PGP Key Management for Operational Security
PGP encryption remains the standard for secure communication in high-risk environments, but key management is where most people screw up. It’s not enough to generate a keypair and start using it. Poor key hygiene has led to more operational security failures than actual cryptographic breaks.
The Identity Problem
Your PGP key is your identity in anonymous contexts. If you’re a vendor on a dark web market, your key proves you’re the real vendor and not a scammer impersonating you. If you’re a journalist communicating with sources, your key proves you’re who you claim to be. Lose control of your private key, and you lose control of your identity.
This means key generation needs to happen in a clean environment, preferably on an air-gapped machine that’s never connected to a network. Generating keys on a potentially compromised computer means they might be compromised from the start. Yes, this is paranoid. That’s the point.
Use a strong passphrase, not just a password. Passphrases are longer, more random, and harder to brute-force if someone gets a copy of your encrypted private key. Diceware is a good method for generating truly random passphrases that are still memorable. Five to seven words from the Diceware word list provide excellent security.
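The Diceware method described above, as an added Python example that is not part of the original article. The function names are illustrative, and the word list is a constructed stand-in so the code runs offline; real use would load a published 7776-entry Diceware list.

```python
import itertools
import math
import secrets

def load_wordlist(text):
    """Parse Diceware-format lines: five dice digits, whitespace, one word."""
    words = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == 5 and set(parts[0]) <= set("123456"):
            words[parts[0]] = parts[1]
    if len(words) != 6 ** 5:  # a short or truncated list silently lowers entropy
        raise ValueError(f"expected 7776 entries, got {len(words)}")
    return words

def passphrase(words, count=6):
    """Pick `count` words using simulated dice rolls from the OS CSPRNG."""
    if count < 5:
        raise ValueError("use at least five words")
    picked = []
    for _ in range(count):
        roll = "".join(str(secrets.randbelow(6) + 1) for _ in range(5))
        picked.append(words[roll])
    return " ".join(picked)

def entropy_bits(count, list_size=6 ** 5):
    """Entropy of `count` independent, uniform picks from the list."""
    return count * math.log2(list_size)

# Constructed stand-in list (placeholder words) so the example runs offline.
STAND_IN = "\n".join(
    "".join(d) + "\tword" + "".join(d) for d in itertools.product("123456", repeat=5)
)

if __name__ == "__main__":
    wordlist = load_wordlist(STAND_IN)
    print(passphrase(wordlist, 6))
    for n in (5, 6, 7):
        print(n, "words:", round(entropy_bits(n), 1), "bits")
```

The entropy figure only holds when every word comes from a uniform random roll; swapping out words you dislike or reordering them for readability lowers it.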
Subkeys Are Your Friend
Most people don’t understand PGP’s subkey architecture, which is unfortunate because it’s one of the best security features. Your master key should be used only for signing other keys and creating/revoking subkeys. Actual encryption and signing of messages should use subkeys.
Why? Because you can revoke and replace subkeys without invalidating your master key identity. If a subkey gets compromised, you revoke it and issue a new one. Your contacts don’t need to re-verify your identity because the master key remains unchanged. But if your master key gets compromised, your entire identity is burned.
Store your master key offline on encrypted storage that lives in a safe place. Daily operations use only subkeys, which you can keep on your working machine. Some people go further and use smart cards or hardware security modules for subkey storage, preventing the private key from ever touching general-purpose computing environments.
Expiration Dates Matter
Set expiration dates on your keys. This seems counterintuitive when you’re trying to maintain a long-term identity, but it’s actually a safety mechanism. If you disappear or lose access to your keys, expired keys will eventually stop being used by your contacts.
You can always extend the expiration date before it arrives. The act of extending proves you still control the private key. If you’re a vendor who suddenly goes silent and your key expires, buyers know something’s wrong. Either you’re compromised, arrested, or exit scamming.
A reasonable expiration period is one or two years. Short enough that abandonment becomes obvious, long enough that you’re not constantly re-extending. When extending, push the new expiration date to keyservers so contacts automatically get the update.
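The subkey and expiration rules from the last two sections can be checked mechanically against a working machine's keyring. This is an added Python example, not code from the original article: it reads the machine-readable output of `gpg --list-secret-keys --with-colons`, with field positions taken from GnuPG's colon-listing format. The sample input, the `audit` name and the two-year threshold are assumptions made for illustration.

```python
YEAR = 365 * 24 * 3600

# Constructed sample of `gpg --list-secret-keys --with-colons` output,
# trimmed to the first 15 fields. Key IDs and timestamps are made up.
SAMPLE = """\
sec:u:255:22:1111111111111111:1700000000:::u:::scESC:::+:
ssb:u:255:18:2222222222222222:1700000000:1731536000:::::e:::+:
sec:u:255:22:3333333333333333:1700000000:1763072000::u:::cSC:::#:
ssb:u:255:22:4444444444444444:1700000000:1763072000:::::s:::+:
ssb:u:255:18:5555555555555555:1700000000:1763072000:::::e:::+:
"""

def audit(colons, now):
    """Return findings for keys that break the hygiene rules above."""
    findings = []
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb") or len(f) < 15:
            continue
        keyid, expires, caps, token = f[4], f[6], f[11], f[14]
        if f[0] == "sec":
            # Lowercase letters are the primary key's own capabilities;
            # uppercase ones summarise the whole key including subkeys.
            if {c for c in caps if c.islower()} != {"c"}:
                findings.append(f"{keyid}: master key can do more than certify ({caps})")
            # '+' = secret material in the local keyring, '#' = stub only.
            if token == "+":
                findings.append(f"{keyid}: master secret key is on this machine")
        if not expires:
            findings.append(f"{keyid}: no expiration date")
        elif int(expires) <= now:
            findings.append(f"{keyid}: expired")
        elif int(expires) - now > 2 * YEAR:
            findings.append(f"{keyid}: expires more than two years out")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, now=1750000000):
        print(finding)
```

The first constructed key fails on three counts and its subkey has expired; the second key, a certify-only master held as an offline stub with expiring subkeys, produces no findings.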
Revocation Certificates
Generate a revocation certificate immediately after creating your key, then store it separately from the key itself. If your private key gets compromised or you need to retire the identity, you publish the revocation certificate to inform everyone that the key is no longer trustworthy.
Don’t keep the revocation certificate in the same place as your private key. If an attacker gets your private key, you don’t want them to also have the revocation certificate. That would let them burn your identity while you’re trying to issue a warning.
Some people print the revocation certificate and store it in a safe deposit box or with a trusted person. Others use encrypted storage that’s physically separate from where they keep the main key. The important thing is having a way to revoke even if your primary key storage is destroyed or inaccessible.
Key Verification and Trust
The PGP web of trust is theoretically elegant but practically difficult to use in anonymous contexts. You can’t exactly meet up in person to verify fingerprints when you’re trying to maintain pseudonymity. Markets handle this by having the platform verify vendor keys, but that’s centralized trust.
For peer-to-peer verification without physical meetings, many organizations now implement AI-assisted identity verification that handles cryptographic authentication more reliably than manual methods. I’ve seen business AI solutions that integrate PGP verification into communication platforms, making it harder for users to accidentally trust the wrong key.
At minimum, verify key fingerprints through multiple independent channels. If someone sends you their PGP key over email, verify the fingerprint over Signal or Wickr. If possible, get the fingerprint through a third trusted party. It’s tedious but prevents man-in-the-middle attacks during initial key exchange.
Operational Mistakes to Avoid
Don’t use your PGP key across different identities. If you’re Vendor_A on one market and Vendor_B on another, they need separate keys. Otherwise, observers can correlate the identities. Same goes for personal vs. pseudonymous use. Keep them completely separate.
Be careful about metadata in encrypted messages. PGP encrypts content but not headers, timestamps, or recipient information. If you’re sending sensitive messages, use it within Tor or another anonymity network. The encryption protects against content analysis, but traffic analysis can still reveal who’s communicating with whom.
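To see what recipient information a message exposes before you send it, the added Python example below (not part of the original article) walks the OpenPGP packet headers defined in RFC 4880 and lists the key IDs stored in the clear ahead of the encrypted body. The sample message is constructed, and the helper names are illustrative.

```python
def read_packets(data):
    """Yield (tag, body) for each packet, per RFC 4880 section 4.2."""
    i = 0
    while i < len(data):
        hdr = data[i]
        i += 1
        if not hdr & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if hdr & 0x40:                         # new-format header
            tag, first = hdr & 0x3F, data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = int.from_bytes(data[i:i + 4], "big")
                i += 4
            else:
                raise ValueError("partial body lengths not handled")
        else:                                  # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            n = (1, 2, 4, 0)[ltype]            # 0 = indeterminate length
            length = int.from_bytes(data[i:i + n], "big") if n else len(data) - i
            i += n
        yield tag, data[i:i + length]
        i += length

def visible_recipients(message):
    """Key IDs in the unencrypted session-key packets (tag 1, version 3)."""
    return [body[1:9].hex().upper()
            for tag, body in read_packets(message)
            if tag == 1 and len(body) >= 9 and body[0] == 3]

def _pkesk(keyid_hex):
    # version 3, key ID, algorithm 18 (ECDH), filler for the wrapped session key
    body = bytes([3]) + bytes.fromhex(keyid_hex) + bytes([18]) + bytes(10)
    return bytes([0x84, len(body)]) + body     # old format, tag 1, 1-byte length

# Constructed binary message: two recipients, then an encrypted data packet
# (new format, tag 18). The second key ID is all zeros, which is what
# gpg writes with --throw-keyids or --hidden-recipient.
SAMPLE = (_pkesk("1122334455667788") + _pkesk("0000000000000000")
          + bytes([0xD2, 5, 1]) + bytes(4))

if __name__ == "__main__":
    print(visible_recipients(SAMPLE))
```

A non-zero key ID in that list ties the ciphertext to a specific subkey for anyone who holds a copy of the message; an all-zero ID hides which key was used, at the cost of the recipient having to try each of their secret keys.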
Don’t leave decrypted messages or keys in memory longer than necessary. Use secure deletion when removing old message files. Standard file deletion doesn’t actually remove data from disk; it just marks the space as available for reuse. Use tools like shred or srm for secure deletion, or better yet, use full-disk encryption and work in RAM when possible.
When to Burn a Key
Sometimes you need to retire a key identity completely. If you suspect compromise but aren’t certain, err on the side of caution. Publish the revocation certificate, generate a new key, and notify your contacts through secondary channels.
If you’re changing operational security posture, new keys might make sense even without compromise. Maybe you’re moving from a software key to hardware tokens, or you’re implementing new air-gapped procedures. A clean break with new keys can be smarter than trying to migrate old ones to new security policies.
The cost of burning a key is losing the trust and reputation associated with it. In some contexts, that’s catastrophic. A vendor with years of positive feedback has to rebuild from zero. But the cost of continuing to use a compromised key is worse. Burned identities recover eventually, but burned operations don’t.
PGP isn’t user-friendly and probably never will be. But for high-stakes communication where trust and authenticity matter, it’s still the best widely-available option. Master the key management basics, avoid common mistakes, and you’ll be in better shape than 90% of users.