OPSEC BRIEFING

PGP Best Practices for Market Users in 2026

Primary endpoint: http://drugmainabcdefghijklmnopqrstuvwxyz234567abcdefghijklm6yd.onion

Market-side encryption is a trap. If you rely on a server to encrypt your communications, you are waiting to be compromised. This directory outlines the exact cryptographic hygiene required to survive on darknet platforms this year. Zero trust. Local encryption only.

Last verified: · STATUS: ACTIVE

Never trust a cleartext endpoint.

PGP signatures ensure the authenticity of downloaded files. But what if the signature itself is fake? That is why you must verify the signer's PGP key against one or more trusted sources. A forged signature will not check out, and an impostor key will not match the documented sources.

Verify the URL
Published: 2026-06-13 Author: DrugHub Market
Primary Endpoint Access

If you require the verified destination immediately, take this endpoint:

. But do not advance before cross-referencing the mirror's signed message with the known public key.

The Baseline of Cryptographic Trust

Modern darknet infrastructure is a massive target. An ecosystem with over 60k users, more than 1.2k vendors, and 240k entries processed holds a staggering metadata footprint.

PGP-required messaging is a baseline standard on serious platforms. Yet users consistently fail at implementation: they generate keys on compromised operating systems, use web-based encryption tools, and paste private keys into browser extensions. This is unacceptable. The network routes you anonymously, but it does not protect the payload you send (see Tor's onion-address glossary entry). That part is entirely on you.

This is the reason for the drughub drugs verification directory: we list the endpoints and verify the signatures so you don't land on a phishing clone. But after that gate, your survival depends on your local PGP.

Key Generation and Air-Gapping

PGP keys should not be generated in your daily OS. Windows and macOS are both surveillance platforms and thus unsuitable. Key generation should occur on an air-gapped machine; Tails OS booted from a USB stick is ideal. If you know what hypervisor isolation is, you probably want to use Whonix.

Use RSA 4096 or the NIST P-384 elliptic curve. The NIST curves are considered relatively safe and should protect you for the near future. Keep your key on a YubiKey or equivalent hardware token; this makes it impossible to export the private key, so the weak point becomes your PIN. If you're really paranoid, generate the key directly on the YubiKey for maximum protection.

gpg --full-generate-key
# Select RSA and RSA (default)
# Keysize: 4096
# Valid for: 1y

Make a revocation certificate at once. If you lose your private key, or if it is stolen, you must assume the identity has been compromised and revoke it. Without a revocation certificate, a lost or stolen key can never be marked invalid, and whoever holds it can keep signing in your name.

Verifying the Directory and Mirrors

Phishing is the attackers' favorite way to target market customers. They create a copy of the front-end, steal your login details, and replace the deposit addresses. The protection against this is cryptographic verification. You cannot rely on bookmarks, and certainly not on a Hidden Wiki link.

Even if you pull a link from this drughub_api, you still need to verify the server's proof of ownership. The market signs a message containing the current onion address. You must verify that signature locally with the market's known public key.

  • Import the Market Key

    Obtain the market's public key from a trusted, independent source. Import it into your local keychain using gpg --import market.asc.

  • Inspect the Evidence

    Inspect the downloaded signed message for the published fingerprint. Use the same checksum or signature tools as before, but this time verify the local message.txt file.

  • Verify Locally

    Run gpg --verify message.txt and look for the "Good signature" output. Ensure the primary key fingerprint matches exactly: "Good signature" on its own only proves that some key in your keyring signed the file. If it says "Bad signature", burn the OS instance and start over. You are on a phishing site.
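The fingerprint check above, as an added example that is not part of the original page: it reads GnuPG's machine-readable status lines (--status-fd) instead of grepping the localized "Good signature" text, and accepts only a VALIDSIG whose primary fingerprint equals a pinned value. PINNED_FPR and the sample status output are constructed placeholders.

```python
import subprocess
from typing import Optional

# Constructed placeholder; replace with the fingerprint obtained out of band.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"

# Status codes that mean the signature must be rejected even if VALIDSIG appears.
REJECT = {"BADSIG", "ERRSIG", "NO_PUBKEY", "REVKEYSIG", "EXPKEYSIG", "EXPSIG"}

def primary_fingerprint(status_text: str) -> Optional[str]:
    """Extract the primary-key fingerprint from GnuPG --status-fd output.

    A VALIDSIG line carries the signing (sub)key fingerprint in field 2 and
    the primary key fingerprint in field 11; the latter is what we pin.
    Returns None if no VALIDSIG line is present or any reject code appears.
    """
    fpr = None
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        if fields[1] in REJECT:
            return None
        if fields[1] == "VALIDSIG" and len(fields) >= 12:
            fpr = fields[11].upper()
    return fpr

def signature_is_pinned(status_text: str, pinned: str = PINNED_FPR) -> bool:
    """True only when VALIDSIG names the pinned primary fingerprint."""
    return primary_fingerprint(status_text) == pinned.upper()

def verify_file(path: str, pinned: str = PINNED_FPR) -> bool:
    """Run gpg on a clear-signed file; status lines go to stdout via fd 1."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", path],
        capture_output=True, text=True,
    )
    return signature_is_pinned(proc.stdout, pinned)

# Constructed status output, shaped like real gpg output, for offline testing.
GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example <key@example.invalid>\n"
    "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2026-06-13 "
    "1781308800 0 4 0 1 10 01 0123456789ABCDEF0123456789ABCDEF01234567\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
IMPOSTOR_STATUS = GOOD_STATUS.replace(
    "0123456789ABCDEF0123456789ABCDEF01234567",
    "1111111111111111111111111111111111111111")
BAD_STATUS = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG 89ABCDEF01234567 Example\n"
```

In practice call verify_file("message.txt") after importing the publisher's key; a valid signature from any other key in the keyring is rejected, which is exactly the impostor case the text warns about.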

Encrypting Communications

Never send plaintext. Not ever. We don't care if there's a "PGP encrypt for me" checkbox on the market. If you check that box, you're trusting the server to encrypt your address. If law enforcement seizes the server and runs it as a honeypot, they log the cleartext before it's encrypted.

All this may seem complicated, but it is quite simple: encrypt the text locally with the vendor's public key, which yields an ASCII-armored block, then paste that block into the marketplace. Only two manual actions are needed.

Metadata leaks may seem like a minor issue, but the subject line of a message can often be read unencrypted. Entry numbers, tracking requests, or substance names in the subject line can be dangerous (see Riseup.net). Counterintuitively, the more boring and nondescript the subject line, the better. Stick with innocuous pleasantries and buzzwords such as "Latest financials", "Conference invite", or "Deadline reminder". The payload is what matters.

Escrow and Multisig Signatures

Standard escrow is when the market holds the funds until you finalize the entry. That is better than direct release, but you still have to trust the market not to exit scam. Multisig escrow removes this trust requirement.

A 2-of-3 multisig generates a cryptocurrency address that requires two of the three parties (user, vendor, market) to sign before funds can move. This is the most secure multisig arrangement possible without adding complexity. The only reason a trusted vendor would need multisig is if they are trading outside their Monero-preferred wheelhouse and need extra protection. Monero-preferred multisig is highly unlikely: despite Monero being the superior privacy coin, multisig is sometimes used on Bitcoin because the Monero protocol does not support it. This is not recommended, because using Bitcoin forfeits the privacy Monero provides. If you do choose to use multisig, you must understand how to sign a partially signed Bitcoin transaction (PSBT) with your local wallet.

The second signature required to release the funds to the seller guarantees a balanced outcome in disputes. If a dispute arises, the market acts as arbitrator, providing the second signature to either refund the user or pay the vendor. If the market disappears, the user and vendor can still communicate, agree on a resolution, and sign the transaction together, bypassing the missing market entirely.

Verifying the Directory

Even when relying on a verification directory like drughub drugs, your operational security is your own responsibility. We index the mirrors, check the uptime, and verify the signatures so you don't have to guess, but you still need to verify the final endpoint yourself. We provide the data; you provide the execution. Review our URL Verification guide for the exact commands to cross-reference our indexed addresses against the signed releases.

If your local environment isn't hardened, your encryption is useless. Don't rely on web-based PGP tools: they expose your keys to the browser state. Keep decryption local and air-gapped from your Tor session. If you need a refresher on the underlying protocols, read the documentation (see GnuPG) and review basic anonymity practices (see Privacy Guides).

Skip the noise. Get the verified endpoints.

DrugHub Marketplace signatures are checked by our automated monitors every hour.


PGP Operational FAQ

Why is PGP mandatory for messages?

It means the market's infrastructure cannot be used to compromise users. If the database is hacked, your fulfilment addresses and dispute information are still safe because they are encrypted. The server never sees anything but ciphertext.

Can I use a browser extension for PGP?

Never expose your private keys to a browser environment. Generate, store, and use your keys locally with a dedicated keychain application.

What happens if I lose my private key?

You may lose your digital wallet and/or account through failing storage media, an erroneous `rm -rf` in the wrong terminal, a lost Trezor, or any number of minor disasters. Backups require complete, regular downloads of the blockchain and a test decryption of your keys to ensure they still work. If you lose the USB drive holding your cold storage, or drop the hard drive that happens to contain a wallet file, how easy is it to recover your data?
