PGP Encryption for Tor Users

Tor protects your network identity, but it does not encrypt the content of your communications at the application layer (beyond the Tor circuit itself). If you send an unencrypted email or message, the content is visible to the exit node (for clearnet connections) or the recipient's server. PGP encryption ensures that only the intended recipient can read your message, regardless of what happens in transit.

PGP also provides authentication through digital signatures. When someone signs a message with their PGP key, you can verify that the message was not altered and that it came from the holder of that key. This is essential in Tor communities where impersonation is a real threat — anyone can claim to be anyone when identities are pseudonymous.

For Tor hidden service operators, PGP is the standard method for proving identity continuity. If your .onion address changes (due to key compromise or server migration), a PGP-signed announcement allows your users to verify that the new address was published by the same entity that controlled the old one.

Use GnuPG (GPG), the open-source implementation of PGP, to generate your keys. On Linux, install it with sudo apt install gnupg. Run gpg --full-generate-key and select RSA 4096-bit or Ed25519 (Curve25519) for the strongest security. Ed25519 keys are shorter and faster while providing equivalent security.

When prompted for a name and email, use your pseudonym and anonymous email address — never your real identity. The name and email in a PGP key are not verified by anyone; they are simply labels. You can also leave the email field blank if you prefer.

Generate your keys on an air-gapped computer or inside Tails/Whonix for maximum security. Export your public key with gpg --armor --export your@email and share it through Tor-based channels like a .onion website, a keyserver accessible over Tor, or directly through encrypted messaging.

To encrypt a message for someone, import their public key with gpg --import theirkey.asc. Then encrypt your message: gpg --armor --encrypt --recipient their@email message.txt. The --armor flag produces ASCII output that can be pasted into emails or chat messages.

To sign a message (proving it came from you): gpg --armor --sign message.txt. To both sign and encrypt: gpg --armor --sign --encrypt --recipient their@email message.txt. Always sign your encrypted messages so the recipient can verify authenticity.

For verifying a signed message from someone else: gpg --verify message.txt.asc. GPG will tell you whether the signature is valid and which key was used. Be cautious about key verification — anyone can create a key with any name. Use the Web of Trust or out-of-band verification to confirm key ownership before trusting a public key.

For organizations or teams that need PGP key infrastructure, AnubizHost provides offshore VPS hosting where you can deploy a private PGP keyserver as a Tor hidden service. Run SKS, Hockeypuck, or keys.openpgp.org software on servers in Iceland, Romania, or Finland with full root access and no third-party oversight.

A self-hosted keyserver over Tor gives your team a trusted place to publish and retrieve PGP public keys without relying on public keyservers that may be monitored or compromised. Combined with VPN plus Tor, your key management infrastructure remains fully anonymous.

AnubizHost accepts Monero, Bitcoin, and other cryptocurrencies. No KYC, no identity verification required. Our NVMe SSD storage and DDoS protection ensure your keyserver stays fast and available. Deploy your PGP infrastructure today with AnubizHost's Tor hosting plans.