Security guide · April 2026

Nexus Secure Usage
PGP, 2FA, and threat modeling

A practical guide to hardening your Nexus account. PGP key generation, two-factor authentication, Tor configuration, and the threat model that shapes every step.

PGP-based authentication removes many attack vectors that centralized 2FA cannot prevent.
What you will learn
  • Tor Browser configuration for Safest mode
  • PGP key generation and backup strategy
  • 2FA login flow with encrypted challenges
  • Password management with KeePassXC
Foundation

Tor Browser hardening

Every Nexus connection routes through Tor. The browser itself is your first layer of defense. Hardening it correctly prevents most attacks that surface in guides written for careless users.

Step 1: Install and verify the binary

Download Tor Browser directly from torproject.org, not from any mirror or search result. The project publishes GPG signatures for every release. Verify the signature before launching the installer. This step takes two minutes and blocks compromised binaries that search ads sometimes serve.

On Linux, the verification command is straightforward: gpg --verify tor-browser-*.tar.xz.asc. Check that the key gpg reports as the signer is the Tor Project's release signing key (its fingerprint is published on torproject.org), not merely that gpg prints "Good signature". On macOS and Windows, use Kleopatra or the native verification tools to confirm the signature before unpacking.

After installation, update Tor Browser whenever it prompts you to. New CVEs appear constantly, and running a release behind is how passive network observers can fingerprint you.

Step 2: Enable Safest security level

Open the shield icon in the toolbar. Set security level to Safest. This disables JavaScript site-wide, blocks most image formats, and closes timing side channels. Nexus runs without JavaScript, so nothing breaks when you enable this. If a site requires JavaScript at Safest level, that is a reason to leave, not a reason to relax the setting.

The moment you lower the security level, you expose yourself to fingerprinting via fonts, JavaScript timing attacks, and plugin exploits. The friction is the point. Stay at Safest.

While in settings, enable letterboxing (window size becomes one of a standard set), confirm bridge configuration is set to direct connection unless Tor is blocked in your region, and disable all plugins entirely. Plugins are attack surface that sandboxing cannot contain.

Step 3: Circuit isolation and exit node awareness

Tor Browser creates a new circuit for every domain by default, which is correct for Nexus. The circuit display (the icon beside the address bar) shows your current exit node. Mentally note which countries are running relays for your circuits. If an exit is in a jurisdiction with aggressive surveillance, request a new circuit through the menu. You are not stuck with a bad actor for long.

For sensitive work like logging into Nexus, request a new circuit before you paste a mirror link, then confirm the exit location has not moved. Some users prefer to use Tor bridges to hide the fact that they are using Tor at all. The Tor Project publishes bridge addresses for this purpose.

Never use the same Tor circuit across multiple days. Tor itself handles rotation, but if you plan Nexus sessions that span weeks, clear your browser state between visits and request fresh circuits. This defeats correlation attacks based on timing and IP pairs.

Cryptography

PGP key generation and management

Your Nexus account is anchored to a PGP keypair. Generating, backing up, and protecting this key is the most critical step. Lose it, lose the account.

Step 1: Install GnuPG or Kleopatra

On Linux, install from your package manager (apt install gnupg2); on macOS, brew install gnupg. On Windows and macOS you can instead download Kleopatra from gpg4win.org. Kleopatra bundles GnuPG with a GUI, which is easier for key generation than the command line if you have never done this before.

Verify the signature on the Kleopatra installer before you run it. This sounds paranoid, but compromised key management tools are how real attacks happen. The Kleopatra developers sign every release. One extra minute of verification saves you from re-doing this entire process.

Step 2: Generate a 4096-bit RSA key

Open GnuPG or Kleopatra. Create a new keypair. Choose RSA, 4096 bits. Modern hardware generates this in under a minute. Set an expiry date 12 months out. An expiry prevents old keys from leaking into use after your device fails or you abandon this setup.

Use a passphrase you can recall under pressure, not a password manager entry. The passphrase protects your private key, which is your account recovery mechanism. Make it at least 12 characters. If you can remember your first pet's name and a number, use that pattern.

The generated key will have an email address. Use something anonymous like nexus@protonmail.local — nothing that ties the key to your legal identity. Once generated, export the public key as ASCII armor and paste it into your Nexus profile in plaintext.

gpg --full-generate-key
# (choose "RSA and RSA", 4096 bits, expiry 1y, then follow the prompts for name, email, passphrase;
#  plain "gpg --gen-key" skips the algorithm and key-size questions and uses the defaults)
gpg --armor --export nexus@protonmail.local > pubkey.asc
# Now paste the contents of pubkey.asc into your Nexus profile
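
The key generation of Step 2 and the download verification of Step 1 in the Tor Browser section, as one added example (these are not the guide's own commands): a shell script that creates an RSA-4096 key with a 12-month expiry inside a throwaway GNUPGHOME, exports the public key, reads the fingerprint, and verifies a detached signature the way a careful downloader should, checking that the signing key's fingerprint is the expected one rather than stopping at gpg's "Good signature" line. The user id nexus@protonmail.local comes from the guide; the file names, the unprotected demo key, and the use of a locally made key in place of the Tor Project's release key are assumptions for the demo.

```sh
#!/bin/sh
# Added example, not from the Nexus guide. Runs entirely inside a temporary
# GNUPGHOME so your real keyring is never touched. Needs GnuPG 2.1 or later.

# Create (or reuse) the throwaway keyring. mktemp -d gives mode 0700.
init_demo_home() {
  export GNUPGHOME="${GNUPGHOME_DEMO:-$(mktemp -d)}"
  GNUPGHOME_DEMO="$GNUPGHOME"
}

# 40-hex-digit fingerprint of the primary key matching a user id or key id.
fingerprint_of() {              # $1 = user id or fingerprint
  gpg --batch --with-colons --list-keys "$1" 2>/dev/null |
    awk -F: '/^fpr:/ { print $10; exit }'
}

# Primary-key expiry as seconds since the epoch (field 7 of the pub: record).
expiry_of() {                   # $1 = user id or fingerprint
  gpg --batch --with-colons --list-keys "$1" 2>/dev/null |
    awk -F: '/^pub:/ { print $7; exit }'
}

# Step 2 in one command: RSA 4096, default usage (certify+sign primary key plus
# an encryption subkey), expiring in one year. The demo key is deliberately
# unprotected so it runs unattended; a real key must carry a passphrase.
generate_key() {                # $1 = user id; prints the fingerprint
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$1" rsa4096 default 1y 2>/dev/null
  fingerprint_of "$1"
}

# The ASCII-armored public key, i.e. what you paste into a profile.
export_public_key() {           # $1 = fingerprint, $2 = output path
  gpg --batch --armor --export "$1" > "$2"
}

# Stand-in for a release signature: detached, armored, written to FILE.asc.
sign_file() {                   # $1 = signing key fingerprint, $2 = file
  gpg --batch --yes --quiet --local-user "$1" --armor --detach-sign \
      --output "$2.asc" "$2" 2>/dev/null
}

# Step 1 done properly. gpg --verify saying "Good signature" only proves that
# *some* key in your keyring made the signature. The VALIDSIG status line
# carries the primary fingerprint of that key; it must equal the fingerprint
# you got from the publisher's site, or the file is not the publisher's.
verify_download() {             # $1 = file, $2 = .asc signature, $3 = expected fingerprint
  vstatus=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || true
  vsigner=$(printf '%s\n' "$vstatus" |
    awk '/^\[GNUPG:\] VALIDSIG/ { print $NF; exit }')
  [ -n "$vsigner" ] && [ "$vsigner" = "$3" ]
}

main() {
  init_demo_home
  uid="Nexus Demo <nexus@protonmail.local>"          # constructed user id
  fpr=$(generate_key "$uid")
  export_public_key "$fpr" "$GNUPGHOME/pubkey.asc"
  echo "fingerprint:     $fpr"
  echo "expires (epoch): $(expiry_of "$fpr")"
  tarball="$GNUPGHOME/tor-browser-demo.tar.xz"      # constructed stand-in download
  printf 'not a real release\n' > "$tarball"
  sign_file "$fpr" "$tarball"
  if verify_download "$tarball" "$tarball.asc" "$fpr"; then
    echo "signature valid and made by the expected key"
  fi
  if ! verify_download "$tarball" "$tarball.asc" "0000000000000000000000000000000000000000"; then
    echo "valid signature from the WRONG key: rejected"
  fi
}

# Run the demo when executed directly; set PGP_DEMO_NO_MAIN=1 to only load the functions.
[ -n "${PGP_DEMO_NO_MAIN:-}" ] || main
```

Run it with sh and nothing else installed; the keyring it creates lives under /tmp and can be deleted afterwards. The fingerprint comparison in verify_download is the part to carry over to real downloads: import the publisher's key, then pass the publisher's published fingerprint as the third argument.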

Step 3: Offline backup of the private key

Export the private key to an encrypted file. Print two copies of the public key fingerprint on paper, tape one to the inside of a notebook, and store the other in a physically secure location. The fingerprint is short — 40 hex characters — and it fits on an index card.

For the private key itself, generate a paper backup using the paperkey utility. This converts your key into lines of text that you can write or print on paper without encryption. Store one copy in a safe deposit box, the other at home. If your laptop dies and your backup USB is corrupted, the paper backup is your recovery mechanism.

gpg --export-secret-key nexus@protonmail.local | paperkey > secret.txt
# (paperkey reads the binary secret key, so no --armor here; the printout stays protected by your passphrase)
# Two printed copies, two physical locations
gpg --list-secret-keys
# Note the fingerprint for future reference

Step 4: Protect the private key on disk

Your private key lives in ~/.gnupg/. On Linux and macOS, the directory is already protected by file permissions. On Windows, Kleopatra stores keys in a secure location by default. Do not copy the private key to USB sticks lightly — every extra copy is an extra backup point that could be stolen.

If you use multiple machines, consider moving the key to a hardware security key like a YubiKey. Hardware keys make the private key immovable — it cannot be extracted even if the hardware is stolen. For Nexus specifically, you need to decrypt the 2FA challenge at login time, so a hardware key speeds up the workflow.

Two-factor authentication

PGP-based 2FA login

Unlike password-based 2FA, PGP 2FA binds login to a key you physically hold. Credential stuffing and SIM swaps become irrelevant.

How PGP 2FA works on Nexus

When you log in, Nexus presents a short ciphertext encrypted to your public key. You decrypt it locally using your private key and passphrase, then paste the plaintext into the login form. The session opens. This binds login to the physical possession of your private key — not a phone, not an email, not a recovery code written on paper.

The attack surface is much smaller than TOTP-based 2FA. There is no SMS interceptor, no app compromise, no SIM swap threat. The only vulnerability is if your private key is stolen and your passphrase is cracked. That is why the passphrase matters so much.

Store your Nexus username and passphrase in KeePassXC, a password manager designed for offline use. Keep the password manager file on an encrypted disk separate from the one holding your private key. If either store is compromised, an attacker still cannot log into Nexus without the other store.

Enable PGP login in your Nexus settings

Log into Nexus through Tor Browser. Go to Settings → Security → Enable PGP Login Challenge. Paste your public key fingerprint (the 40-character string) as confirmation. From that moment, every login starts with a decryption step.

The first time you try this flow, allow 30 seconds. You are copying ciphertext, opening a terminal, running a decrypt command, copying plaintext, and pasting into the form. After five logins, the process becomes automatic.

gpg --decrypt
# (paste the ciphertext from the Nexus login form, then press Ctrl-D so gpg knows the input has ended)
# (enter your passphrase when prompted)
# (copy the plaintext output)
# (paste into the Nexus login form)

Backup and recovery for 2FA

If you lose your private key, you lose access to the Nexus account. There is no recovery email, no support backdoor, no second factor to fall back on. The friction is intentional. This is why the paper backup matters. This is why storing the passphrase separately in KeePassXC matters.

If your laptop dies and you need to recover the account, retrieve the paper backup of the private key, use paperkey to import it on a fresh machine, and decrypt the login challenge as usual. Do a practice recovery every six months to confirm you have the paper backup in a retrievable location.
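
The paper backup from Step 3 and the rehearsal recovery described here, as one added example (not the guide's own commands): a script that exports a throwaway key through paperkey, restores it into a fresh, empty GNUPGHOME from the paper text plus the public key, and proves the restored key works by decrypting a test message, which is the "generate a test challenge and verify you can decrypt it" check done locally. It needs gpg and paperkey; the user id, file names and unprotected demo key are assumptions for the demo.

```sh
#!/bin/sh
# Added example, not from the Nexus guide. Everything happens under a temp
# directory: "live" is the keyring you would be backing up, "restored" is the
# fresh machine you rebuild on. Needs GnuPG 2.1+ and paperkey.

init_demo() {
  DEMO_ROOT="${DEMO_ROOT:-$(mktemp -d)}"
  LIVE_HOME="$DEMO_ROOT/live"; RESTORED_HOME="$DEMO_ROOT/restored"
  mkdir -p -m 700 "$LIVE_HOME" "$RESTORED_HOME"
}

# Fingerprint of a SECRET key in the given keyring (empty if it is not there).
fingerprint_in() {                          # $1 = GNUPGHOME, $2 = user id or fingerprint
  GNUPGHOME="$1" gpg --batch --with-colons --list-secret-keys "$2" 2>/dev/null |
    awk -F: '/^fpr:/ { print $10; exit }'
}

# Throwaway key standing in for your real one (unprotected so the demo is unattended).
make_demo_key() {                           # $1 = user id; prints fingerprint
  GNUPGHOME="$LIVE_HOME" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$1" rsa4096 default 1y 2>/dev/null
  fingerprint_in "$LIVE_HOME" "$1"
}

# Step 3: paperkey needs the BINARY secret key (no --armor). It drops the public
# parts and writes the secret parts as printable hex with per-line CRCs. The
# public key is exported too: restore needs it, and it is the same key you
# already pasted into your profile.
paper_backup() {                            # $1 = fingerprint, $2 = output directory
  GNUPGHOME="$LIVE_HOME" gpg --batch --export-secret-key "$1" |
    paperkey --output "$2/secret-paper.txt"
  GNUPGHOME="$LIVE_HOME" gpg --batch --export "$1" > "$2/pubkey.gpg"
}

# Recovery on a fresh machine: reassemble public key + paper secrets and import.
paper_restore() {                           # $1 = paper text, $2 = pubkey.gpg, $3 = fresh GNUPGHOME
  paperkey --pubring "$2" --secrets "$1" |
    GNUPGHOME="$3" gpg --batch --quiet --import 2>/dev/null
}

# The rehearsal check: encrypt a message to the restored key and decrypt it
# there. Prints the plaintext only if the restored private key works.
prove_restore() {                           # $1 = fingerprint, $2 = restored GNUPGHOME
  printf 'rehearsal' |
    GNUPGHOME="$2" gpg --batch --quiet --trust-model always --encrypt --recipient "$1" 2>/dev/null |
    GNUPGHOME="$2" gpg --batch --quiet --pinentry-mode loopback --decrypt 2>/dev/null
}

main() {
  command -v paperkey >/dev/null 2>&1 || { echo "paperkey is not installed"; return 1; }
  init_demo
  fpr=$(make_demo_key "Nexus Demo <nexus@protonmail.local>")   # constructed user id
  paper_backup "$fpr" "$DEMO_ROOT"
  echo "paper backup: $(wc -l < "$DEMO_ROOT/secret-paper.txt") lines to print twice"
  paper_restore "$DEMO_ROOT/secret-paper.txt" "$DEMO_ROOT/pubkey.gpg" "$RESTORED_HOME"
  [ "$(fingerprint_in "$RESTORED_HOME" "$fpr")" = "$fpr" ] && echo "restored key matches: $fpr"
  [ "$(prove_restore "$fpr" "$RESTORED_HOME")" = "rehearsal" ] && echo "restored key decrypts: recovery works"
  for h in "$LIVE_HOME" "$RESTORED_HOME"; do GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null; done
}

# Run the demo when executed directly; set PGP_DEMO_NO_MAIN=1 to only load the functions.
[ -n "${PGP_DEMO_NO_MAIN:-}" ] || main
```

For the real six-monthly drill, the paper text is typed or scanned back in, the public key comes from your profile or pubkey.asc, and the import lands in a freshly installed GnuPG; the restored key then has to be unlocked with the passphrase, which is the second thing the drill tests.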

Password management

KeePassXC for offline password storage

Password managers solve two problems: they generate strong unique passphrases, and they do not require an internet connection or account recovery phone number.

Why KeePassXC instead of cloud-based managers

KeePassXC stores passwords in an encrypted file on your disk, not a cloud server. There is no recovery email, no master account to breach. The only way to access your passwords is to possess the file and know the master passphrase. This architecture eliminates the attack surface that cloud-based managers introduce.

For Nexus, store the username and passphrase used to log into the platform. Do not store the PGP private key passphrase in the same file. Separating these two factors means a breach of the KeePassXC database does not give an attacker everything needed to log in.

Setting up KeePassXC

Download from keepassxc.org. Create a new database with a master passphrase you can recall. Create a new entry for your Nexus account. Use the built-in password generator to create a 20-character passphrase with upper, lower, numbers, and symbols. Copy it into the entry and copy it into your Nexus account settings.

Store the KeePassXC database file on an encrypted disk using LUKS on Linux, FileVault on macOS, or BitLocker on Windows. Mount the disk only when you need to access passwords, then unmount it when done. This prevents an attacker with brief access to your machine from extracting the database while it is mounted.

Password rotation for Nexus

Generate a new Nexus passphrase every 90 days. Open KeePassXC, regenerate the password in the Nexus entry, copy it, log into Nexus, and update your account settings. This adds friction compared to cloud managers, but the security tradeoff is worth it. Every successful login is one fewer chance for credential leaks to matter.

Hardened systems

Tails and Whonix for dedicated Nexus access

Running Nexus on a general-purpose operating system means every other application on the machine is a potential leak point. Dedicated systems flip this assumption.

Tails: Amnesia by design

Tails boots from USB and leaves no trace on disk. Every session, you get a clean system. All network traffic routes through Tor automatically. For Nexus access, this means your session is isolated from the rest of your digital life.

Download Tails from tails.net and verify the signature. Create a bootable USB stick using Etcher. Boot into Tails and set up a persistent volume for your .gnupg directory — your PGP keys survive reboot, while everything else vanishes. KeePassXC can also live in the persistent volume if you enable it.

After each Nexus session, shut down. On the next boot, you get a fresh system with no history of what you did previously. This defeats most forensic analysis attacks.

Whonix: Separation of concerns

Whonix runs in virtual machines. One VM is the gateway, routing all network traffic through Tor. The other is the workstation, isolated from the host network. If the workstation is compromised, it cannot leak your real IP.

Whonix is stronger for long-lived setups. If you plan to use Nexus regularly over months, Whonix is worth the setup time. You build a stable Nexus workstation, snapshot it, and restore from the snapshot between sessions. The isolation is tighter than Tails because the host machine and the workstation never touch.

Both Tails and Whonix are strong choices. Tails is simpler (one download, one USB stick), while Whonix is more flexible (persistent workstations, multiple VMs).

Comparing the two systems

Feature        Tails                        Whonix
Threat model   Forensic evasion on exit     IP leak prevention
Persistence    Explicit persistent volume   Full VM snapshots
Setup time     10 minutes                   45 minutes
Suitable for   Occasional Nexus access      Regular, long-term use

Risk assessment

Threat modeling for your situation

Security is useless if it does not match the risks you actually face. Threat modeling means writing down what you are protecting against.

Threat categories for Nexus users

  • ISP-level monitoring — Your internet provider logs all DNS requests and flow data. Tor routes traffic through their network but hides the destination. They know you are using Tor, not which onion sites you visit. Threat level: medium. Defense: Tor Browser + bridges if needed.
  • Device theft — Your laptop or USB stick is stolen. A thief cannot decrypt your disk or read your passwords without the encryption key and master passphrase. Threat level: high. Defense: encrypted disk + strong passphrase + physical backup security.
  • Credential leaks — Your Nexus password appears in a breach from another site. The attacker tries to log into Nexus. They fail because PGP 2FA requires your private key, which they do not have. Threat level: medium. Defense: unique passphrase for Nexus + PGP 2FA.
  • Malware on your general-purpose OS — Malware steals your passwords, logs keystrokes, or reads your private key passphrase as you type. A dedicated system like Tails prevents this entire class of attack. Threat level: high. Defense: Tails or Whonix for sensitive work.
  • Keylogger via USB device — An attacker intercepts a USB stick and implants spyware. This is paranoid, but physical security of backups is part of the threat model. Threat level: low. Defense: store paper backups, not USB backups only.

Building your threat model

Write down: What are you protecting? (Nexus account access). Who are the potential attackers? (ISP, malware, casual theft, law enforcement). What resources do they have? (ISP: network monitoring; malware: system access; theft: physical device access; law enforcement: legal authority + subpoena power).

Once you list the threats, you pick defenses. ISP monitoring → Tor. Device theft → encrypted disk + strong passphrase. Credential leaks → PGP 2FA. Malware → Tails. Every control you add introduces friction, so match the friction to the threat.

If you live in a jurisdiction where Tor use is monitored, bridges become essential. If you are concerned about device forensics, Tails is necessary. If your threat level is low, Tor Browser + PGP 2FA + KeePassXC might be sufficient.

Common questions

Security setup and maintenance

Nine questions covering key management, recovery, and ongoing practice.

What is the minimum passphrase length for a Nexus PGP key?

There is no enforced minimum, but use at least 12 characters. The passphrase protects your private key, so stronger is better. Avoid dictionary words. If you can recall it under pressure, it is strong enough.

Can I use Tails with a persistent volume for my PGP key?

Yes. Set up a persistent volume for your .gnupg directory. Tails handles the encryption automatically. Your PGP keys survive reboot, while everything else vanishes. This balances security and convenience.

How do I verify my GnuPG installation is not compromised?

Run gpg --version from the terminal to confirm which build you are running, then check the signature on the installer you downloaded against the release signing keys published on gnupg.org. Take time over this: a compromised GPG binary defeats everything downstream.

What happens if I forget my PGP passphrase?

Your account is unrecoverable. There is no recovery option. This is why the paper backup exists. If you have a paperkey printout, you can regenerate the key on a fresh machine and restore access within the hour.

Can I store my KeePassXC database in the cloud?

Yes, but only if it is encrypted before upload. Store an encrypted KeePassXC database in Google Drive or Dropbox. The encryption key stays on your local machine. This gives you backup redundancy without cloud service access to passwords.

Should I use a hardware security key like YubiKey for Nexus?

Yes, if you have one. Hardware keys make the private key immovable. It cannot be extracted even if the hardware is stolen. For Nexus, you decrypt the 2FA challenge locally, so hardware key support depends on your OS and tooling. Yubico publishes compatibility lists.

How often should I test my recovery procedure?

Every six months. Retrieve your paper backup of the PGP key, use paperkey to import it on a test machine, generate a test 2FA challenge on Nexus, and verify you can decrypt it. Practicing recovery now prevents panic if you ever need it in an emergency.

What is the difference between a signature and encryption in PGP?

Signature proves identity and integrity — I created this message and it has not been modified. Encryption keeps secrets — only the holder of the private key can read it. Nexus 2FA uses encryption. Mirror verification uses signatures. Both use your key, but in different ways.

Can law enforcement decrypt my Nexus 2FA?

No. Law enforcement can force you to provide your passphrase and unlock your key, but they cannot decrypt PGP messages without your key. This is exactly why the threat model matters. If you live in a jurisdiction with compulsory disclosure, that is a consideration for your backup strategy.

Further reading

External references and tools

Authoritative sources for Tor, PGP, and privacy tools referenced in this guide.

Tor Project

Official Tor Browser downloads, documentation, and network status. The canonical source for Tor security updates.

GnuPG

Free implementation of the OpenPGP standard. Full documentation for key generation, encryption, and signing.

KeePassXC

Offline password manager with no cloud dependency. Stores encrypted databases on your disk.

Tails

Live operating system focused on privacy and amnesia. Boot from USB, leave no trace.

Whonix

Virtual machine operating system with gateway and workstation VMs. Complete IP isolation.

Privacy Guides

Comprehensive guides to privacy tools. Covers Tor, VPNs, messengers, and threat modeling fundamentals.

CryptoNote Protocol

Technical overview of ring signatures, stealth addresses, and privacy properties of Monero.

Signal

End-to-end encrypted messaging. Useful for vendor communication outside Nexus if needed.

Ready to proceed

Secure access to Nexus Market

Your Tor Browser is hardened. Your PGP key is generated and backed up. Your 2FA is enabled. The next step is accessing a verified mirror.