Torzon PGP workflow

Generate your keypair → Import Torzon master key → Verify mirrors.txt signature → Encrypt vendor messages.

Your role: Verify + encrypt
Torzon role: Sign + decrypt

1. Generate your PGP key

Desktop: Gpg4win/Kleopatra → New keypair → RSA 4096 → Real name + fake email.

gpg --full-generate-key

2. Import Torzon master FP

Every legitimate Torzon onion publishes its PGP public key at /pgp.txt. Copy the fingerprint (the first 8 and last 8 characters are critical).

ABCD 1234 EF56 7890 ABCD 1234 EF56 7890 ABCD 1234 EF56

3. Verify mirrors.txt

Download mirrors.txt + mirrors.txt.asc from a Torzon onion → Kleopatra "Verify" → Must show "Good signature".

gpg --verify mirrors.txt.asc mirrors.txt
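
Added example (not part of the original page): "Good signature" only says that some key in your keyring signed the file, so this sketch reads gpg's machine-readable status output and accepts the result only when the signer's full 40-character fingerprint equals a pinned value. PINNED_FPR, both status samples and the function names are constructed placeholders, not real keys or gpg output from a real file.

```shell
#!/bin/sh
# Added example: pin the signer's full fingerprint instead of trusting "Good signature".
# PINNED_FPR and both samples are constructed placeholders, not real keys.
PINNED_FPR="0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"

# Constructed gpg --status-fd output: a good signature made by the pinned key.
SAMPLE_PINNED='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-01 1704067200 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'

# Constructed: also a "good" signature, but by another key in the keyring whose
# fingerprint shares only the first and last 8 characters with the pinned one.
SAMPLE_OTHER='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG AAAAAAAA01234567 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 01234567AAAAAAAAAAAAAAAAAAAAAAAA01234567 2024-01-01 1704067200 0 4 0 1 10 00 01234567AAAAAAAAAAAAAAAAAAAAAAAA01234567'

normalize_fpr() {            # drop whitespace, uppercase the hex digits
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# check_status PINNED  (gpg status lines on stdin)
# 0 = valid signature by PINNED only; 1 = anything else; 2 = PINNED is not 40 hex chars.
check_status() {
    cs_want=$(normalize_fpr "$1")
    case "$cs_want" in *[!0-9A-F]*) return 2 ;; esac
    [ "${#cs_want}" -eq 40 ] || return 2      # refuse short or partial fingerprints
    awk -v want="$cs_want" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" {
            fpr = (NF >= 12) ? $12 : $3      # field 12 = primary key fingerprint
            if (toupper(fpr) == want) ok = 1; else bad = 1
        }
        END { if (ok && !bad) exit 0; exit 1 }'
}

# verify_pinned SIGFILE DATAFILE: run gpg and apply the check to its status output.
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_status "$PINNED_FPR"
}
```

Usage: verify_pinned mirrors.txt.asc mirrors.txt && echo "signed by pinned key"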

4. Vendor PGP encrypt

Copy vendor public key → Import → Encrypt message (address/stealth instructions) → Send armored block.

PGP mistakes

  • Trusting screenshots (anyone can fake)
  • Wrong fingerprint (check 1st+last 8 chars)
  • Reusing keys across markets
  • Unsigned mirror announcements

Quick commands

gpg --list-secret-keys
gpg --armor --export youremail
gpg --armor --encrypt --recipient VENDOR message.txt