Nexus is introducing enhanced PGP verification requirements across several platform functions previously left to user discretion. The changes make PGP-signed communications mandatory for vendor dispatch confirmations, dispute response submissions, and account recovery requests. These requirements do not apply to routine browsing or order placement but become active whenever an action involves information that could be used to compromise an account or transaction if intercepted. This guide explains the requirements, how to set up PGP if you have not already, and best practices for key management.
What Is Changing and Why
The existing PGP requirement applied only to vendor-side communications. The expanded requirement extends mandatory signing to additional workflows based on analysis of account compromise patterns. The most common account-takeover vector identified in 2025 was interception of dispatch confirmation messages containing delivery information, followed by social engineering of the support team using that information. A valid signature cannot be produced without the signer's private key, so requiring signed confirmations and follow-up requests lets support reject anything an attacker has fabricated or altered, closing the social-engineering half of this vector. Signing does not hide the message contents, however: a confirmation that must also stay confidential in transit has to be encrypted to the recipient's public key as well as signed.
Dispute response submissions now require PGP signing to prevent tampering. In the old workflow a dispute response was a plain text submission through a web form, so an attacker with temporary access to an account could modify it after submission if the support system allowed edits. A signed submission creates a tamper-evident record: any change to the signed text invalidates the signature, the dispute system rejects a submission whose signature does not verify, and an attacker who holds the account but not the private key cannot produce a valid replacement. Include the dispute identifier and date in the text you sign so that a signed response cannot be lifted into a different dispute.
Setting Up PGP: A Practical Guide
If you do not have a PGP keypair, generate one with GnuPG (GPG), available at gnupg.org. Choose either 4096-bit RSA or Ed25519; Ed25519 gives shorter keys and signatures with no loss of security. Set an expiration date. Two years is a reasonable balance between security and convenience, and an expiration can be extended later as long as you still hold the private key. Protect the key with a strong passphrase that you can remember but do not store on any device. Export the public key in ASCII-armored form and submit it through the PGP section of account settings. Keep the private key in an encrypted file on offline storage; a USB drive kept separately from your daily devices is the recommended approach.
For routine signing, use GPG from the command line or a graphical front-end such as Kleopatra (Windows/Linux) or GPG Suite (macOS). Compose the message in a text editor, clearsign it on the device that holds your private key, and paste the resulting armored output into the relevant platform field. The command is gpg --clearsign message.txt, which writes message.txt.asc containing the readable message followed by the signature block; the platform checks that block against the public key registered on your account, so sign with the same key you submitted. Step-by-step instructions are on the Enter Marketplace page, where the platform's own PGP key is also listed; use that key to verify messages the platform sends you. For a broader guide to using PGP for privacy, see the OPSEC guide.
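The setup and signing steps above, run end to end, as an added example that is not the marketplace's own tooling. It assumes GnuPG 2.1 or later is installed as gpg, builds a throwaway Ed25519 key for a made-up identity (Demo Vendor, demo@example.invalid) in a temporary keyring, and deliberately skips the passphrase for that demo key only; the dispatch message is a constructed sample. It also shows the point made under dispute responses: editing one digit of the signed text is enough for verification to fail.

```shell
#!/bin/sh
# Added example, not the platform's own tooling. Demonstrates the full
# signing workflow with a throwaway Ed25519 key in an isolated keyring.
# Assumes GnuPG 2.1 or later is installed as `gpg`.
set -e

DEMO_HOME=""

# Create an isolated GnuPG home and generate a demo signing key.
# %no-protection (no passphrase) is ONLY acceptable for this throwaway
# key; a real key is created interactively with `gpg --full-generate-key`
# and a strong passphrase, as the guide above requires.
pgp_demo_setup() {
  DEMO_HOME=$(mktemp -d)
  export GNUPGHOME="$DEMO_HOME"
  gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Demo Vendor
Name-Email: demo@example.invalid
Expire-Date: 2y
%commit
EOF
  # Armored public key: this is what gets pasted into account settings.
  gpg --armor --export demo@example.invalid > "$DEMO_HOME/public.asc"
}

# Clearsign a text file. gpg writes "<file>.asc" holding the readable
# message followed by the signature block; that file is what you paste.
pgp_clearsign() {
  gpg --batch --yes --clearsign "$1"
}

# Verify a clearsigned file against the keyring. Exit status is 0 only
# when the signature is good; any edit to the signed text makes it fail.
pgp_verify() {
  gpg --batch --verify "$1" >/dev/null 2>&1
}

# Sign a constructed sample message, verify it, then tamper with the
# signed text (change the order number) and confirm verification fails.
# Prints one line per step: first the original, then the tampered result.
pgp_demo_run() {
  pgp_demo_setup
  printf 'Dispatch confirmation: order 12345 shipped 2025-01-01\n' \
    > "$DEMO_HOME/message.txt"
  pgp_clearsign "$DEMO_HOME/message.txt"
  if pgp_verify "$DEMO_HOME/message.txt.asc"; then
    echo "original: GOOD"
  else
    echo "original: BAD"
  fi
  # Edit only the message line so the armored signature block is untouched.
  sed '/^Dispatch confirmation/s/12345/99999/' \
    "$DEMO_HOME/message.txt.asc" > "$DEMO_HOME/tampered.asc"
  if pgp_verify "$DEMO_HOME/tampered.asc"; then
    echo "tampered: GOOD"
  else
    echo "tampered: BAD"
  fi
  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$DEMO_HOME"
}

# Run the demo when invoked as `sh pgp_demo.sh run` (file name assumed).
if [ "${1:-}" = "run" ]; then
  pgp_demo_run
fi
```

Running it prints "original: GOOD" followed by "tampered: BAD". Nothing in the script touches your real ~/.gnupg because GNUPGHOME points at the temporary directory, which is deleted at the end; for a real key, omit %no-protection, keep the keyring on the offline device described above, and note that GnuPG 2.1 and later writes a revocation certificate for the new key into the openpgp-revocs.d directory of its home directory at creation time.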
Key Management Best Practices
Never store your private key on the same device you use to access the marketplace, and never share it. If the key is compromised, revoke it immediately by importing the revocation certificate generated at key creation (GnuPG 2.1 and later writes it automatically to the openpgp-revocs.d directory of its home directory), submit the revoked public key wherever the old one was registered, and generate a new keypair. Rotate your key every two years as a matter of hygiene, which matches the expiration set at creation. Back up the private key, the revocation certificate and a written copy of the passphrase in at least two physically separate locations, and keep the revocation certificate apart from the private key, since anyone holding it can revoke your key. Losing the private key or its passphrase without a backup is permanent: there is no recovery mechanism, and accounts requiring PGP verification will become inaccessible.