How do you extract an email address from a PGP public key?

Investigators extract email addresses by de-armoring the PGP block and parsing the User ID Packet (Tag 13), which contains the self-asserted identity string.

What is a PGP Fingerprint pivot?

A PGP Fingerprint pivot uses the unique 40-character SHA-1 hash of a public key to query external repositories like Keybase.io to find linked social media profiles.

PGP Keys as Digital Fingerprints: How Encrypted Identities Leak Metadata

DATE CREATED: 2026-01-14 READ TIME: 6 min read

KEY INTELLIGENCE: PGP is often viewed as an unbreakable wall. In reality, it is a forensic goldmine. By deconstructing PGP "packets," investigators can extract hidden email addresses, creation timestamps, and software signatures to unmask anonymous actors.

In the world of anonymous dark markets and encrypted messaging, PGP (Pretty Good Privacy) is the gold standard for staying hidden. For decades, it has been the shield that allows individuals to communicate without being heard by anyone else.

However, a shield only works if you know how to hold it. In many investigations, PGP is not a dead end, it is a digital fingerprint. Every PGP key contains a trail of metadata, timestamps, and software signatures that can bridge the gap between an anonymous alias and a real-world identity.

Today, we are breaking down how PGP works, how those with poor operational security (OPSEC) and expose themselves, and how the Digital Shadow PGP Inspector turns raw machine code into a professional forensic report.

1. What is PGP and How is it Created?

At its simplest level, PGP is a way to lock a message so that only one specific person can open it. It uses a system called Asymmetric Encryption, which relies on two different keys:

The Private Key: This is your secret password. You never share it. It stays on your computer.
The Public Key: This is your "Digital Business Card." You give this to everyone so they can lock messages meant for you.

When a user creates a PGP key, they use software like GnuPG (Kleopatra) or ProtonMail. During this process, the user can attach a name and an email address to the key. This information is then bundled into "Packets," which are standardised blocks of data that contain the mathematical "ingredients" of the identity.

Once these packets are created, they exist as raw binary code, a format that computers understand but most communication platforms do not. If you tried to paste raw binary into an email or a forum post, it would appear as broken, garbled nonsense.

To solve this, PGP uses ASCII Armor. This process takes that raw binary data and "wraps" it in a protective layer of printable text characters. It is easily identified by the familiar headers:

-----BEGIN PGP PUBLIC KEY BLOCK-----

Why is it there? ASCII Armor acts as a universal translator. It ensures that your key can be copied, pasted, and sent across any platform, from a darknet forum to a standard Gmail account, without a single bit of data being corrupted or lost. Without this "Armor," the complex digital signatures we rely on would break the moment they were sent over the wire.

2. The OPSEC Failure: Criminal Marketplaces

On a lot of criminal marketplaces such as dark web markets, PGP is mandatory. Vendors use it to protect shipping addresses and payment details. However, poor OPSEC (Operational Security) often turns these keys into a liability.

The Common Mistake: "Identity Bleeding"

Imagine a vendor named ShadowOperator. They create a PGP key to use on a marketplace. Because they are not familiar with PGP, they use their real name, email address or an alternate online persona, not knowing it is embedded into the public PGP key block when they generate the key.

Even if they delete the email address from the "Armor" (the text-based block you see), the UID Packet (Tag 13) buried deep inside the machine code still contains that original data. An investigator using a tool like our PGP Inspector can peel back those layers and find the original email address, providing an immediate link to a real-world account.

Digital investigators will know that pivoting from one data source to another is a key aspect to effective OSINT investigations. To do this with PGP, we must first understand where these keys are stored.

Since a Public Key is meant to be shared, users upload them to Key Repositories. You can think of these as global, searchable "phonebooks" for digital identities.

Standard Keyservers: Sites like keys.openpgp.org act as basic directories. They allow you to find a key if you have an email address, but they don't offer much in the way of "identity."
Keybase.io: This is a specialised identity platform. Unlike a standard keyserver, Keybase is designed to link a cryptographic key to a human being.

