1. Public and private keys
A PGP keypair consists of a public key that others can use to encrypt messages to you, and a private key that you keep secret and use to decrypt them. Many TorZon vendors publish a public key on their profile or in external forum posts.
If a private key is ever exposed, any messages encrypted to that key should be considered compromised, and signatures made with it can no longer be trusted.
2. Fingerprints and verification
A key fingerprint is a short hash of a PGP key that people can compare between websites and messages. TorZon guides often stress that users should check fingerprints from multiple sources before trusting an “official” market or vendor key.
Without fingerprint verification, it is easy for a phishing site or fake forum post to publish its own key and pretend to be legitimate.
3. Encrypting order and support messages
On darknet markets, PGP encryption is used so that even if a database or message queue is seized, outsiders cannot read the contents without the recipient’s private key. This is why TorZon-related material frequently encourages encrypting sensitive notes.
However, encrypted messages can still reveal metadata such as timing, sender/receiver accounts and subject lines, which are often enough to support investigations.
4. Trusting “official” keys
Many markets publish a PGP key they claim is “official” for announcements or mirror lists. Users are expected to verify that key’s fingerprint using out-of-band sources, but in practice this process is error-prone and can be manipulated.
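The fingerprint check from sections 2 and 4, as an added example that is not part of the original page: it computes an OpenPGP v4 fingerprint from a constructed key packet and then compares the copies of a fingerprint collected from several sources, tolerating the spacing and case differences that creep in when a fingerprint is copied around. The tiny RSA modulus and the sample "sources" are constructed placeholders, not real keys.

```python
import hashlib
import struct


def build_v4_key_body(created: int, n: int, e: int) -> bytes:
    """Constructed minimal OpenPGP v4 RSA public-key packet body (RFC 4880 section 5.5.2).
    Real keys carry 2048-bit or larger moduli; the sample values here are placeholders."""
    def mpi(x: int) -> bytes:
        bits = x.bit_length()
        return struct.pack(">H", bits) + x.to_bytes((bits + 7) // 8, "big")
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99 || two-octet body length || body (RFC 4880 section 12.2)."""
    if len(body) > 0xFFFF:
        raise ValueError("key packet body too long for a v4 fingerprint")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def normalize(fp: str) -> str:
    """Strip whitespace and case so 'abcd 1234 ...' and 'ABCD1234...' compare equal."""
    return "".join(fp.split()).upper()


def key_id(fingerprint: str) -> str:
    """The long key ID is the low-order 64 bits, i.e. the last 16 hex digits, of the fingerprint."""
    return normalize(fingerprint)[-16:]


def sources_agree(fingerprints) -> bool:
    """True only when every published copy is the same well-formed 40-hex-digit fingerprint.
    A single differing copy (for example from a phishing mirror) makes the whole set untrusted."""
    norm = {normalize(fp) for fp in fingerprints}
    if len(norm) != 1:
        return False
    fp = norm.pop()
    return len(fp) == 40 and all(c in "0123456789ABCDEF" for c in fp)


if __name__ == "__main__":
    body = build_v4_key_body(1700000000, 0xC0FFEE1234567890ABCDEF, 65537)  # constructed
    fp = v4_fingerprint(body)
    spaced = " ".join(fp[i:i + 4] for i in range(0, 40, 4)).lower()  # as a forum post might show it
    print("fingerprint:", fp, "key id:", key_id(fp))
    print("profile + forum agree:", sources_agree([fp, spaced]))
    print("with a tampered copy:", sources_agree([fp, spaced, "0" * 40]))
```

A key whose fingerprint differs in even one hex digit between sources is a different key, so the comparison is all-or-nothing rather than a similarity score.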