Silk Road forums

Discussion => Security => Topic started by: Kind Bud on July 18, 2011, 10:32 pm

Title: PGP Basic Etiquette
Post by: Kind Bud on July 18, 2011, 10:32 pm
PGP Basic Etiquette

Many people are using PGP for the first time.
Here are three simple rules to follow on Silk Road.

1) Label your public block
2) Place your PGP public block at the end of the plaintext message BEFORE encryption.
3) Be explicit about requiring PGP but try to respond to any PGP with PGP.

************************
Rule One:
Label your public block:
yourname@fakeORreal.com

How
When you create a PGP key it will ask you for a name and/or an email. They can be fake, but should start with the username you are using to buy with.

Why
Many Sellers have hundreds or thousands of PGP codes. To encode back to you they look up that user name and if it is there, encode for you. (Faking someone else's username is a non-issue as only the intended recipient can decode.) If you use anonymous@anonymous.com a seller will not find you in the keyring and you will not get a PGP response. For example, kindbud@onlyvalidonsilkroad.com works great (although a good PGPer would only respond on Silk Road with it).

************************
Rule Two:
Place your PGP public block at the end of the message BEFORE encryption.

How:
Plain text message
--senders public code block--
Then encrypt the whole thing

This keeps the whole thing together and it is easy to see if a response is required. As an added bonus and increased security, only the intended recipient can see who the sender was.

Why:
Some people split their public block as separate from the message. This means both that the message can be passed on without the block and that others may be able to see the public block for whom a response was not intended.

******************************
Rule Three:
Be explicit about requiring PGP but try to respond to PGP with PGP.

How:
Say at the very top, and at the bottom, include “respond using PGP only please” if that is important to you. If you are responding to a PGP message, look through your address book for their user name (Rule 1), or it should be at the bottom of the message they sent to you (Rule 2). If you do not have a PGP code for them you may send them a message in cleartext if they were not explicit, or notify them that PGP was not possible because of failure of Rule One and Rule Two.

Why:
Sellers get a lot of messages from people new to PGP. They may use it only for their address or make a mistake about Rule One or Rule Two. Speed and responses are valued more than PGP security by most buyers, so skipping PGP encryption is the correct choice under most circumstances if the buyer is not explicit.




Title: Re: PGP Basic Etiquette
Post by: peaceandlove on July 19, 2011, 10:28 am
This is a great post dude.

Rule 1 is so important. I am so pissed trying to figure out who is whom when responding to PGPs. It's very frustrating.

P+L
Title: Re: PGP Basic Etiquette
Post by: mixa on July 19, 2011, 03:25 pm
Anyone got like a guide that shows you how to acquire PGP key and how to use it? Cause a simpleton like me is extremely confused when it comes to PGP. I understand that sellers are very serious about their privacy, so I don't want to be an ass sending unencrypted messages potentially putting them at risk.
Title: Re: PGP Basic Etiquette
Post by: Kind Bud on July 19, 2011, 05:34 pm
GPG is PGP (pgp is a company now, hence the name change)

http://www.gnupg.org

Windows
http://www.gpg4win.org/

Mac
http://www.gpgtools.org/

There are lots of pages about PGP, how to set it up, etc. Download, install, and try it out; it is all pretty easy, but if you have any questions there are piles of dedicated people in the general web that are all about PGP/GPG.

"GNU Privacy Assistant" program is bundled and probably the easiest to start out with. You can import new keys from a text, asc or pgp file. You can use the clipboard to encrypt or decrypt.

Title: Re: PGP Basic Etiquette
Post by: MarketMaker on July 25, 2011, 04:47 pm
Is it considered rude if you pm someone nothing at all except your key or do most assume it means you want to talk encrypted and will respond with their key?

And key at the top? I've been putting it at the bottom but I'm extremely new to gpg. 

This is probably a very stupid question but if someone gets hold of my private key can it be easily compromised - easily by LE is what I mean.

One other thing, as far as random passphrases go, could you take an mp3, open it in a text editor and copy a predetermined amount of characters, let's say 5 lines, and use that as a passphrase? The characters would appear crazy and I'd assume that is "random" as you didn't determine the characters, and you could just roll a die a few times: first roll amount of levels to go down in the file system, second roll amount of "sideways" dirs, third roll file as it appears in that directory while sorting by name, etc.

Would this be a good password?

Would something easily referenced but not remembered or recorded, like the 10 horse race earnings after a certain date, added together?

I want my shit like those IRA dudes that they caught and had the FBI on the stand asking if it was impossible. He said no but it would take a long time.  They asked him if it would take over a year, he answered that if all the computers on this planet worked together to break the code everyone in this room would be dead before it were cracked.  Or something along those lines.



Title: Re: PGP Basic Etiquette
Post by: g4bb3r on July 25, 2011, 05:03 pm
If I receive a PM that's just a key, I assume they want to initiate an encrypted conversation and message them back accordingly. And even if your private key is compromised, they still need the passphrase to use it, although iirc I read somewhere that the government can force you to give up your key if you're arrested as a suspect for certain crimes or be charged with obstruction of justice? Not sure how valid that is though.
Title: Re: PGP Basic Etiquette
Post by: MarketMaker on July 25, 2011, 05:24 pm
I've heard it's in the UK and hasn't been attempted in the US yet.  But "heard" means shit, we all "heard" as kids cops had to tell you they were and that is bullshit.

Personally, depending on the crime, I'd rather catch an obstruction charge than a trafficking charge, especially if it meant fed time over state. Any day.


Title: Re: PGP Basic Etiquette
Post by: joeblow2 on July 25, 2011, 08:21 pm
I have used PGP for some time, but didn't know about the "blind opening" with your key thing.  Point taken. :)

I always put my key below the message the first time out, just so they know there's a message there, not just the key. 

As to the "forced to give up your password" issue: I just read a very long court case about this. Nope, didn't save the link, coz I didn't think anyone would want it. Ha! But basically it said that in the UK this is part of law, you must give up your password or you can be charged with a certain crime. I'm sure some of our UK guys will know that crime's name.

In the US it's totally different.  The fifth amendment protects us against that and even though they will stress you to provide it, if you have a whole disc that's done in TrueCrypt and they find it, there is *nothing* legal they can do to make you give up the password.  I'd always thought if that happened I'd say "oh, I used some random generated key thing and then I lost the document with it on it, so I can't get into it.  It's just sitting there waiting to be reformatted".   Of course, they won't believe it, but what's their rebuttal?  :D
Title: Re: PGP Basic Etiquette
Post by: MarketMaker on July 25, 2011, 09:32 pm
That's actually a pretty good defense I think.  I think it's very plausible a person could write out an extremely long passphrase that is random to them on a piece of paper they keep on them at all times.  If that paper were to get lost he really would have no way of getting into it unless he could reconstruct it in ways only he knows.


Title: Re: PGP Basic Etiquette
Post by: Freeman on August 02, 2011, 09:19 am
KindBud, so are you saying that if I include my public key in the message before encryption that I don't have to send my public key to the recipient separately in an unencrypted message?
Title: Re: PGP Basic Etiquette
Post by: Kind Bud on August 02, 2011, 04:36 pm
@Freeman
Yes
Write it all up including your public key block (needed for a reply) and encode it ALL using the intended recipient's Public Block.

<start>
Hello Kind Bud message blah blah message blah blah message blah blah message blah blah message blah blah message blah blah message blah blah message blah blah message blah blah message blah blah message blah blah message blah blah message blah blah message
-----BEGIN FREEMAN PUBLIC KEY BLOCK-----
OIHskmesieOIUb&^f75rLkjdcjwd;lwi9Huwpoe
soidfory978dc;wdifp9iefk(*(OJM(*G&6^%E^#%
-----END FREEMAN PUBLIC KEY BLOCK-----
<end>
Title: Re: PGP Basic Etiquette
Post by: Freeman on August 02, 2011, 05:46 pm
Very cool!  This makes things much easier for me.  Thanks!
Title: Re: PGP Basic Etiquette
Post by: Kind Bud on August 05, 2011, 07:34 pm
This part seems to confuse people more than anything else:

You use VENDOR PUBLIC KEY BLOCK to encode FOR the vendor

They use YOUR PUBLIC KEY BLOCK to encode for you.

You give out, but do not use your own Public Key Block.
You can not decode messages you wrote once you encode them.
Title: Re: PGP Basic Etiquette
Post by: un1v4c222 on August 05, 2011, 10:09 pm
What about key signing?  Does anyone do this in this context?
Title: Re: PGP Basic Etiquette
Post by: Kind Bud on August 05, 2011, 10:49 pm
Key signing is used to prove you are the person in possession of the private key. It is useful to prove you are really you but isn't used as often in normal correspondence. GreenCo uses signing for continuing customer support, to prove that they really wrote something (like a coupon) without keeping any customer records. Silk Road uses it to prove official statements are really from him.

People are expected to guard their private key, so it is theoretically harder to fake a signature than to hack someone's user account.

There is no harm in using it all the time, just most people do not bother.
Title: Re: PGP Basic Etiquette
Post by: un1v4c222 on August 06, 2011, 04:52 am
kind bud,

Thanks!  What is the best way to encrypt messages without writing the unencrypted message to disk? 
Title: Re: PGP Basic Etiquette
Post by: Kind Bud on August 14, 2011, 06:14 pm
@univac222
GPA (Gnu Privacy Assistant) has a clipboard function that you can write in / encrypt / decrypt, all in RAM.
Title: Re: PGP Basic Etiquette
Post by: Slidedaddy on August 15, 2011, 07:48 pm
Anyone up for a test to see if I have this right???   Please...

Title: Re: PGP Basic Etiquette
Post by: Calistoner on August 15, 2011, 07:55 pm
nope you did it wrong...



it should look like this 


-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.17 (MingW32)
-----END PGP PUBLIC KEY BLOCK-----

just right click your name copy it, then paste it here


try to message me using pgp once you add me
Title: Re: PGP Basic Etiquette
Post by: Freeman on August 15, 2011, 08:31 pm
I've had some problem with vendors saying that they do not see my SR username in my PGP key.  I created a new one.  Could someone check and tell me what name/email appears for the key?

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.17 (MingW32)
-----END PGP PUBLIC KEY BLOCK-----
Title: Re: PGP Basic Etiquette
Post by: Coherence on August 15, 2011, 08:49 pm
pub  2048R/5F94A977 2011-08-15 Freeman (Freeman) <freeman@freeman.ru>

Looks good Freeman!
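Freeman's question above ("what name/email appears for the key?") and Rule One (the key's user ID must carry your forum nym) can both be checked without trusting someone else's keyring listing. The following is an added example, not code from the thread or from GnuPG: a standard-library Python inspector that strips the armor, verifies the CRC-24 checksum line, walks the OpenPGP packets and reports what `gpg --list-keys` would show (key ID, size, creation date, user IDs), then applies the nym check. All function names are mine, and the key it parses is a constructed sample with dummy RSA numbers, since no real key from the thread is reproduced here.

```python
# Added example, not code from the thread or from GnuPG: a standard-library-only inspector
# for an armored OpenPGP public key block. The sample key at the bottom is CONSTRUCTED.
import base64
import hashlib
import time

BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
END = "-----END PGP PUBLIC KEY BLOCK-----"
TAG_PUBKEY, TAG_USERID = 6, 13          # OpenPGP packet tags (RFC 4880 section 4.3)

def crc24(data: bytes) -> int:          # checksum carried on the armor's "=xxxx" line (RFC 4880 6.1)
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(text: str) -> bytes:        # strip the armor, verify the checksum, return packet bytes
    lines = [ln.strip() for ln in text.splitlines()]
    if BEGIN not in lines or END not in lines:
        raise ValueError("missing BEGIN/END armor lines")
    body = lines[lines.index(BEGIN) + 1:lines.index(END)]
    if "" in body:                      # armor headers such as "Version: ..." end at a blank line
        body = body[body.index("") + 1:]
    data_lines, crc_line = [], None
    for ln in body:
        if ln.startswith("=") and len(ln) == 5:
            crc_line = ln[1:]
        elif ln:                        # stray blank lines inside the data are ignored
            data_lines.append(ln)
    data = base64.b64decode("".join(data_lines), validate=True)   # rejects non-base64 text
    if crc_line and crc24(data) != int.from_bytes(base64.b64decode(crc_line), "big"):
        raise ValueError("armor checksum mismatch: the key block was altered in transit")
    return data

def parse_packets(data: bytes):         # yield (tag, body); handles old- and new-format headers
    pos = 0
    while pos < len(data):
        ctb, pos = data[pos], pos + 1
        if not ctb & 0x80:
            raise ValueError(f"bad packet header byte at offset {pos - 1}")
        if ctb & 0x40:                                   # new format: tag in the low 6 bits
            tag, first, pos = ctb & 0x3F, data[pos], pos + 1
            length = first                               # one-octet length
            if 192 <= first < 224:                       # two-octet length
                length, pos = ((first - 192) << 8) + data[pos] + 192, pos + 1
            elif first == 255:                           # five-octet length
                length, pos = int.from_bytes(data[pos:pos + 4], "big"), pos + 4
            elif first >= 224:
                raise ValueError("partial body lengths not supported")
        else:                                            # old format: tag in bits 2-5
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length not supported")
            nbytes = (1, 2, 4)[ltype]
            length, pos = int.from_bytes(data[pos:pos + nbytes], "big"), pos + nbytes
        body, pos = data[pos:pos + length], pos + length
        if len(body) != length:
            raise ValueError("truncated packet")
        yield tag, body

def describe_key(armored: str) -> dict:  # what `gpg --list-keys` shows for the primary key
    info = {"uids": []}
    for tag, body in parse_packets(dearmor(armored)):
        if tag == TAG_PUBKEY and "fingerprint" not in info:   # v4 key packet assumed
            # v4 fingerprint = SHA-1 over 0x99, 2-octet body length, body (RFC 4880 12.2)
            fpr = hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()
            info.update(fingerprint=fpr, key_id=fpr[-8:], algo=body[5], bits=int.from_bytes(body[6:8], "big"),
                        created=time.strftime("%Y-%m-%d", time.gmtime(int.from_bytes(body[1:5], "big"))))
        elif tag == TAG_USERID:
            info["uids"].append(body.decode("utf-8", errors="replace"))
    if "fingerprint" not in info:
        raise ValueError("no public key packet in this block")
    return info

def uid_matches_nym(uids, nym: str) -> bool:   # Rule One: a user ID's name part must start with the nym
    return any(uid.split("(")[0].split("<")[0].strip().lower().startswith(nym.lower()) for uid in uids)

def _mpi(value: int) -> bytes:          # multiprecision integer: 2-octet bit count + magnitude
    return value.bit_length().to_bytes(2, "big") + value.to_bytes((value.bit_length() + 7) // 8, "big")

def _old_packet(tag: int, body: bytes) -> bytes:   # old-format header with a 1- or 2-octet length
    ltype, nbytes = (0, 1) if len(body) < 256 else (1, 2)
    return bytes([0x80 | (tag << 2) | ltype]) + len(body).to_bytes(nbytes, "big") + body

def build_sample_key(uid: str, created: int = 1313366400) -> str:   # CONSTRUCTED; 1313366400 = 2011-08-15 UTC
    n = (1 << 2047) | 0x10001           # 2048 bits long but NOT a real RSA modulus
    body = b"\x04" + created.to_bytes(4, "big") + b"\x01" + _mpi(n) + _mpi(65537)   # v4, RSA (algo 1)
    packets = _old_packet(TAG_PUBKEY, body) + _old_packet(TAG_USERID, uid.encode())
    b64 = base64.b64encode(packets).decode()
    crc = "=" + base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, "Version: constructed sample", "",
                      *[b64[i:i + 64] for i in range(0, len(b64), 64)], crc, END])
```

Pasting a real block into `describe_key` gives the same `pub  2048R/xxxxxxxx date uid` information Coherence quoted; a block whose user ID fails `uid_matches_nym` is one a vendor cannot find in the keyring by your nym.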
Title: Re: PGP Basic Etiquette
Post by: Freeman on August 16, 2011, 10:00 am

Thank you! :D
Title: Re: PGP Basic Etiquette
Post by: herpiusderpius on August 17, 2011, 10:20 am
Hey,
I'm fairly new here and would just like to say this thread helped me out when getting used to PGP. This thread helped reinforce and reword the information in the GPG4Win compendium as well as the text instructions here (http://p3lr4cdm3pv4plyj.onion/). Mad thanks to the creator of each of these resources. I look forward to many successfully encrypted messages and hopefully transactions here on silk road.
Title: Re: PGP Basic Etiquette
Post by: nicette on August 19, 2011, 03:07 pm
:) Kind Bud thanQ so much for this post, it helped bunches! Trying to get one's "ducks in a row" before making a purchase has proved to be quite "taxing", but thanks to members such as yourself, who can actually explain in LAYMAN'S terms, this process has been made a little bit easier! Could someone please recommend what PGP program is the "preferred means" on this site? And also would it be possible, as soon as I trust myself to be able to actually SEND an encrypted message, for some1 to just let me test my newly acquired PGP skills by just accepting a test message? Many thanks in advance to the Sr. members and Newbies who take the time to explain these things. It must be really irritating to keep answering the same questions over and over but we really do appreciate it!
Title: Re: PGP Basic Etiquette
Post by: Kind Bud on August 19, 2011, 04:23 pm
Some programs have different features like automatic email encryption/decryption
For people new to PGP I recommend the program GPA

The easiest to use is GPA Gnu Privacy Assistant 

You paste other peoples keys directly into the main application window.
There is a clipboard you can use to copy/paste/encode/decode/or sign any text.

Linux
http://www.gnupg.org
Or on Ubuntu open a terminal and type: sudo apt-get install gpa
(caution apt-get does not use Tor)

Windows
http://www.gpg4win.org

Mac
http://www.gpgtools.org
Title: Re: PGP Basic Etiquette
Post by: Aldous.Huxley on February 25, 2012, 03:25 am
Hello all, first off let me thank you for all the great info on security and for all the technical tutorials.

Okay, so I read the tutorial for GPGTools, authorized it so I can use it in the menus and went on to create my own key. So far so good. I get back to the browser and select someone's key (tried with the -----BEGIN PGP PUBLIC KEY BLOCK----- thing and without it, don't really know where the key starts), try to import it but it says 0 keys in the GPGTools pop up thing. I'm surely missing a step here. Also tried to encrypt something, no luck.
Can someone give me a hand on this? Thanks
Title: Re: PGP Basic Etiquette
Post by: kmfkewm on February 25, 2012, 03:34 am
my rule:

if your key doesn't have the same nym that you have on the forums, don't be surprised when I totally ignore you.

I know a lot of vendors who follow the same basic guideline. STOP NAMING YOUR KEY RANDOM THINGS, WE DO NOT KNOW WHO THE FUCK IT BELONGS TO.
Title: Re: PGP Basic Etiquette
Post by: Aldous.Huxley on February 25, 2012, 04:13 am
Breakthru. I think I got it to work, at least within the text editor.

In the remote possibility someone actually comes back to this post and checks on things, I have another issue; it is not related to pgp, but I guess there's no need to open a new thread over it. Often when browsing with Tor, here or anywhere else, I get reverted to the onion.to disclaimer, not sure why but it makes it a painful experience to travel around. Any info on this?
Title: Re: PGP Basic Etiquette
Post by: treesplease on June 03, 2012, 04:23 pm
This should be a sticky.  :)
Title: Re: PGP Basic Etiquette
Post by: vlad1m1r on June 15, 2012, 12:19 pm
I'm just going to bump this topic for the sake of newer users to say one more thing:

If you use a Live OS like TAILS and you generate a key pair, it will disappear after being used for the first time. Similarly if you decide to switch to another system like Liberte your private key will not automatically be copied over.

As such do make sure you keep a back up of your public and private key somewhere safe such as on an encrypted USB stick.

I don't mean to moan but several times in the past week I've been asked to resend messages to people who've lost their private key - in one case no less than six times to the same person.

If anyone needs any help with this, please let me know, I'd be more than happy to show you how to do this.

All the best,

V.
Title: Re: PGP Basic Etiquette
Post by: vlad1m1r on June 16, 2012, 04:26 pm

Backing Up Your PGP Keys in Tails
===========================

Tails is a wonderful Linux distribution aimed at the security-minded. One of its security features is the fact that when Tails is powered down, all data created during your Tails session is erased. This is fabulous for those who do not wish to leave traces of their activities for others to find.

However, that poses a problem for anyone using PGP in Tails, as any keys that are created (or other people's keys that are added to your PGP keyring) during your Tails session are lost when the session ends.

Accordingly, it is necessary to back up your PGP keyrings to a USB stick BEFORE shutting down Tails. Here's how:

* Double-click on the folder labeled "Amnesia's home" on the Desktop.

  A new window will open up, with two panes: the left-most pane will contain a list of places that are accessible.

* Plug in the USB stick that you wish to back up your PGP keys to.

  Within a few seconds, you'll see a new entry in the left-most pane; this will be your USB flashdrive.

  Press F3 to open up an extra pane; key Control + H to make the hidden files visible.
 
  You will now see the contents of the 'amnesia' folder in both panes.
 
* Click on the entry for your USB stick in the left-most pane.

  You will now see the middle pane with the contents of your USB stick.
 
* In the right-most pane, locate the .gnupg folder (note the dot "." in front of gnupg).

* Drag-and-drop the .gnupg folder to the middle pane (i.e. to your USB stick).

  Your PGP keyrings, GPG configuration file, and trust database are now all backed up to your USB stick.

* When you go to use Tails again, repeat this process, only this time, you drag the .gnupg folder from your USB stick to the amnesia folder, thus restoring your PGP keyrings. (In other words, you drag the .gnupg folder from the middle pane (your USB stick) to the right-most pane, the Tails Amnesia folder).

Guru

Thanks Guru as ever you're a lifesaver +1

V.
Title: Re: PGP Basic Etiquette
Post by: KarmaComa on June 16, 2012, 10:00 pm
good backup info
Title: Re: PGP Basic Etiquette
Post by: MixM8 on June 16, 2012, 11:30 pm
Am I supposed to put my PGP encrypted address in the address box at checkout, or leave that box empty and PM the seller my encrypted address? I'm trying to take more steps to be safe.
Title: Re: PGP Basic Etiquette
Post by: TreyWingo104 on June 16, 2012, 11:46 pm
Am I supposed to put my PGP encrypted address in the address box at checkout, or leave that box empty and PM the seller my encrypted address? I'm trying to take more steps to be safe.

Encrypt the address using the vendor's public key and definitely put the encrypted address in the address box during checkout, because that info is deleted from the servers once the order is marked in transit by the vendor. There is no way it can be recovered, and the PGP encryption keeps it extra safe until it is marked in transit. You should never pm it to the vendor :) encrypted or not, no need to. By using the address field it's safest because of how it gets permanently deleted, plus it keeps everything neat and concise for the vendor so they know what item/amount to send to the corresponding address you provide (after they decrypt it).

I also ask buyers to leave their public key beneath their address (encrypted of course) so I can provide them with updates securely.  This is always a good thing to do in the event the vendor wants to get in touch with you and confirm the address, inform of you of tracking, etc.

Nice to see people being pro-active about PGP, I get so many unencrypted orders.....its ridiculous :X...keep up the research and safety driven mindset and you're good to go :)
Title: Re: PGP Basic Etiquette
Post by: TreyWingo104 on June 16, 2012, 11:51 pm
Am I supposed to put my PGP encrypted address in the address box at checkout, or leave that box empty and PM the seller my encrypted address? I'm trying to take more steps to be safe.
doesn't make a difference since your vendor is the only person that can read with your gpg'd address anyway

It definitely makes a difference. We don't want to have to go through messages to find the address for someone's order when everything should be under the orders section.
The address section is there for a reason....if SR wanted people PM'ing addresses to the vendor (which they obviously do not) then they would not put the address box into the checkout section...
More importantly, whatever is entered into the address field during checkout is deleted forever once the order is marked in transit. In other words, even SR can't go back and confirm what was/wasn't there....This is an integral security feature for both the vendor and the buyer and is intended to be used for entering the address.

PM's are not.....If you're talking about being as safe as possible then you would not want your address hanging around in someone's inbox, encrypted or not.... In the event that vendor gets caught or the personal messaged address gets intercepted (MITM attack or otherwise): There are a number of ways the key could be revealed and the address then revealed....
Title: Re: PGP Basic Etiquette
Post by: jameslink2 on June 17, 2012, 09:44 pm
The easiest to use is GPA Gnu Privacy Assistant 

You paste other peoples keys directly into the main application window.
There is a clipboard you can use to copy/paste/encode/decode/or sign any text.

Linux
http://www.gnupg.org
Or ubuntu open terminal and write :sudo apt-get install gpa
(caution apt-get does not use Tor)

Seems that it is not available in the repos for Fedora. However, I use kgpg, which comes with Fedora if you install the KDE interface, and it is wonderful.

I have seen some people using privnote (sp?). The site is not on the onion network, it is a normal .com; I am not sure I would trust the site.

If you don't use pgp or gpg, I suggest you take the time to learn. There is a wealth of knowledge in this thread!
Title: Re: PGP Basic Etiquette
Post by: manic01 on June 30, 2012, 06:17 am
Thanks to everyone for their help in explaining this to me, could someone tell me if I am doing this right so a)only the vendor can see my address and b)the vendor can communicate with me to send tracking info, questions,etc?

Here's what I know to do

Step 1. Copy the vendor's public key to GPA
Step 2. Open clipboard and write my message and address, then encrypt and paste into the address box

Here's my main question, should I copy my public key (has my correct SR name) along with my address and encrypt the entire message (including my public key)? I assume when the vendor decrypts my address they will also then have my public key. If that is true, how will the vendor be able to send a message to me? Sorry if this is a dumb question, but I am a bit confused as to how the vendor is able to contact the buyer with tracking info or other info. Thanks for the help.
Title: Re: PGP Basic Etiquette
Post by: manic01 on June 30, 2012, 06:36 am

It's a good idea to include your PGP public key, just to save time for the vendor, so they have it right to hand.  Write your message and, after a blank line, include your public key. Encrypt the whole message (including your public key) with the vendor's key, as well as one of your own if you want to be able to decrypt the message later.

Guru

Thanks for the answer. The other question I have is once the vendor has my public key, how do they message me back? Through my SR inbox, email, or is there some other way I'm not seeing?
Title: Re: PGP Basic Etiquette
Post by: vlad1m1r on June 30, 2012, 07:38 am

I usually message my customers back via the same way they contact me so if they do it via SR I just reply via their inbox. I imagine as a buyer this is the only way they'd be able to get in touch with you anyway unless you included your e-mail address in the message?

V.

Title: Re: PGP Basic Etiquette
Post by: ewoki on July 21, 2012, 01:51 pm
**UPDATED**

Great info here. Before I read this thread I was just going to include 2 blocks on my first purchase.  1st block would have been my address, second block my public key.  Well, I tried to encrypt my public key along with my address, but my gpg doesn't seem to want to do it or it's just taking an extreme amount of time to complete.   Encrypting my address is instantaneous after I select the recipient(s).

My question is, is it normal for it to take a long time to encrypt a message that size? And if it is not going to work would it just be okay to include the message block (address) and my public key block?

Oh, and one more question.  In another post it says you can't decrypt a message unless you add your own key when you select recipients, but I tried that exact thing a few days ago and I was able to decrypt a message that I didn't select myself as a recipient.  Does this mean my gpg app isn't working correctly?

A bit concerned before I put my name and address out there.

Thanks in advance for any input!

EDIT : It seems the recipient selection window had popped up beneath another open window.   :P   I hope this will help others that may have a similar issue.
Title: Re: PGP Basic Etiquette
Post by: LouisCyphre on July 21, 2012, 03:04 pm
Great info here. Before I read this thread I was just going to include 2 blocks on my first purchase.  1st block would have been my address, second block my public key.  Well, I tried to encrypt my public key along with my address, but my gpg doesn't seem to want to do it or it's just taking an extreme amount of time to complete.   Encrypting my address is instantaneous after I select the recipient(s).

My question is, is it normal for it to take a long time to encrypt a message that size?  And if it is not going to work would it just be okay to include the message block(address) and my public key block?

Encryption time varies according to a number of factors, usually the number of keys a message is encrypted to, the size of the message being encrypted and the processing power of the computer doing the encrypting. In general it should not take very long to encrypt a text file of 50Kb or less to a couple of 4096-bit keys. A message of a few paragraphs plus a public key will be a lot less than 50Kb.

> Oh, and one more question.  In another post it says you can't decrypt a message unless you add your own key when you select recipients, but I tried that exact thing a few days ago and I was able to decrypt a message for which I didn't select myself as a recipient.  Does this mean my gpg app isn't working correctly?

It may just mean that you have it configured to automatically encrypt everything to yourself.  This is a common recommended setting.

If you're concerned, I suggest you head over to Pine's PGP Club thread to practice: http://dkn255hz262ypmii.onion/index.php?topic=30938.0
Title: Re: PGP Basic Etiquette
Post by: parapsy on August 22, 2012, 08:58 pm
Hi, I'm new here, and just learning things one by one. I wanted to check if my PGP is working fine, if my public keys are fine and if I can encrypt and decrypt properly. I just need to try doing it with someone who is willing to take my stupidities, so that I don't trouble the vendors out there.  Thanks guys. Only after this can I go ahead... so please, people.
Title: Re: PGP Basic Etiquette
Post by: strangemagic on August 23, 2012, 01:19 am

Hi Parapsy, I've sent you a PM containing an encrypted message.

Feel free to send me one back, if you want to.

By the way, I found your public key in the relevant forum thread by doing a search, but you can make it slightly easier for others if you include a link to it in your Forum Signature (to edit it, mouse over the Profile button and click ForumProfile in the drop-down menu). In your case the URL would be this one:
   http://dkn255hz262ypmii.onion/index.php?topic=174.msg425380#msg425380

Good luck
Title: Re: PGP Basic Etiquette
Post by: dementyev6969 on October 17, 2012, 01:52 am
This part seems to confuse people more than anything else:

> You use VENDOR PUBLIC KEY BLOCK to encode FOR the vendor
>
> They use YOUR PUBLIC KEY BLOCK to encode for you.
>
> You give out, but do not use your own Public Key Block.
> You can not decode messages you wrote once you encode them.

I was wondering this very thing when I stumbled across this thread.  Thanks!
Title: Re: PGP Basic Etiquette
Post by: SantaClause1 on December 27, 2012, 03:40 pm
This was very helpful. Thank You.
Title: Re: PGP Basic Etiquette
Post by: peeweed on December 27, 2012, 10:42 pm
Extremely helpful thread...

I really like the tip in Rule 2, I love those great ideas that are so simple... encrypt your public key!  Genius!


Don't want to step on the OP's toes, but I found this tutorial that was very simple and easy: 32yehzkk7jflf6r2.onion/gpg4usb/

The thing I love about it is that the tool doesn't have an installer and runs completely from a folder; as the name says, it is great for running off USB.  And it is very simple...
Title: Re: PGP Basic Etiquette
Post by: quale on January 05, 2013, 10:45 pm
I just sent my "first" message to my vendor

I included my key and then the message ....

And I encrypted the message with both his and my key.


Am I doing it wrong ? :)
Title: Re: PGP Basic Etiquette
Post by: astor on January 05, 2013, 10:56 pm
You're doing it right, quale.
Title: Re: PGP Basic Etiquette
Post by: pestlepete on January 09, 2013, 02:44 am
@quale: You don't need to encrypt to yourself, except when you want to check to make sure the right data got encrypted; once you're comfortable that you're doing the process correctly, you only need to select the vendor's key when encrypting (this will save you a tiny amount of time in the long run). Note: I'm not saying you're making a mistake, just taking an extra step.

@thread:
How about, when sharing your public key, also share the first 18 ASCII characters of ciphers addressed to you? It appears to me that the first 18 characters are always the same for a given recipient. I believe this first portion of data would just be your "name" and email or key fingerprint, but I'm not sure (any experts want to weigh in?). I can't think of any security holes with this method (anyone who gets your key can figure out your first 18 immediately), and this makes it so people sending you messages can quickly self-test their encryption without having to wait for a reply from you.

Example: for the test pair Testy Teste (teste@tes.ty), the first 18 characters are always "hIwDfNaI6o1RN6sBA/". This means that when someone encrypts a message for Testy, all they have to do is check that those first 18 characters match up, and they'll at least know they got the recipient correct (thus avoiding "error: unknown recipient", which can sometimes delay transactions by a full day or more).

Therefore, at the end of Testy's profile, he would write something like:

"
Please encrypt all sensitive messages, including shipping address, using my PGP key below:

First18: hIwDfNaI6o1RN6sBA/
(when encrypting messages to me, please make sure the first 18 characters match above before sending)

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.17 (MingW32)
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=iAq5
-----END PGP PUBLIC KEY BLOCK-----
"

(I included the key so you can try it yourself - or, just try on one of your own keys)
(note: this is an RSA 1024 key for compactness, but it still seems to be 18 characters for longer algorithms like RSA 3072)

To the more experienced SR/PGP users - if you can think of any reason why this is insecure or won't work (e.g. perhaps the first 18 chars are not sufficiently specific) please share, or if you think this warrants a new thread, let me know and I'll make one. Or, if you like this idea and own one of the PGP tutorial threads, copy and paste at will!

Peace
Title: Re: PGP Basic Etiquette
Post by: Nightcrawler on January 09, 2013, 02:57 am
> @quale: You don't need to encrypt to yourself, except when you want to check to make sure the right data got encrypted; once you're comfortable that you're doing the process correctly, you only need to select the vendor's key when encrypting (this will save you a tiny amount of time in the long run). Note: I'm not saying you're making a mistake, just taking an extra step.
>
> @thread:
> How about, when sharing your public key, also share the first 18 ASCII characters of ciphers addressed to you? It appears to me that the first 18 characters are always the same for a given recipient (I have checked with a few of my keys and it seems to always be 18). I believe this first portion of data would just be your "name" and email or key fingerprint, but I'm not sure (any experts want to weigh in?). I can't think of any security holes with this method (anyone who gets your key can figure out your first 18 immediately), and this makes it so people sending you messages can quickly self-test their encryption without having to wait for a reply from you.
>
> Example: for the test pair Testy Teste (teste@tes.ty), the first 18 characters are always "hIwDfNaI6o1RN6sBA/". This means that when someone encrypts a message for Testy, all they have to do is check that those first 18 characters match up, and they'll at least know they got the recipient correct (thus avoiding "error: unknown recipient", which can sometimes delay transactions by a full day or more).
>
> Therefore, at the end of Testy's profile, he would write something like:
> "
> Please encrypt all sensitive messages, including shipping address, using my PGP key below:
>
> First18: hIwDfNaI6o1RN6sBA/
> (when encrypting messages to me, please make sure the first 18 characters match above before sending)
>
> -----BEGIN PGP PUBLIC KEY BLOCK-----
> Version: GnuPG v2.0.17 (MingW32)
> 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=iAq5
> -----END PGP PUBLIC KEY BLOCK-----
> "
>
> (I included the key so you can try it yourself - or, just try on one of your own keys)
> (note: this is a 1024 key for compactness, but it still seems to be 18 characters for longer algorithms like 3072)
>
> To the more experienced SR/PGP users - if you can think of any reason why this is insecure or won't work (e.g. perhaps the first 18 chars are not sufficiently specific) please share, or if you think this warrants a new thread, let me know and I'll make one. Or, if you like this idea and own one of the PGP tutorial threads, copy and paste at will!
>
> Peace

If you want to verify which key was used to encrypt an encrypted message, then try decrypting it -- PGP/GPG will inform you which key-id was used to encrypt a message, e.g.:

-----BEGIN PGP MESSAGE-----

hIwDfNaI6o1RN6sBBACckfLPO848eV+wbbv+lMyKwOyM9DFZpbUCFzNRTLtE/q9/
0JLDIJGcBoacGP3KqMAIA+FU6VkcvsjBlx4630RMrxhAx+BllPK1uUC/bx0jBMAY
VlRT2I5bho9V68DD0FTqLIMgAsROvToApPKj+fCVRPETEX6wAPoqEsNtU547dNJc
Ac/xkQtl90dEI2V7asx9NHIywR2VuNWzxH8KaJOQlZpMwy8T3lFELdmm9wI0/BS1
yUATvCTzuLb3IHrjb2+tpyMiSYbuKGtU0r5OYAlp8JGV4TN/eoHwJ4qJmqY=
=XEd0
-----END PGP MESSAGE-----

gpg --decrypt decrypt_test
gpg: public key is 8D5137AB
gpg: using subkey 8D5137AB instead of primary key D8EFEE5E
gpg: encrypted with 1024-bit RSA key, ID 8D5137AB, created 2013-01-09
      "Testy Teste <teste@tes.ty>"
gpg: decryption failed: secret key not available

Nightcrawler <Nightcrawler@SR>
PGP-Key: 4096R/BBF7433B 2012-09-22
Key fingerprint = D870 C6AC CC6E 46B0 E0C7 3955 B8F1 D88E BBF7 433B
http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090
Title: Re: PGP Basic Etiquette
Post by: pestlepete on January 09, 2013, 10:54 pm

> How about, when sharing your public key, also share the first 18 ASCII characters of ciphers addressed to you?

> If you want to verify which key was used to encrypt an encrypted message, then try decrypting it -- PGP/GPG will inform you which key-id was used to encrypt a message, e.g.:


Cool, thanks, NC, but that doesn't appear to work if you have not imported the public key (e.g. if a buyer just tries to send you their address, accidentally encrypts it to themselves, and has not given you their key yet, you will only get the subkey ID, not the name). Also, it only seems to work in the terminal, not via any GUIs I've tried (I assume most buyers will be using a GUI).

Also, it requires an extra step before sending the message (in the case that a newer PGP user wanted to verify before sending).

My intention was to make this self-check available at a glance, especially for beginning users who don't know keys from ciphers; this is also to help such users learn basic encryption without having to ask for help ("did I do this right?" - now they can check for themselves).
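Added example, not part of the thread: the self-check pestlepete is after, and the key ID lookup Nightcrawler gets from a failed decryption, can both be done by reading the message itself. Every OpenPGP encrypted message opens with one Public-Key Encrypted Session Key packet per recipient, and that packet carries the recipient's 64-bit key ID in the clear; that is why gpg above could name key 8D5137AB before failing for lack of the secret key, and `gpg --list-packets` prints the same information with no key imported at all. The Python script below, written for this page rather than taken from any tool, parses those packets out of an armored message, verifies the armor CRC (a mismatch means the block was damaged in a copy-and-paste, a common reason a vendor "can't decrypt"), and lists every recipient, so a sender can confirm a message went to the vendor's key, to themselves as well (LouisCyphre's encrypt-to-self setting, quale's two-key message), or to a hidden recipient. It also shows what the thread's two samples for the same key already hint at: they begin "hIwDfNaI6o1RN6sBA/" and "hIwDfNaI6o1RN6sBBA", because only the first 16 base64 characters (packet header, key ID, algorithm) are fixed by the key, while characters 17 and 18 encode the bit length of the RSA ciphertext, which changes from message to message. The sample message is Nightcrawler's test message; the two-recipient message, its key IDs and the placeholder MPIs are constructed here and are not real ciphertext.

```python
"""Read recipient key IDs off an OpenPGP message without decrypting it, by
parsing the Public-Key Encrypted Session Key (PKESK) packets that open every
encrypted message (RFC 4880 sections 4.2, 5.1 and 6.1). SAMPLE is the message
posted in the thread; everything marked "constructed" is made up here."""
import base64

CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB
PK_ALGOS = {1: "RSA", 2: "RSA-encrypt-only", 16: "Elgamal", 18: "ECDH"}  # RFC 4880 9.1
SAMPLE = """\
-----BEGIN PGP MESSAGE-----

hIwDfNaI6o1RN6sBBACckfLPO848eV+wbbv+lMyKwOyM9DFZpbUCFzNRTLtE/q9/
0JLDIJGcBoacGP3KqMAIA+FU6VkcvsjBlx4630RMrxhAx+BllPK1uUC/bx0jBMAY
VlRT2I5bho9V68DD0FTqLIMgAsROvToApPKj+fCVRPETEX6wAPoqEsNtU547dNJc
Ac/xkQtl90dEI2V7asx9NHIywR2VuNWzxH8KaJOQlZpMwy8T3lFELdmm9wI0/BS1
yUATvCTzuLb3IHrjb2+tpyMiSYbuKGtU0r5OYAlp8JGV4TN/eoHwJ4qJmqY=
=XEd0
-----END PGP MESSAGE-----
"""

def crc24(data: bytes) -> int:
    """Armor checksum, RFC 4880 section 6.1 (CRC-24/OPENPGP)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def dearmor(text: str):
    """Return (packet_bytes, crc_ok); a CRC mismatch means a damaged paste."""
    lines = [l.strip() for l in text.splitlines()]
    begin = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP"))
    end = next(i for i, l in enumerate(lines) if l.startswith("-----END PGP"))
    # drop blank lines and armor headers such as "Version: GnuPG ..." (base64 has no ':')
    inner = [l for l in lines[begin + 1:end] if l and ":" not in l]
    crc_line = inner.pop() if inner and inner[-1].startswith("=") else None
    body = base64.b64decode("".join(inner))
    crc_ok = crc_line is None or int.from_bytes(base64.b64decode(crc_line[1:]), "big") == crc24(body)
    return body, crc_ok

def read_packet_header(buf: bytes, pos: int):
    """Header at pos -> (tag, body_start, body_len); old-format headers (what
    GnuPG emits for PKESK) and fixed-length new-format headers."""
    ctb = buf[pos]
    if not ctb & 0x80:
        raise ValueError(f"offset {pos}: not an OpenPGP packet header")
    if ctb & 0x40:                                   # new-format header
        tag, first = ctb & 0x3F, buf[pos + 1]
        if first < 192:
            return tag, pos + 2, first
        if first < 224:
            return tag, pos + 3, ((first - 192) << 8) + buf[pos + 2] + 192
        if first == 255:
            return tag, pos + 6, int.from_bytes(buf[pos + 2:pos + 6], "big")
        raise ValueError("partial-length packets not supported")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03       # old-format header
    if ltype == 3:
        raise ValueError("indeterminate-length packets not supported")
    nbytes = 1 << ltype                              # 1, 2 or 4 length octets
    return tag, pos + 1 + nbytes, int.from_bytes(buf[pos + 1:pos + 1 + nbytes], "big")

def recipients(body: bytes):
    """(key_id, algorithm) for each leading PKESK packet; an all-zero key ID
    is a hidden recipient (gpg --hidden-recipient / --throw-keyids)."""
    found, pos = [], 0
    while pos < len(body):
        tag, start, length = read_packet_header(body, pos)
        if tag != 1:                                 # first data packet: stop
            break
        pkt = body[start:start + length]
        if pkt[0] != 3:
            raise ValueError(f"unsupported PKESK version {pkt[0]}")
        key_id = pkt[1:9].hex().upper()
        found.append(("hidden" if key_id == "0" * 16 else key_id, PK_ALGOS.get(pkt[9], f"algo {pkt[9]}")))
        pos = start + length
    return found

def make_pkesk_stub(key_id_hex: str, mpi_bits: int) -> bytes:
    """Constructed RSA PKESK whose session-key MPI is exactly mpi_bits long;
    the MPI value is a placeholder, not a real ciphertext."""
    mpi = (1 << (mpi_bits - 1)).to_bytes((mpi_bits + 7) // 8, "big")
    body = b"\x03" + bytes.fromhex(key_id_hex) + b"\x01" + mpi_bits.to_bytes(2, "big") + mpi
    if len(body) < 256:
        return bytes([0x84, len(body)]) + body                  # 1-byte length
    return bytes([0x85]) + len(body).to_bytes(2, "big") + body  # 2-byte length

def armor_prefix(packets: bytes, n: int = 18) -> str:
    return base64.b64encode(packets).decode()[:n]    # first n armor characters

def constructed_two_recipient_message() -> bytes:
    """Constructed: a 4096-bit vendor key plus a hidden copy to self (2048-bit),
    then a minimal tag-18 data packet. Both key IDs are invented."""
    return (make_pkesk_stub("0123456789ABCDEF", 4096)
            + make_pkesk_stub("0000000000000000", 2048)
            + bytes([0xD2, 0x01, 0x01]))

if __name__ == "__main__":
    body, ok = dearmor(SAMPLE)
    print("armor CRC:", "ok" if ok else "MISMATCH, block damaged in transit?")
    for key_id, algo in recipients(body):
        print(f"sample: encrypted to {key_id} ({algo})")
    # "First18" is fixed only up to 16 characters: 17-18 carry the RSA
    # ciphertext's bit length, which changes from message to message.
    for bits in (1024, 1023):
        print(f"{bits}-bit ciphertext:", armor_prefix(make_pkesk_stub("7CD688EA8D5137AB", bits)))
    for key_id, algo in recipients(constructed_two_recipient_message()):
        print(f"constructed: encrypted to {key_id} ({algo})")
```

Run it as is and it reports the thread's sample as encrypted to key 7CD688EA8D5137AB (whose short form, 8D5137AB, is what gpg printed above) and reproduces both of the thread's prefixes from the same key with 1024- and 1023-bit ciphertexts. For a real message of your own, paste the armored block in place of SAMPLE; a "hidden" entry means the sender used a hidden recipient, and two entries mean the message was encrypted to two keys, which is what an encrypt-to-self setting produces.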