Basic guide to PGP on Tails

Part 0 – Introduction

Experienced readers already know that PGP is just as essential to survive in the DNM scene as a secure Operating System (OS) setup. However it is not enough to have them, you also need to know how to use them properly.

While there are already guides for using PGP on Windows, OS X and Linux, this guide is specifically for Tails. The main difference between the existing Linux guide and this one is that this guide uses the built-in PGP tool of Tails, so you do not have to install additional software. Any software you install on Tails would get removed any way, since Tails resets all data outside of the persistence directory with every reboot. Furthermore this guide uses the latest version of Tails (v 3.2) to ensure that is as compatible as possible. If you have a newer Tails version you can still follow this guide as there should not be major changes regarding using PGP on Tails. If you are not using the latest version of Tails, please follow the upgrade process before reading further.

Part 1 – Information about PGP and preparing Tails

Pretty Good Privacy (PGP) is an encryption program that provides cryptographic privacy and authentication for data communication. PGP is often used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of email communications. In this guide we will focus on encrypting, decrypting, signing and verifying text.

To get a general understanding of it’s design please take a few minutes to read this.

Wondering what the difference between PGP and GPG is? It is explained here.

Tip: When chatting with a vendor on a DNM, you only need to encrypt messages containing sensitive information such as addresses or tracking numbers. Saying “Thanks!” for example doesn’t need encryption and would only cost the vendor valuable time.

In order to use PGP properly and without loosing any data like your private key, you need to have the persistence volume setup. Here is how to set up the persistence volume; just follow the instructions there and make sure that you select at least the following points when you get asked what data you want to store:

– Personal Data

– GnuPG

For more convenience you can also select Network Connections (if you use WiFi), Browser bookmarks and Bitcoin Client though they are not required for using PGP properly.

Before using the PGP key you create while following this guide in practice, you should reboot Tails to make sure the persistence volume is actually working (i.e. check if you still have your PGP key after the reboot, how you do that will be explained later). Otherwise you may set your new PGP key for a DNM account and enabled 2 Factor Authentication, only to later realize that you do not have your created PGP key any more.

Do NOT forget or lose your persistence password. If you lose it, you also lose access to your whole Tails installation which includes at least your PGP keys.

Part 2 – Generating your key pair

When you create a PGP key, it gives you two unique keys. A public key, and a private key. NEVER ever give anyone your private key. That is for your eyes only. Your public key, however, is able to be given out so others can encrypt messages with your public key, send them to you, and then only YOU can decrypt them with your private key.

This works exactly opposite when buying from vendors. You use their public key to encrypt all your shipping information, etc., then you send the encrypted message. Only the vendor is able to see it as only they possess the private key to decrypt, and read, your message.

Now on to creating your key pair:

1. Click on the clipboard icon on taskbar at the top of your screen and select the option “Manage Keys”.

2. On the new window that appeared, click on “File” at the top and select the “New…” option.

3. Then a list of items shows up that you can create, choose “PGP Key” and click “Continue”.

4. Then you can enter your “Full Name”. Obviously do not use your real one because everybody that has your public key later can see that name. It is best to choose the same username that you already have on a market because it will make it easier for your vendor.

The name has to be at least 5 characters long, if your name is shorter just add some padding with characters like “-“.

After that you can enter your email address. It is not necessary and if you do not have one or do not want to associate it with your PGP key, you can leave it blank. If you decide to enter your email address though, make sure you are still in control over it.

5. Now click on “Advanced key options” and set the “Key strength (bits)” to 4096 and the “Expiration Date” to one or two years in the future.

Note: After a key pair expires it cannot be used to send you encrypted messages any more (i.e. your public key cannot be used) and you cannot decrypt messages any more (i.e. your private key cannot be used). It is a really useful feature because once the key expires, nobody can read the messages any more, which means there will be no usable evidence against you. It is easy to set (just check the option during the creation of the key) and barely adds any extra work (i.e. creating a new PGP key once every year is not much work compared to the enormous OpSec boost you get).

However it is still technically possible to use your private key even after it expires, although not all tools let you do that. So in order to get that OpSec boost, you need to delete your old, expired PGP key after you created your new one and update your DNM account settings with the new key.

