
PGP key management is one of the most critical yet frequently misunderstood aspects of secure marketplace participation. This guide covers the full key lifecycle from generation to rotation, based on best practices documented by the cryptography and security research communities.
Key generation should happen offline on a secure system, ideally Tails OS or an air-gapped machine. Generate a 4096-bit RSA key pair or a Curve25519 elliptic curve key pair; the latter is smaller and faster while providing comparable security. Protect the private key with a strong, unique passphrase: the passphrase only protects the key file at rest, but it is the last line of defense if that file is ever exposed.
The public key should be uploaded to the marketplace and shared broadly with vendors and other contacts; share its fingerprint through a second channel so recipients can check that the key they received is really yours. The private key must be kept secret and backed up securely. Create multiple encrypted backups of the private key on encrypted USB drives stored in physically separate locations. Never store the private key in cloud services, email, or any internet-connected system.
Key rotation is recommended annually or after any suspected compromise. Generate a new key pair, sign (certify) the new public key with your old private key so that anyone who already trusts the old key can verify the new one, upload the new public key to the marketplace together with a signed transition announcement, and begin using the new key for all communications. Do not revoke the old key immediately: keep it valid for a transition period so vendors can update their records, and keep it in your keyring so you can still decrypt older messages.
Revocation certificates should be generated at key creation time and stored securely; anyone who holds the certificate can revoke your key, so it needs the same protection as a private-key backup. A revocation certificate lets you publicly announce that a key should no longer be trusted, even if you no longer have access to the private key (lost passphrase, destroyed backups). This is critical if a key is compromised: publish the revocation certificate immediately so that the compromised key cannot be used to impersonate you in phishing messages, and verify that the key now shows as revoked wherever it was published.
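The lifecycle described above (generate, back up, rotate with a cross-certification and a signed announcement, revoke), run end to end with GnuPG. This is an added example, not code from the original guide; it assumes gpg 2.1 or later is on PATH and uses a throwaway keyring under a temporary directory instead of an air-gapped machine. The user IDs, passphrases and file names are constructed placeholders. It goes slightly beyond the text in two places: it builds the Curve25519 option as an ed25519 signing primary plus a cv25519 encryption subkey, and it reuses the revocation certificate that GnuPG 2.1+ writes automatically at generation time (under openpgp-revocs.d, with the armor header deliberately defused by a leading colon) rather than generating one interactively.

```shell
#!/bin/sh
# Added example, not part of the original guide. Assumes gpg >= 2.1 on PATH.
# All names, addresses and passphrases below are constructed placeholders.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping demo"; exit 0; }

# Isolated keyring: nothing here touches the real ~/.gnupg.
GNUPGHOME=$(mktemp -d); export GNUPGHOME
chmod 700 "$GNUPGHOME"
WORK="$GNUPGHOME/work"; mkdir -p "$WORK"
# Loopback pinentry lets the demo pass the passphrase non-interactively.
GPG="gpg --batch --yes --quiet --pinentry-mode loopback"

# 1. Generation: ed25519 primary (certify+sign) plus a cv25519 encryption subkey,
#    both protected by the passphrase. Prints the primary key fingerprint.
gen_key() {  # $1 = user id, $2 = passphrase
  $GPG --passphrase "$2" --quick-generate-key "$1" ed25519 sign 1y >/dev/null
  fpr=$($GPG --list-keys --with-colons "$1" | awk -F: '$1=="fpr"{print $10; exit}')
  $GPG --passphrase "$2" --quick-add-key "$fpr" cv25519 encr 1y >/dev/null
  echo "$fpr"
}

# 2. Revocation certificate: GnuPG wrote one at generation time; its BEGIN line
#    starts with ':' so it cannot be imported by accident. Store a usable copy
#    with the same care as the private-key backup.
save_revocation_cert() {  # $1 = fingerprint, $2 = output path
  sed 's/^:-----BEGIN/-----BEGIN/' "$GNUPGHOME/openpgp-revocs.d/$1.rev" > "$2"
}

# 3. Public key for sharing; private key only for an offline encrypted backup.
export_keys() {  # $1 = fingerprint, $2 = passphrase, $3 = output directory
  gpg --batch --armor --export "$1" > "$3/$1.pub.asc"
  $GPG --passphrase "$2" --armor --export-secret-keys "$1" > "$3/$1.sec.asc"
}

# 4. Rotation: certify the new key with the old one, then clearsign a transition
#    notice with the old key so existing contacts can verify it.
rotate_key() {  # $1 = old fpr, $2 = old passphrase, $3 = new fpr, $4 = notice file
  $GPG --passphrase "$2" --local-user "$1" --quick-sign-key "$3"
  printf 'Transition notice: key %s replaces key %s.\n' "$3" "$1" > "$4"
  $GPG --passphrase "$2" --local-user "$1" --clearsign "$4"   # writes "$4.asc"
}

# Returns 0 if key $1 carries a certification made by key $2.
signed_by() {
  signer_id=$(printf '%s' "$2" | tail -c 16)   # long key id = last 16 hex digits
  gpg --batch --with-colons --list-sigs "$1" \
    | awk -F: -v k="$signer_id" '$1=="sig" && $5==k {found=1} END{exit !found}'
}

# 5. Compromise response: import the stored revocation certificate. Publishing
#    the same certificate is what tells everyone else to stop trusting the key.
revoke_key() { gpg --batch --import "$1" 2>/dev/null; }

# Returns 0 if key $1 is flagged revoked ('r' in the validity field).
is_revoked() {
  gpg --batch --with-colons --list-keys "$1" \
    | awk -F: '$1=="pub" && $2=="r" {ok=1} END{exit !ok}'
}

OLD_PASS="correct horse battery staple"        # placeholder passphrase
NEW_PASS="another long unique passphrase"      # placeholder passphrase

OLD_FPR=$(gen_key "Alice Example (2024 key) <alice@example.invalid>" "$OLD_PASS")
save_revocation_cert "$OLD_FPR" "$WORK/$OLD_FPR.rev.asc"
export_keys "$OLD_FPR" "$OLD_PASS" "$WORK"
echo "generated and backed up $OLD_FPR"

NEW_FPR=$(gen_key "Alice Example (2025 key) <alice@example.invalid>" "$NEW_PASS")
rotate_key "$OLD_FPR" "$OLD_PASS" "$NEW_FPR" "$WORK/transition.txt"
gpg --batch --verify "$WORK/transition.txt.asc" 2>/dev/null
echo "transition notice verified; $NEW_FPR certified by old key"

revoke_key "$WORK/$OLD_FPR.rev.asc"
is_revoked "$OLD_FPR"
echo "old key $OLD_FPR is now revoked"
```

Run it as a plain shell script; it leaves nothing behind except the temporary directory named in GNUPGHOME, which you can delete afterwards. In real use, `export_keys` output would go to encrypted removable media, and the revocation certificate would be published to the marketplace and any keyservers where the public key was uploaded.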