Online PGP Key Creation Tools: Are There Risks?

Updated on:
An overview of online PGP creator tools and the risks associated with them.

Using Pretty Good Privacy (PGP) as the information encryption standard is a necessity on the dark web. In fact, PGP should be used a whole lot more than currently is the norm—emails sent without PGP are easily intercepted and it is highly probable that all law enforcement has fast, simple methods for taking hold of these messages.

Day to day life may not “need” PGP per se, but we should actually be using it for inane tasks as a method of “clouding the water,” especially within the current debate about “going dark.”

There are many ways to create and store a PGP key, but the easiest are not necessarily the best.

Online services will generate your public and private keys; however, is this “online” method of PGP key creation trustworthy? Should we be entrusting something as important as our PGP private key to these online services?

Pretty Good Privacy

The encryption standard PGP has been in the news lately after a security scare. Regardless of this, the backbone itself is still solid, and you should still trust PGP to take care of any communications.

Dark Web News has a full guide to help you get you started using PGP if you are unsure how to secure your messages.

Your TOR usage is being watched

It’s an important skill that you’ll likely need if you’re communicating with anyone on the dark web, and it can also sign and encrypt files too.

The normal “offline” method for generating PGP keys is the one we describe in our guide: it should be done on your computer and the process for creating the keys, storing the private key files, is all local.

Local PGP Key Creation

There is a good operational security reason for creating your PGP keys offline in a shell. It’s the same reason that depending on your calculated risk level, you probably wouldn’t be too keen on storing your passwords for any dark web marketplace accounts on major cloud providers’ servers, like Google Drive.

These cloud services are essentially a computer that is not in your control. Granted, you might have the keys to the castle, but you’re just a tenant, and the landlord can change the locks at any time (even with your stuff in it).

Regardless of who you are, it would not be wise to store passwords this way. It is always safer to store passwords locally.

Online: Fast and Easy Methods

Using Pretty Good Privacy (PGP) as the information encryption standard is a necessity on the dark web.

It takes seconds to do a quick online search to find multiple “PGP key generators.” It takes only a few more seconds to complete the job: hit enter and you’ve got your public and private key waiting for you to just cut, paste and save.

No hidden key folders and messing about in a shell window. There is even one online PGP service marketed directly towards dark web users.

Each of these online key generators follow the same basic JavaScript function (based on the page sources).

They all promise that “no logs are kept” and there are “no third-party trackers,” which is all well and good to promise, but trust is the single most important factor when interacting with any online service. How can we really trust these services to protect us from any snooping?

We further examined the basic code behind one of these sites. The key generation at a relatively high-ranking PGP generator is entirely client side—running the algorithmic process within the confines of the browser you’re using.

The active process itself embedded in the site’s source does show that the form completes its function browser side.

This then may not be a question of trusting a site that completes the task of key generation for you, but rather, a question of trusting the browser you’re using.

The issue of trusting an online PGP generator can quickly move to the issue of trusting your browser.

The whole thing melts into a puddle on the ground, because well, how long is that piece of string?

The Browser: Powering the Action

Web browsers see it all. They are the core “requester” and “receiver” of information when you interact online.

They therefore are constantly poked and prodded, and sometimes entirely ripped apart by security researchers and hackers alike.

The recent wave of malware that likely affects users of the dark web in the most significant way would be the cryptojacking malware from cross-site scripts.

Scripts are called from your browser, requesting maximum output of a victim’s CPU to mine the cryptocurrency Monero (a cryptocurrency which suits this type of mining due to the algorithm selected by the coin’s developers).

When there are so many ways to pop a browser, regardless of what operating system you’re on, is it really worth trusting the browser to complete this particular job?

Do you really want the browser—the window primarily used for everything you do online—to be the thin line between your real-life identity and the one used on the dark web?

PGP for users of the dark web is a necessity. It’s something that is required whenever you only want to communicate with whoever you perceive to be on the other end.

Dark web sites do not use certificates to create https connections between your machine and the site’s secure database. You need to take the task of encryption into your own hands, and in doing so, you can truly be securing yourself.

We know that messages encrypted with PGP is out of reach of even the most powerful “alphabet” agencies on earth.

Risk to Cost Ratio: Good OpSec

It seems like such a minute difference between the browser and an internal shell performing a straightforward key generation.

Yet there is a significant benefit in removing the risk and vulnerability of performing the PGP generation function using a browser.

Why bother? Well, why bother using an alias on a dark web marketplace for a username? Why bother communicating using PGP when sending sensitive information like a real address? Why bother using Tails or Whonix?

Layers. Layers of an onion, just like Tor. Tor uses multiple computer networks to obscure the origin of the server request when your request leaves the Tor network and connects to a website.

One step back from that, the connection is made using the Tor browser, within Tails. Tails is within a virtual machine, and the computer hardware you’re using was bought with cash and used only to browse anonymously.

Every piece counts. Every layer counts. Why then add this unnecessary, simple and lazy risk by exposing your private PGP keys to a web browser and website (despite their policies: what if they’re hacked, for example?).

Don’t use these online services. Generate your keys yourself. It’s all fun and games now, but PGP might become an essential communication tool as the face of the internet changes, and the wallpaper put up by Google, Apple, Amazon and Microsoft starts peeling away, revealing the true power of the surveillance machine built around “our” playground.



Con's education background is law, where he's published on crypto-currency regulation. His opinion editorials range across the relationships between people and technology and the societal challenges it presents. His passion is for information security and the intertwining legal issues
Write for us


The articles and content found on Dark Web News are for general information purposes only and are not intended to solicit illegal activity or constitute legal advice. Using drugs is harmful to your health and can cause serious problems including death and imprisonment, and any treatment should not be undertaken without medical supervision.


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.