6. Confirm the data by clicking on “Create”. You now get asked to set a password which is, in combination with your private key, necessary to decrypt messages that were encrypted with your public key. Make sure to choose a strong password but do not forget or lose it either.

After you clicked on “OK” you will have to wait a bit (usually no larger than a few minutes) and you will see your key in the list of GnuPG keys (click on “GnuPG keys” on the left sidebar).

Congratulations, you now created your own PGP key pair!

Part 3 – Obtaining your public key

If you want to actually use your new PGP key pair, you need to get your public key. Just select your key in the “GnuPG keys” list and press CTRL + C. Now you have your public key copied and can paste it anywhere.

Your public key should look like this when you paste it with CTRL + V in a text editor for example:

The gibberish part in the middle will look different and is probably a bit longer though.

#Part 4 – Importing a public key

To be able to send someone an encrypted message (e.g. your address to a vendor), you need their public key. In order to get a vendor’s public key you have to visit his profile and look out for a link that is named “PGP key” or “Vendor public key”. Sometimes it is also featured directly on the vendor’s profile page. Here is an example:

Now copy that public key and go to your “GnuPG keys” list. Then press CTRL + V, click on the “Import button” on the popped up window and you should see your vendor’s public key in that list.

If you get a pop up with the following error: “Could not display ‘Clipboard text’ Reason: Unrecognized or unsupported data,” then there was a formatting problem with the key you copied into the clipboard. Make sure that you are copying all of the key including the five dashes at the beginning and end of the key and the BEGIN and END statements. PGP is very picky about formatting errors.

Part 5 – Encrypting a message

Note: You first need to import the public key of the user (e.g. a vendor) that you want to message, so you can encrypt messages that you want to send to him.

To encrypt messages with PGP you first have to type that message in a text editor (e.g. gedit). Then press CTRL + A and CTRL + C to copy it.

After that click on the clipboard icon and select “Sign/Encrypt Clipboard with Public Keys”.

On the new window select the public key of the user you want to encrypt the message for (e.g. your vendor) by checking the checkbox in front of the list entry. You can also encrypt one message for several users. It will still give you one single encrypted message later, but all the users who you selected in the list will be able to decrypt it. Then select your key on the drop down list on the right of “Sign message as:” and make sure that the “Hide recipients” option is unchecked.

When that is done, click on “OK” and you normally get asked if you trust these keys. Click on “Yes” and enter your password for your private key. Then the windows should close automatically and the encrypted message is stored in your clipboard. To confirm that it encrypted your message properly go back to your text editor and press CTRL + V. You should see something that looks like this:

Note: after you encrypted your message you will NOT be able to decrypt it any more. Only the person with the corresponding private key and the password will be able to do it (in this case the vendor). If you need to backup the message content, store the plain text somewhere in a file before encrypting the message. However as long as you still have your own private key and remember your password you set for it, you can always decrypt the messages that you got in the past (i.e. that were encrypted with your public key). This is assuming that your key has also not expired yet.

Now all you have to do is go to the market or email website, paste the clipboard content into the relevant text field and send the message or email.

After you did this please close the text editor and if it asks you if the changes should be saved, select “Close without saving”.

Part 6 – Decrypting a message

Almost done! Now when you get a PGP encrypted response, you probably want to read it. To do that, select the encrypted text that you want to decrypt. Include the lines “—–BEGIN PGP MESSAGE—–“ and “—–END PGP MESSAGE—–”. Then copy it to your clipboard with CTRL + C. The clipboard icon should now show a padlock, meaning that the clipboard contains encrypted text. Click on it and select Decrypt/Verify Clipboard from the menu.

Now one of two cases should happen:

– If the password for the corresponding private key is not already cached in memory, a dialog box appears with the following message: You need a passphrase to unlock the secret key for user. Enter the passphrase for this secret key and click OK.

– If no secret key for which the text is encrypted is available in your keyring, an error message appears that mentions decryption failed: secret key not available. In this case you should message the one who sent you the encrypted message and ask him to please send his message again but to make sure he encrypts it with your public key. You can also include your public key again in case he may have lost it. Tip: encrypt that message too.

If the password typed in is incorrect, an error message appears that mentions decryption failed: bad key. If the typed-in password is correct, the decrypted text appears in a new window:

Congratulations, you can now use PGP properly to send and receive encrypted messages!