PGP Best Practices for Market Users in 2026
http://drugmainabcdefghijklmnopqrstuvwxyz234567abcdefghijklm6yd.onion
Let's talk encryption. If you're looking for verified access points or just browsing Drughub Drugs for intel, PGP isn't optional. It's the only line of defense between your physical shipping address and a seized server database. Here is how to actually use it without leaking your life.
The Reality of Cleartext
DrugHub Market enforces PGP-required messaging. The market itself rejects cleartext communications for orders and sensitive disputes. With over 1.2k vendors operating on the board, the attack surface is massive. You cannot trust that every vendor has perfect OPSEC. You cannot trust the market database. You can only trust the math behind asymmetric encryption (see GnuPG).
The main routing node for Trade Route was taken down by its developers, and law enforcement then seized most of the mirrors. They never gained control of the authorities' mirror, so the home server cannot release an update in order to appoint a new main routing node. If you came here just looking for the main routing node, the current verified primary onion is . Do not blindly click it. Always verify the signature block against the known market public key before you authenticate.
DrugHub Market offers multisig escrow, so more than one private key is needed to move funds. Your shipping details, however, are entirely your own responsibility: unless you encrypt them with the vendor's PGP key, you may as well be inviting the wolves to dinner.
Generating a Clean Keypair
Get the basics out of the way. Never use a web-based PGP generator, even one that claims to run entirely in your browser via JavaScript: you cannot check what the server ships you on each page load, and any private key created on an internet-connected machine should be considered compromised.
Your keypair must be generated on an air-gapped machine, or at the very least on an ephemeral live OS like Tails. The private key never leaves that machine. You export only the public key, and that public key is what goes on your market profile. Anyone who wants to talk to you encrypts their message with that public key; only your private key, sitting safely offline, can decrypt it.
When you create a profile on DrugHub Market, you are prompted to paste your public key. There are no exceptions or excuses here; do it straight away. This market has processed over 240k orders, and the users who survive that volume without incident are the ones who enforce strict encryption habits from day one.
Losing your private key means losing your account; no other recovery mechanism exists. If a vendor disputes your order and you can't decrypt the message from the market moderator, you'll lose the dispute.
Verifying the Market Itself
Phishing remains the primary way credentials are stolen. An attacker masquerades as a trustworthy entity and lures the victim into visiting a site, opening a message, or accepting a request that installs malware, all to harvest passwords and other sensitive data. For a market user that means a cloned mirror that looks exactly like the real login page and simply records what you type.
This is why directories like Drughub Drugs exist. We maintain a verified list of active mirrors. But you shouldn't even trust us blindly. I wouldn't. Every legitimate market, including DrugHub Market, publishes a canonical PGP key. You must verify that key.
- Locate the market's public key. Find the documented public key from a trusted historical source and save it locally. Compare the full fingerprint, not a short key ID: short IDs are cheap to collide and prove nothing.
- Import the key into your local keyring. Use your local client to import the key block; command-line operators know this procedure well. Keep the keyring on your encrypted volume, far away from any cloud synchronization service (see GnuPG for documentation on key management).
- Verify the signed text. Retrieve the signed message from the endpoint and verify it against the market's public key. If the signature is bad, the endpoint is hostile. Phishing clones cannot pass this check: they can copy the page, but they cannot forge a signature without the market's private key.
2FA: The Non-Negotiable Baseline
With 2FA enabled, logging in requires decrypting a unique challenge string with your private key: the market encrypts the challenge to your public key, you decrypt it locally and paste the plaintext back. If your password is stolen, the attacker still cannot get into your account without your private key and its passphrase. DrugHub mandates PGP for a good reason. Those operating without 2FA might as well be inviting theft. The marketplace depends on users securing their own authentication.
Before making your first deposit, set up 2FA. No exceptions. It takes five minutes and protects your funds. If the market behaves strangely after you log in, immediately check the Market Uptime page to make sure you haven't been routed to an unstable or compromised mirror (see Riseup for general secure communication principles).
Encrypting Communications
Never use the market's built-in "PGP Encrypt" button. It looks convenient, but the rule is strict: never send your plaintext shipping address over the Tor network at all, no matter what the market tells you about server-side encryption. The server could be compromised, the feature could be silently broken so that your cleartext is transmitted anyway, or the site could be a honeypot forwarding addresses to law enforcement. The only acceptable way to hand over an address on an order is to encrypt it locally first and send the ciphertext.
You must encrypt all sensitive communications locally on your own machine before pasting the ciphertext into the browser. Obtain the vendor's public key from their profile, encrypt the address or sensitive message with that key, and send only the resulting ASCII-armored block (see the Privacy Guides Tor primer for more on local OPSEC). Then, even if the database is seized, your address is ciphertext that only the vendor's private key can open.
If a vendor requests plaintext communication, find another vendor immediately. There are over 1.2k vendors on the platform; there is no reason to trade your security for convenience, and reliable vendors understand the need for strict encryption. If you encounter a vendor demanding plaintext, report them and review the platform's Terms.
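The procedure described in the sections above (generate the keypair offline, export only the public half, import and check a published key, verify a signed notice, and encrypt locally before anything touches the browser), together with the decrypt-a-challenge round trip the 2FA section relies on, as one added GnuPG walk-through. This is example code written for this page, not tooling from DrugHub or any market. It assumes gpg 2.1 or later on PATH, uses two temporary keyrings to stand in for the offline and online machines, and every name, address, fingerprint and message in it is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the page or from any market: runs the GnuPG
# procedure end to end in two throwaway keyrings. Assumes gpg 2.1+ on PATH.
# Every name, address, fingerprint and message below is constructed.
set -eu

WORK=$(mktemp -d)
OFFLINE="$WORK/offline"   # stands in for the air-gapped box that holds the secret key
ONLINE="$WORK/online"     # stands in for the browsing box: public keys only
mkdir -m 700 "$OFFLINE" "$ONLINE"

# Demo keys carry no passphrase so this runs unattended; a real key gets a strong one.
goff() { gpg --homedir "$OFFLINE" --batch --quiet --no-tty --pinentry-mode loopback --passphrase '' "$@"; }
gon()  { gpg --homedir "$ONLINE"  --batch --quiet --no-tty "$@"; }

# Step 1 (offline): Ed25519 signing key plus a Curve25519 encryption subkey.
# Prints the primary key fingerprint.
gen_key() {   # $1 = name, $2 = email
  goff --gen-key <<EOF
%no-protection
Key-Type: EDDSA
Key-Curve: ed25519
Key-Usage: sign
Subkey-Type: ECDH
Subkey-Curve: cv25519
Subkey-Usage: encrypt
Name-Real: $1
Name-Email: $2
Expire-Date: 0
%commit
EOF
  goff --list-keys --with-colons "$2" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Step 2 (offline): export the public key only. This armored block is the
# only thing that ever goes onto a profile.
export_pub() { goff --armor --export "$1"; }   # $1 = fingerprint

# Step 3 (online): import someone else's public key, then confirm the full
# fingerprint matches the one obtained out of band. Prints MATCH or MISMATCH.
import_and_check() {   # $1 = armored key file, $2 = expected fingerprint
  gon --import "$1" 2>/dev/null
  if gon --list-keys --with-colons | awk -F: '$1 == "fpr" { print $10 }' | grep -qx "$2"; then
    echo MATCH
  else
    echo MISMATCH
  fi
}

# Step 4: the key owner clearsigns a notice offline (stdin -> stdout) ...
clearsign() { goff --clearsign --local-user "$1"; }   # $1 = fingerprint

# ... and anyone holding the public key verifies it. gpg exits 0 only for a
# good signature by a key in the keyring, so an edited copy fails even though
# the original signature block is still attached. Prints GOOD or BAD.
verify() {   # $1 = clearsigned file
  if gon --verify "$1" 2>/dev/null; then echo GOOD; else echo BAD; fi
}

# Step 5: encrypt locally to the recipient's public key (stdin -> armored stdout);
# only the ciphertext is pasted into a browser. Decryption happens where the
# secret key lives. A PGP challenge login is this same round trip.
encrypt_to() { gon --armor --trust-model always --encrypt --recipient "$1"; }   # $1 = fingerprint
decrypt()    { goff --decrypt; }

# Demo run on constructed data.
FPR=$(gen_key "Demo Vendor" "vendor@example.invalid")
export_pub "$FPR" > "$WORK/vendor.asc"
IMPORT_RESULT=$(import_and_check "$WORK/vendor.asc" "$FPR")

printf 'Mirror list 2026-01-01:\nmirror-one.onion\n' | clearsign "$FPR" > "$WORK/notice.asc"
GENUINE=$(verify "$WORK/notice.asc")
sed 's/mirror-one/evil-mirror/' "$WORK/notice.asc" > "$WORK/tampered.asc"   # a clone edits the text
TAMPERED=$(verify "$WORK/tampered.asc")

printf 'constructed secret line\n' | encrypt_to "$FPR" > "$WORK/msg.asc"
ROUNDTRIP=$(decrypt < "$WORK/msg.asc")

printf 'import=%s genuine=%s tampered=%s roundtrip=%s\n' \
  "$IMPORT_RESULT" "$GENUINE" "$TAMPERED" "$ROUNDTRIP"
gpgconf --homedir "$OFFLINE" --kill gpg-agent 2>/dev/null || true
```

Run it as a script; it prints `import=MATCH genuine=GOOD tampered=BAD roundtrip=constructed secret line`. The demo key is created with `%no-protection` purely so the script runs unattended; a real key gets a strong passphrase. Note that the tampered notice still carries a syntactically valid signature block, which is exactly why you must run the verification instead of eyeballing the page, and that the import check compares the full 40-character fingerprint rather than a short key ID.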
Multisig Escrow and Key Management
Multisignature (multisig) escrow is there for high-value trades where you need assurance that both the buyer's and the vendor's coins are locked in escrow. It works by requiring multiple parties (typically the buyer, the vendor and the market) to sign a transaction before the funds are released. That fucks over exit scammers as well as unauthorized fund transfers, for the simple reason that the market operators alone cannot run away with the escrow pool.
Participating in multisig requires generating and managing specific cryptocurrency keys, often tied to your PGP identity. Ensure you completely understand the mechanics of the market's specific multisig implementation before using it. Keep your private keys secure and backed up offline. If you're using Monero, which is the preferred payment method due to its privacy features, review the Supported Coins documentation to ensure you are routing funds correctly.
Proper key management means storing your private keys on an encrypted volume, never with a cloud storage provider. Use strong, unique passphrases for your keys. Rotate them periodically, and sign the new public key with the old one, announcing the change in a message signed by the old key, so that your contacts can follow the transition and nobody can slip in a replacement key unnoticed (see MAPS for unrelated harm reduction context).
Frequently Asked Questions
Why does the market strictly require PGP?
Because with PGP the message is encrypted on your own machine to the recipient's public key, and only the matching private key can open it. The market server, its operators and anyone who later seizes its database see nothing but ciphertext.
Can I just use an online PGP generator?
No way. Your private keys and plaintext messages are exposed to the server when you use web-based PGP software. Always use a local, open-source application. In this context, cloud-based encryption is an oxymoron that will only compromise your OPSEC.
What happens if I lose my private key?
Losing your private key or passphrase means losing access to any account secured with 2FA using that key. Also, the ability to decrypt any messages sent to you will be lost. No recovery mechanism exists. So, back up your keys offline.
How do I know a vendor's key is legitimate?
Trust no one. Impostors can register look-alike aliases and clone onion addresses, and a stolen private key signs just as convincingly as the real one; what an attacker cannot do is forge a signature without the key. So check a vendor's key fingerprint out of band: compare the key on their profile against the copies listed at our other independent annoncube and at the sites officially linked from our GitHub Onion Links page, and treat any key that changes without a transition message signed by the old key as a red flag.