graphical Method (Recommended for DrugHub Beginners)

1. Open Passwords and Keys

In Tails, go to Applications → Utilities → Passwords and Keys. This application manages your DrugHub PGP keys and keyrings.

2. Access GnuPG Keys

In the left sidebar, click "GnuPG keys". This shows all your personal keys and any DrugHub vendor keys you've imported.

Terminal Method (More Control)

For DrugHub users who prefer the command line, GPG offers more options and control. Open a terminal in Tails to access GPG directly:

gpg --full-generate-key

The terminal method is recommended for advanced DrugHub users as it provides more options during key generation and clearer feedback during operations.

04 Generating Your DrugHub PGP Keys

Generating secure PGP keys for DrugHub is straightforward but requires attention to several important settings. The choices you make during generation affect the security of your DrugHub account for years to come. Follow these steps carefully to create keys suitable for DrugHub marketplace usage.

1. Start Key Generation

Open terminal and run:

gpg --full-generate-key

This starts the interactive key generation process for your DrugHub key.

2. Select Key Type

Choose option (1) "RSA and RSA" - this creates both an encryption key and a signing key, which DrugHub requires for full functionality. RSA is widely supported and well-tested for DrugHub usage.

3. Select Key Size

Choose 4096 bits for maximum security on DrugHub. While 2048 bits is still considered secure today, 4096 bits provides additional protection against future advances in computing power. For DrugHub, always choose the strongest option available.

4. Set Key Expiration

For DrugHub keys, we recommend setting no expiration (option 0) or a long expiration period (2+ years). If your key expires, you'll need to create a new DrugHub account. However, non-expiring keys require careful key management - if compromised, they remain valid forever.

5. Enter Your DrugHub Identity

Critical: Use a pseudonym for your DrugHub key. Never use your real name, real email, or any identifying information. This identity will be visible in your public key. Choose something like "DrugHubUser" or a random string. For email, use a fake address or leave blank if allowed.

Real name: RandomUser847
Email: (leave blank or use fake)
Comment: (leave blank)

6. Set a Strong Passphrase

Choose a strong, unique passphrase to protect your DrugHub private key. This passphrase encrypts your key - even if someone obtains your key file, they cannot use it without the passphrase. Make it long (20+ characters), memorable, and never used elsewhere. This is the only thing protecting your DrugHub identity if your key is stolen.

7. Generate Entropy

GPG needs random data to generate secure keys. Move your mouse, type randomly, or use your computer normally while generation completes. Tails collects entropy automatically, but additional activity helps generate your DrugHub keys faster.

Export Your DrugHub Public Key

After generation, export your public key to share with DrugHub during registration:

gpg --armor --export YourKeyID > drughub_public.asc

The --armor flag outputs ASCII text that you can easily copy and paste into the DrugHub registration form. Replace "YourKeyID" with your key ID or email.

Never share your private key! Your private key (the output of --export-secret-keys) must never be shared with anyone, including DrugHub support. Only share your public key. Anyone with your private key can impersonate you and access your DrugHub account.

Backup Your DrugHub Private Key

Backing up your private key is essential - losing it means losing access to your DrugHub account permanently. Export it securely:

gpg --armor --export-secret-keys YourKeyID > drughub_private.asc

Store this backup on encrypted media in a secure physical location. Never store it on cloud services or unencrypted drives. Consider multiple backups in different secure locations for your DrugHub key.

05 Encrypting & Decrypting on DrugHub

The most common PGP operations on DrugHub are encrypting messages to vendors and decrypting messages sent to you. Mastering these operations is essential for secure DrugHub communication.

Encrypting a Message for a DrugHub Vendor

Before encrypting, you need the vendor's public key. Most DrugHub vendors display their public key on their profile page. Import it first:

gpg --import vendor_key.asc

Then encrypt your message (such as a shipping address):

gpg --encrypt --armor -r VendorKeyID message.txt

This creates message.txt.asc containing the encrypted message. Only the DrugHub vendor can decrypt it with their private key. The --armor flag creates ASCII output you can paste into DrugHub's messaging system.

Or encrypt directly from the command line for quick DrugHub messages:

echo "Your shipping address here" | gpg --encrypt --armor -r VendorKeyID

Decrypting Messages from DrugHub

When DrugHub or a vendor sends you an encrypted message, decrypt it with:

gpg --decrypt message.asc

GPG will prompt for your passphrase, then display the decrypted message. This is how you'll read the login challenges that DrugHub sends during authentication.

Using Kleopatra GUI for DrugHub

If you prefer a graphical interface, Tails includes Kleopatra (via the "Passwords and Keys" app). You can encrypt and decrypt as follows:

  1. Select the text in the DrugHub message
  2. Copy it to clipboard
  3. Use Kleopatra's "Decrypt/Verify Clipboard" option
  4. Enter your passphrase when prompted

06 Verifying DrugHub Signatures

Signature verification is crucial for DrugHub security, particularly for verifying official mirror links. Phishing is the number one threat to DrugHub users, and signature verification is your primary defense. Never access DrugHub through a mirror link you haven't verified with PGP.

Import DrugHub's Official Key

First, import DrugHub's official public key from the mirrors page:

gpg --import drughub_official_key.asc

Verify the Fingerprint

After importing, verify the fingerprint matches the one published on multiple trusted sources (Dark.fail, Dread, etc.):

gpg --fingerprint DrugHub

Verify a Signed Mirror List

DrugHub publishes signed mirror lists. Verify them before using any mirror:

gpg --verify mirrors.txt.sig mirrors.txt

Good signature from "DrugHub" means the mirror list is authentic and hasn't been tampered with. Only use mirrors from verified lists.

BAD signature or "no public key" warnings mean the mirror list may be fake or tampered with. Never use mirrors from unverified sources - they are likely phishing sites designed to steal your DrugHub account.
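
A "Good signature" line only shows that some key in your keyring made the signature, and the name in quotes is free text chosen by whoever created that key. The added example below (not part of the original guide) checks gpg's machine-readable status output against a pinned primary-key fingerprint instead. The fingerprints, key IDs, user ID and status lines are constructed placeholders, and status_ok and verify_pinned are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the original guide. Fingerprints, key IDs and the
# status lines below are constructed placeholders.

# status_ok PINNED_FPR: reads `gpg --status-fd` lines on stdin and succeeds
# only if a VALIDSIG line names the pinned primary-key fingerprint and no
# failure status is present. The user ID on GOODSIG is ignored on purpose:
# it is free text chosen by whoever created the key.
status_ok() {
    want=$(printf '%s' "$1" | tr -d ' ')   # accept the "ABCD 1234 ..." form too
    awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        # The last VALIDSIG field is the primary-key fingerprint, even when
        # a signing subkey produced the signature.
        $2 == "VALIDSIG" { if (toupper($NF) == toupper(want)) ok = 1; else bad = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)$/ { bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_pinned PINNED_FPR SIGFILE DATAFILE: run gpg and apply the check.
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null | status_ok "$1"
}

# Constructed sample: the same user ID on two different signing keys.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_GENUINE="[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer
[GNUPG:] VALIDSIG $PINNED_FPR 2024-01-01 1704067200 0 4 0 1 10 00 $PINNED_FPR"
OTHER_FPR="FFFF0000FFFF0000FFFF0000FFFF0000FFFF0000"
SAMPLE_LOOKALIKE="[GNUPG:] GOODSIG FFFF0000FFFF0000 Example Signer
[GNUPG:] VALIDSIG $OTHER_FPR 2024-01-01 1704067200 0 4 0 1 10 00 $OTHER_FPR"

printf '%s\n' "$SAMPLE_GENUINE"   | status_ok "$PINNED_FPR" && echo "genuine: accepted"
printf '%s\n' "$SAMPLE_LOOKALIKE" | status_ok "$PINNED_FPR" || echo "lookalike: rejected"
```

With real files the call is `verify_pinned "$PINNED_FPR" mirrors.txt.sig mirrors.txt`, where the pinned value is the fingerprint you confirmed through multiple sources in the previous step.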

07 Using PGP on DrugHub

Now that you understand PGP fundamentals, here's how to apply them specifically on the DrugHub marketplace:

DrugHub Account Registration

  1. Generate your PGP key pair as described above
  2. Export your public key in ASCII armor format
  3. Access DrugHub through a verified mirror
  4. Paste your public key in the registration form
  5. DrugHub generates your unique username from your key

DrugHub Login Process

  1. Enter your DrugHub username
  2. DrugHub displays an encrypted challenge message
  3. Copy the encrypted message
  4. Decrypt it using your private key
  5. Enter the decrypted code back into DrugHub
  6. You're now logged in securely

Messaging Vendors on DrugHub

For maximum security on DrugHub, encrypt all messages to vendors, especially those containing sensitive information like shipping addresses:

  1. Copy the vendor's public key from their DrugHub profile
  2. Import it into your keyring
  3. Write your message in a text editor
  4. Encrypt the message with their public key
  5. Paste the encrypted message into DrugHub's messaging system

Verifying DrugHub Mirrors

Before every DrugHub session:

  1. Get the latest signed mirror list from Dread or Dark.fail
  2. Verify the signature with DrugHub's official key
  3. Only access DrugHub through mirrors in the verified list
  4. Check that the .onion address matches exactly

08 DrugHub PGP Best Practices

Following these best practices will help keep your DrugHub PGP keys secure and your identity protected:

Key Security for DrugHub

  • Use 4096-bit RSA keys for maximum DrugHub security
  • Never use your real name or email in your DrugHub key identity
  • Use a unique passphrase for your DrugHub key (20+ characters)
  • Keep your DrugHub private key only in Tails persistent storage
  • Create encrypted backups of your DrugHub private key
  • Never store DrugHub keys on cloud services or clearnet devices
  • Use your DrugHub PGP key only for DrugHub - not other services

Operational Security with PGP on DrugHub

  • Always verify DrugHub mirror signatures before logging in
  • Encrypt all sensitive communications to DrugHub vendors
  • Verify vendor key fingerprints through multiple sources
  • Don't trust unsigned messages claiming to be from DrugHub staff
  • Update your keyring regularly with current DrugHub and vendor keys
  • Use subkeys if you understand advanced PGP (keeps master key offline)

Common DrugHub PGP Mistakes to Avoid

  • Weak passphrases: Don't use short or common passwords for your DrugHub key
  • Real identity: Never put your real name/email in your DrugHub key
  • Key reuse: Don't use your DrugHub key for other darknet services
  • No backups: Losing your key means losing your DrugHub account forever
  • Skipping verification: Always verify DrugHub mirrors with PGP signatures
  • Cleartext addresses: Always encrypt shipping addresses on DrugHub

09 DrugHub PGP Troubleshooting

"No public key" when verifying DrugHub signatures

You need to import DrugHub's official public key before verification:

gpg --import drughub_official_key.asc

"Decryption failed" on DrugHub login challenge

Ensure you're copying the complete encrypted message including the -----BEGIN PGP MESSAGE----- and -----END PGP MESSAGE----- lines. Also verify you're using the correct key for your DrugHub account.

Forgot DrugHub PGP passphrase

Unfortunately, there's no recovery mechanism. Your passphrase protects your private key - without it, the key is unusable. You'll need to create a new DrugHub account with a new key pair. This is why memorizing your passphrase is essential.

Lost DrugHub private key

If you didn't create a backup, your DrugHub account is permanently inaccessible. You'll need to create a new account with a new key pair. Always maintain secure backups of your DrugHub private key.

Key not found in keyring

If using Tails, ensure GnuPG is enabled in persistent storage settings. Keys not in persistent storage are lost when Tails shuts down.
