Obviously, if your computer is compromised, you're fucked. However, if the vendor is compromised... If messages to the vendor are not also encrypted to yourself, there's no proof you encrypted the message. If they are encrypted to yourself...

    gpg --throw-keyid

That will remove the key id from the message. All the attacker will see is:

    gpg: encrypted with RSA key, ID 00000000
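
To check what the post describes, the following added example (not part of the original post) reads the recipient key IDs out of the session-key packets at the front of a binary, de-armored OpenPGP message and reports any that are not zeroed. It assumes version 3 PKESK packets as laid out in RFC 4880; the function names and the sample packets are constructed for illustration.

```python
# Added example: list the recipient key IDs a binary OpenPGP message exposes.
# Assumption: version 3 PKESK packets (RFC 4880, section 5.1) only.
PKESK_TAG = 1        # Public-Key Encrypted Session Key packet
WILDCARD = bytes(8)  # all-zero key ID, what --throw-keyid leaves behind

def packet_tag(first):
    if not first & 0x80:
        raise ValueError("not an OpenPGP packet header")
    return first & 0x3F if first & 0x40 else (first >> 2) & 0x0F

def body_span(buf, pos):
    """Return (start, length) of the packet body whose header begins at pos."""
    first = buf[pos]
    if first & 0x40:                                    # new-format length
        o1 = buf[pos + 1]
        if o1 < 192:
            return pos + 2, o1
        if o1 < 224:
            return pos + 3, ((o1 - 192) << 8) + buf[pos + 2] + 192
        if o1 == 255:
            return pos + 6, int.from_bytes(buf[pos + 2:pos + 6], "big")
        raise ValueError("partial body length in a PKESK packet")
    size = {0: 1, 1: 2, 2: 4}.get(first & 0x03)         # old-format length
    if size is None:
        raise ValueError("indeterminate length in a PKESK packet")
    return pos + 1 + size, int.from_bytes(buf[pos + 1:pos + 1 + size], "big")

def recipient_key_ids(message):
    """Key IDs carried by the PKESK packets at the front of the message."""
    ids, pos = [], 0
    while pos < len(message) and packet_tag(message[pos]) == PKESK_TAG:
        start, length = body_span(message, pos)
        body = message[start:start + length]
        if len(body) < 10 or body[0] != 3:
            raise ValueError("truncated or non-v3 PKESK packet")
        ids.append(body[1:9].hex().upper())
        pos = start + length
    return ids

def exposed_recipients(message):
    """Key IDs an observer can read; empty when every recipient is hidden."""
    return [k for k in recipient_key_ids(message) if k != WILDCARD.hex()]

# Constructed sample packets (not real ciphertext): key ID, RSA algo 1, dummy MPI.
def _pkesk(key_id, old_format):
    body = b"\x03" + key_id + b"\x01" + b"\x00\x08\xff"
    return bytes([0x84 if old_format else 0xC1, len(body)]) + body

_DATA = bytes([0xD2, 2, 1, 0])  # stand-in for the encrypted data packet (tag 18)
NAMED = _pkesk(bytes.fromhex("1122334455667788"), True) + _DATA
HIDDEN = _pkesk(WILDCARD, True) + _pkesk(WILDCARD, False) + _DATA
```

`HIDDEN` models a message encrypted to two recipients (the vendor and yourself) with both key IDs thrown; the packet count and public-key algorithm are still readable even though the key IDs are not.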