Why and How People Use Keybase

In an era of "sock-puppet" accounts and online impersonation, proving you are actually "you" is difficult. Keybase solves this by allowing a user to "claim" their social media identities.

To "verify" an account, Keybase asks the user to post a specific, signed message directly onto their X, Reddit, or GitHub profile. Because only someone holding the matching Private Key could have generated that signature, it creates a "Chain of Trust." When you see that receipt on a GitHub profile, you know that the owner of that GitHub account is the same person who owns that PGP key.

4. Cross Platform Linking using PGP

In a digital investigation, a PGP key is rarely an isolated island of data. If a subject is active in technical or privacy-focused communities, it is possible to pivot from a public key directly to verified social media profiles; this is most commonly achieved through Keybase.io.

How to pivot:

Extract the Fingerprint: Take the anonymous PGP block and run it through a tool such as Digital Shadow's PGP Inspector. These tools are able to extract the Key Fingerprint from within the public key. The fingerprint is a unique, 40-character string linked to that specific PGP Key Pair.
Query the Repositories: Take that Fingerprint and query the various key repositories such as Keybase. The goal is to determine if this specific fingerprint has been used to "claim" any other online accounts.
Corroborate: If the user has a Keybase account where they claim to control a specific Reddit account, review that profile to identify if the signed message appears.

5. Digital Shadow’s PGP Inspector

The PGP Key Analyser and Reporting Tool was designed to bridge the gap between complex cryptographic data and actionable investigative intelligence. Most standard PGP decoders provide a raw dump of technical data that is difficult to interpret. Digital Shadow's PGP Inspector was designed to be user friendly and capable of being used by first time investigators

Automated Analysis and Parsing

The Inspector is engineered to automatically parse the public key to identify the most critical markers for an investigation. Instead of requiring a manual search, the tool automates lookups against multiple public key repositories, including keybase.io, simultaneously. The results are then consolidated into a clean, intuitive interface that highlights three primary areas:

Cryptographic Fingerprinting: The unique 40-character Fingerprint is extracted. This serves as the permanent "Digital DNA" of the key, allowing investigators to track the same identity across different platforms even if their profile name changes.
Software and Environment Profiling: By analysing "Cipher Preferences", the specific sequence of algorithms a key is configured to use, the tool can potentially identify the creator's technical environment. This helps distinguish between keys generated on desktop suites like GnuPG (Kleopatra) and those created via web-based services like ProtonMail.
Temporal Information: The tool extracts the precise creation timestamp from the key’s internal packets. This metadata is vital for establishing a timeline of events and correlating the key's creation with other digital footprints, such as server logs or forum activity.

Bridging the Communication Gap

In many investigations, the greatest challenge is not finding the data, but explaining it. Technical evidence involving PGP packets and hexadecimal offsets is notoriously difficult to communicate to non-technical stakeholders, such as management or legal teams.

This tool addresses that challenge by generating a comprehensive PDF report. This document is designed to translate machine-level data into a narrative that is easy to understand without sacrificing technical accuracy.

Each report includes:

Decode Key Information: A plain-English summary of information contained within the public key.
Evidence Stream: The raw data, including hexadecimal offsets, which allows any independent examiner to verify the tool's findings bit-by-bit using standard forensic methods.
Corroboration Data: Details on the specific repositories and methods used during the automated lookup, ensuring the process is transparent and repeatable.

By providing the raw evidence alongside the interpreted results, the tool ensures that the findings are not just a "black box" output, but a verifiable forensic record that provides confidence in the final attribution.

6. Summary: Technology as a Witness

In digital investigations, PGP keys are often overlooked, but for those with the right tools, they can be a wealth of information. Whether it’s a timestamp, a naively exposed email address, or a Keybase link, the metadata inside a PGP key can be a crucial pivot point.

Where others see encryption, make sure you see into the digital shadows it leaves behind.

HOME