Basic PGP Guide For Kleopatra in Tails - Updated Version
Basics of PGP Keys - Creating, Backing up, Encrypting, Decrypting, and Verifying
NOTE - This guide is meant for people new to PGP. It does not describe advanced techniques such as expiring keys and command line interface (CLI).
Latest Update - 28 July, 2024
Part 1 - Configure Persistent Storage in Tails for PGP Key Retention
Part 2 - Creating a Basic Key Pair in Kleopatra
Part 3 - Backing Up Your Secret Key
Part 4 - Exporting Your Public Key To A Backup File
Part 5 - Copying Your Public Key in Cleartext to Post on Other Web Sites or Send to a Vendor
Part 6 - Importing a Public Key Into Your Keyring
Part 7 - Decrypting a Message
Part 8 - Verifying a PGP Signed Message
Part 9 - Encrypting a Message (Encrypting Your Address for a Vendor)
Part 10 - PGP Signing a Message (To prove you have control of your secret key)
Part 1 - Configure Persistent Storage in Tails for PGP Key Retention
Step 1 - In Tails, click Applications - Favorites - Persistent Storage
Step 2 - In the Persistent Storage popup window, scroll down to GnuPG and slide the button to the right. The background will turn blue when it is enabled. I also recommend doing this for Dotfiles, which will come in handy in the future for some users.
Step 3 - Fill out a passphrase if you are prompted.
Step 4 - Once completed, click Save and restart Tails.
Step 5 - In the Welcome to Tails window, fill in your Persistent Encrypted Storage passphrase and click Unlock. You should receive a message that the persistent storage is unlocked. If the background turns bright blue, you entered the wrong passphrase. Try again.
Step 6 - Once your persistent storage is unlocked, click Start Tails.
Part 2 - Creating a Basic Key Pair in Kleopatra
Step 1 - Start Kleopatra
Step 2 - Click File - New OpenPGP Key Pair...
Step 3 - In the Create OpenPGP Certificate popup, enter your desired key name on the Name line (should exactly match your username on the site you'll use this key). Leave the EMail address line blank.
Step 4 - Click the checkbox for Protect the generated key with a passphrase.
Step 5 - Click Advanced Settings...
NOTE - You can now create either a standard RSA key, or a newer-technology elliptic-curve key. If you're uncertain which to use, ask about the key types in https://torhoo.cc/go.php?u=TDJRdlQzQlRaV009# on Dread. I prefer the newer elliptic-curve key.
Step 6 - In the Technical Details popup:
For a standard RSA key:
Change RSA from 3072 to 4096. Change +RSA from 3072 to 4096 as well.
For an elliptic-curve key:
Click the dot for ECDSA/EdDSA and leave the default settings - ed25519 for ECDSA/EdDSA, and cv25519 for +ECDH.
Step 7 - Uncheck Valid until:, then click OK.
Step 8 - In the Create OpenPGP Certificate popup, click OK.
Step 9 - In the popup, enter a passphrase in the Passphrase: line, and repeat the passphrase in the Repeat: line, then click OK.
Step 10 - The computer will process for a bit, and then a Success popup should appear, including the Fingerprint for your new private key. Don't be concerned about the fingerprint. Click OK.
Part 3 - Backing Up Your Secret Key
Step 1 - In Kleopatra, scroll through your certificates (aka keys) until you see your secret key (it will be in bold), then right-click on the key.
Step 2 - In the popup, click Backup Secret Keys...
Step 3 - In the Secret Key Backup popup, under Name, click amnesia on the left side, then double-click Persistent in the Name list (right side)
Step 4 - Change the File name: to something you will remember as your backup secret key. I use <keyname>SecretBackup.asc
Step 5 - Click Save
Step 6 - In the popup, enter the passphrase for your secret key, then click OK.
NOTE - Do keep a copy of your passphrase until you memorize it. Forgetting your passphrase will make your key unusable for 2FA and other PGP tasks.
Step 7 - In the Secret Key Backup popup, make sure the backup secret key was created successfully, then click OK.
NOTE - You can copy this saved secret key file to a USB drive to have an offline copy on separate media. You can also use the instructions in Part 4 to get a text copy of your secret key to store in KeePassXC along with your passphrase and other sensitive information.
Part 4 - Exporting Your Public Key To A Backup File
Step 1 - In Kleopatra, find your secret key (it will be in bold text).
Step 2 - Right click on the key, then find and click on Export
NOTE - Do not click Export Secret Keys; that was already done in Part 3.
Step 3 - In the Export OpenPGP Certificates popup, click Amnesia on the left side of the window, then double-click Persistent in the Name list on the right side.
Step 4 - Rename the File name: to something you will remember. I use <keyname>PublicKey.asc (Make it simple so you can easily spot the file).
Step 5 - Click Save.
Part 5 - Copying Your Public Key in Cleartext to Post on Onion Sites or Send to a Vendor
Step 1 - Open Applications - Favorites - Files, then click on Persistent in the list on the left side of the window.
Step 2 - Right click the <keyname>PublicKey.asc file, then click Open With...
Step 3 - In the Select Open File popup, under Related Applications, find and double-click on Text Editor. This opens a new Text Editor window with your keyfile in cleartext.
NOTE - If you have another Text Editor window active, the file will open as a new tab.
Step 4 - In Text Editor, click on the <keyname>PublicKey.asc tab.
NOTE - If you want, delete any Comment: lines at the top of your public key. This will make the key acceptable to some markets that require no comment lines. Do remember to leave a blank line between -----BEGIN PGP PUBLIC KEY BLOCK----- and the first line of random characters in the key.
Step 5 - Click in the cleartext key, then press Ctrl+A to highlight the entire key. Press Ctrl+C to copy the highlighted key.
Step 6 - Go to the site or message you want to copy your key into, then click in the message/PGP Public Key area and press Ctrl+V to paste the copied key.
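NOTE - The Comment: cleanup from Step 4 can also be checked mechanically. The Python below is an added example, not part of the original guide: it removes only Comment: lines, refuses a block whose blank line after the BEGIN line has been deleted, and recomputes the CRC-24 checksum line (the "=XXXX" line) to show that a copy-paste error in the key data is detectable. The function names and the sample block are constructed for illustration.

```python
import base64

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB  # CRC-24 constants from RFC 4880

def crc24(data):
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return (crc & 0xFFFFFF).to_bytes(3, "big")

def armor(data, headers=()):
    """Wrap bytes in public-key armor; used only to build the sample below."""
    b64 = base64.b64encode(data).decode()
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", *headers, "", *body,
                      "=" + base64.b64encode(crc24(data)).decode(),
                      "-----END PGP PUBLIC KEY BLOCK-----"]) + "\n"

def split_armor(block):
    """Return (begin, headers, body, end); fail if the blank separator is gone."""
    lines = [ln.rstrip() for ln in block.strip().splitlines()]
    if len(lines) < 4 or not (lines[0].startswith("-----BEGIN PGP ")
                              and lines[-1].startswith("-----END PGP ")):
        raise ValueError("not an armored block")
    if "" not in lines:
        raise ValueError("no blank line between the BEGIN line and the key data")
    blank = lines.index("")
    return lines[0], lines[1:blank], lines[blank + 1:-1], lines[-1]

def strip_comments(block):
    """Remove Comment: headers only, keeping the blank line and the key data."""
    begin, headers, body, end = split_armor(block)
    kept = [h for h in headers if not h.startswith("Comment:")]
    return "\n".join([begin, *kept, "", *body, end]) + "\n"

def checksum_ok(block):
    """True when the '=XXXX' line matches the CRC-24 of the decoded key data."""
    _, _, body, _ = split_armor(block)
    if len(body) < 2 or not body[-1].startswith("="):
        raise ValueError("no checksum line")
    data = base64.b64decode("".join(body[:-1]), validate=True)
    return base64.b64decode(body[-1][1:]) == crc24(data)

# Constructed sample: armor around dummy bytes, not a real OpenPGP key.
SAMPLE = armor(bytes(range(100)), ["Comment: constructed sample"])
```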
Part 6 - Importing a Public Key Into Your Keyring
Step 1 - Highlight the key from -----BEGIN PGP PUBLIC KEY BLOCK----- to -----END PGP PUBLIC KEY BLOCK-----, then press Ctrl+C to copy the key into the clipboard.
Step 2 - In Kleopatra, click Tools - Clipboard - Certificate Import
Step 3 - In the You have imported a new certificate (public key) popup, you are given the opportunity to mark the certificate as valid. If the certificate is from a trusted source, such as Dread, a vendor on a DNM, etc., click Import. NOTE: You will almost always want to Certify the key you Import.
NOTE - If you receive a Certificate Import Result popup, you already have the certificate in your keyring. You will see Total number processed: 1, Imported 0, and Unchanged 1 in the detailed results. You are done importing the key.
Step 4 - In the Certify Certificate: <keyname> popup, set the Certify with: selection to your secret key name, then press Certify.
Step 5 - Enter your secret key passphrase if you are prompted, in the Passphrase: line, then click OK.
Step 6 - In the Certification Succeeded popup, click OK. You are done importing the key.
Part 7 - Decrypting a Message
Step 1 - Highlight the message starting with -----BEGIN PGP MESSAGE----- and through -----END PGP MESSAGE-----, then press Ctrl+C to copy the message.
Step 2 - In Kleopatra, click Tools - Clipboard - Decrypt/Verify. Enter your secret key passphrase if prompted.
Step 3 - Click Applications - Accessories - Text Editor to open a blank Text Editor window.
Step 4 - Click anywhere in the window, and press Ctrl+V to paste the decrypted message.
Step 5 - Read the message
Part 8 - Verifying a PGP Signed Message
Step 1 - Highlight the PGP signed message, beginning with -----BEGIN PGP SIGNED MESSAGE----- and ending with -----END PGP SIGNATURE-----, then press Ctrl+C to copy the message into the clipboard.
Step 2 - In Kleopatra, click Tools - Clipboard - Decrypt/Verify
Step 3 - In the Decrypt/Verify E-Mail popup, under All operations completed, look for a message with a tinted background. If the background is green go to Step 4. If the background is red go to Step 5. If the background is white go to Step 6.
Step 4 - If the background is green-tinted, look for Valid signature by <name>, then look below that for the message The signature is valid and the certificate's validity is ultimately trusted. Then click Finish. The signed message is verified as good. Any links in the message may be trusted.
Step 5 - If the background is red-tinted, the message will say Invalid signature, and the bottom line will say The signature is invalid: Bad signature. This means the signed message has probably been altered and the signature is bad. Click Finish and do not trust the message or links in the message.
Step 6 - If the background is white, you might not have the key from the signing certificate (aka the vendor's Public Key) in your keyring, or you might not have certified that key. Check your keyring for the certificate name, and if you can't find it go to Part 6 - Importing a Public Key Into Your Keyring. If you do find it but the User-ID is not certified, right-click the certificate Name, click Certify, and perform Steps 4, 5 and 6 in Part 6.
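NOTE - The three outcomes in Steps 4 to 6 can also be read from the machine-readable status lines GnuPG prints when run as gpg --status-fd 1 --verify. The Python below is an added example, not part of the original guide: it classifies those lines for a single signature and goes one step beyond the guide by also comparing the signer's fingerprint with the one you expect, so a valid signature from a different certified key is not accepted. The mapping of status keywords to Kleopatra's colours is an assumption of this example, and all fingerprints, names and status samples are constructed.

```python
PINNED = "A" * 40    # constructed placeholder for the signer's known fingerprint
OTHER = "B" * 40     # constructed placeholder for some other key in the keyring
TRUSTED = {"TRUST_FULLY", "TRUST_ULTIMATE"}

def classify(status_text, expected_fpr):
    """Reduce gpg status lines for one signature to a single verdict."""
    seen, signer = set(), None
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keyword, args = parts[1], parts[2:]
        seen.add(keyword)
        if keyword == "VALIDSIG" and args:
            # Field 10 is the primary key fingerprint; field 1 is the signing (sub)key.
            signer = args[9] if len(args) > 9 else args[0]
    if "BADSIG" in seen:
        return "invalid"        # Step 5: text or signature was altered
    if "GOODSIG" not in seen or signer is None:
        return "unverified"     # Step 6: key missing, expired or revoked
    if not seen & TRUSTED:
        return "unverified"     # Step 6: key present but not certified
    if signer.upper() != expected_fpr.upper():
        return "wrong-signer"   # valid and trusted, but not the key you expected
    return "valid"              # Step 4

def good(fpr, trust):
    """Constructed status output for a good signature made by key `fpr`."""
    return (f"[GNUPG:] NEWSIG\n[GNUPG:] GOODSIG {fpr[-16:]} example-signer\n"
            f"[GNUPG:] VALIDSIG {fpr} 2024-07-28 1722124800 0 4 0 22 10 01 {fpr}\n"
            f"[GNUPG:] {trust} 0 pgp\n")

# Constructed samples, not captured from a real gpg run.
BAD = "[GNUPG:] NEWSIG\n[GNUPG:] BADSIG AAAAAAAAAAAAAAAA example-signer\n"
NO_KEY = ("[GNUPG:] NEWSIG\n[GNUPG:] ERRSIG AAAAAAAAAAAAAAAA 22 10 01 1722124800 9 -\n"
          "[GNUPG:] NO_PUBKEY AAAAAAAAAAAAAAAA\n")
```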
Part 9 - Encrypting a Message (Encrypting Your Address for a Vendor)
NOTE - This Part presumes you have imported the recipient's/vendor's Public Key as described in Part 6 - Importing a Public Key Into Your Keyring. If you haven't imported the message receiver's Public Key, go to Part 6.
Step 1 - Click Applications - Accessories - Text Editor to open a blank Text Editor window.
Step 2 - Write the message you want to send in the Text Editor window, such as your name and address for a vendor when placing an order.
Step 3 - Press Ctrl+A to highlight the completed message, then press Ctrl+X to cut the message from the window and into the clipboard.
Step 4 - In Kleopatra, click Tools - Clipboard - Encrypt
Step 5 - In the Encrypt Mail Message popup, click Add Recipient...
Step 6 - In the Certificate Selection popup, scroll through the list of certificates by name to find the receiver's certificate, click on the certificate name to highlight it, then click OK.
NOTE - You can choose more than one certificate to encrypt for if you want or need to, such as when you're messaging multiple people, or using your own certificate in a dispute.
Step 7 - In the Encrypt Mail Message popup, check the name(s) in the Recipient list, then click Next.
Step 8 - Check the Results popup for Encryption succeeded, then press OK.
Step 9 - Go to the message you're sending, or to the Messages/Notes for an order. Click in the blank area and press Ctrl+V to paste the encrypted message.
NOTE - You can paste the encrypted message in the open Text Editor window if you're not ready to send it yet.
Part 10 - PGP Signing a Message (To prove you have control of your secret key)
Step 1 - Click Applications - Accessories - Text Editor to open a blank Text Editor window.
Step 2 - Write the message in the Text Editor window.
Step 3 - Press Ctrl+A to highlight the completed message, then press Ctrl+X to cut the message from the window into the clipboard.
Step 4 - In Kleopatra, click Tools - Clipboard - OpenPGP Sign
Step 5 - In the Sign Mail Message popup, click Change Signing Certificates...
Step 6 - In the Select Signing Certificates popup, set the OpenPGP Signing Certificate: to your secret key in the drop-down list, then click OK.
NOTE - You might have more than one secret key to select from, so know which key you're using and select the correct key.
Step 7 - Click Next.
Step 8 - Enter your secret key passphrase, then click OK.
Step 9 - You should see a message in blue saying Signing succeeded. Click OK.
Step 10 - Navigate to the place you want to post the PGP signed message, click once in the blank area, then press Ctrl+V to paste the PGP-signed message into the desired spot.