Signing and Encrypting Messages with GnuPG

This is a short introduction on how to set up KMail's GnuPG (GNU Privacy Guard) support; it gives some hints on the use of GnuPG too. It is written for people who are beginners in this area; if you are familiar with the use of GnuPG, you can skip most of the steps.

Please also check out the FAQ item about GnuPG.

Warning

Attachments will not be signed/encrypted if you are using inline OpenPGP. To sign/encrypt attachments, you have to install GnuPG and some necessary libraries. Then, you can decide for each attachment whether it should be signed/encrypted or not.

To set up and use GnuPG support in KMail it is necessary to have GnuPG installed and configured properly. Of course, we cannot give you a full introduction to GnuPG here. We will only mention the steps you must perform to get GnuPG going. For details you should look at The GNU Privacy Handbook.

It is certainly a good idea to study the GnuPG documentation as well as an introduction to public key cryptography. That way you can learn a lot about the basic concepts, which will help you understand what is going on. Many security-related issues you should know about are discussed there as well.

Preconditions

KMail expects that your GnuPG binary is called gpg. If this is not the case for you, just make a symlink.

If you have not yet done so, you must generate a key pair (secret and public keys) for your identity. You may do this using KGpg or Kleopatra, or at the command line with gpg --gen-key. Or you can ask KMail to create a new key pair when you create a new email account. The identity (normally your name followed by your email address in angle brackets, such as John Doe <john@example.com>) and your passphrase are important for the co-operation between KMail and GnuPG.

GnuPG-Related Settings in KMail

Select the Composing tab on the Security settings page. There you will find the following options:

When encrypting emails, always also encrypt to the certificate of my own identity

If this option is off and you want to send an encrypted message to somebody, then you cannot read this message any longer after you have composed and encrypted it. Turn this option on to keep the encrypted messages you send readable for you, too.

Store sent messages encrypted

When this box is checked, sent messages are stored encrypted, as they were sent. This is not recommended, as you will not be able to read the messages any longer if a necessary certificate expires. (Notice that GPG keys do not expire, as a general rule; this caution is primarily relevant for X.509 certificate users.)

Always show the encryption keys for approval

This will always open a dialog that lets you choose the keys used for each recipient when you are sending an encrypted message. If this option is off, KMail will show the dialog only when it cannot find a key for a recipient or when there are conflicting or unset encryption preferences.

When saving as draft, always sign/encrypt as indicated

If this option is on, KMail will automatically encrypt (and/or sign) messages that you save in the drafts folder (when you specify signing/encryption).

Show sign/encrypt indicator in editor

If this option is on, KMail will display an indicator in the composition window to inform you that this message will be signed/encrypted whenever that is the case.

Now that you have set up the encryption tool, you must tell KMail which OpenPGP key you want to use for signing and encrypting messages. To do this, go to the Identities configuration and set the key that should be used via the Cryptography tab in the identity configuration dialog.

Now you can sign outgoing messages. To let people send you encrypted messages, and to let them verify your signature, you must send them your public key, or upload your public key to a public GnuPG key server (so people can fetch your key from the server). To send encrypted messages to other people, or to verify their signed messages, you will need their public keys. You can search for public keys on a public GnuPG key server. Or you can ask your friends to send you one or more of their public keys.

Sign your Messages

Compose your message as usual in the composer window. Before you send the message, check the Sign icon on the toolbar of the composer window, or select Options → Sign Message. Then you can send the message. The identity you are using to write the current message needs to be connected to an OpenPGP key in the Identity section of the Configure dialog. To sign the message, KMail needs to know your GnuPG passphrase. You may be asked to supply it, or, if you have previously given the passphrase to KMail, the message will be signed automatically.

Encrypt your Messages

To send an encrypted message to somebody whose public key is on your gpg key ring, simply create the message in the composer window. Before you send the message, check the Encrypt button in the toolbar of the composer window (or select Options → Encrypt Message). Then send the message.

If you checked the Encrypt button and KMail cannot find a matching key for a recipient, it will allow you to modify your key ring before trying again. If KMail finds more than one trusted key for a recipient, it will display a list containing all matching keys for this recipient. In either case you can select the key(s) which should be used for encrypting this message for the recipient in question.

If you are using a key for the first time, if there are conflicting Encryption Preferences, or if Always show the encryption keys for approval is selected in the Security section of KMail's configuration dialog, the Encryption Key Approval dialog will appear. You can select different keys for the recipients and can set the Encryption Preference for each recipient. The option Encrypt whenever encryption is possible (on the Cryptography tab of the Settings → Configure KMail... dialog) will automatically encrypt your message if there is a trusted key for each recipient.

As mentioned above, you will not be able to read your own encrypted sent messages if you do not check When encrypting emails, always also encrypt to the certificate of my own identity in the settings' Security page.

Send your Public Key

Prepare a message to the person to whom you want to send your public key. Then choose Attach → Attach Public Key in the composer window's menu. This will attach your public key – the one you are currently using – to the message.

Remember that merely signing the message does not guarantee that the receiver gets the correct key. A "man-in-the-middle" attack is possible: somebody could intercept your message, change the attached key, and then sign the message with that other key. The recipient should verify the attached key by checking the key's fingerprint against the one he received from you in a secure way. Alternatively, just ask him to use the key he received to compose and send an encrypted message back to you. If your secret key decrypts that message, he has a copy of your public key. See the GnuPG documentation for further details.

You received an encrypted Message

All you have to do is select the message in KMail. You may be prompted for your passphrase. Then KMail will decrypt the message and show you the plain text, provided the message was encrypted with your public key. If not, you will not be able to read it. By default, KMail stores messages encrypted, so nobody can read these messages without knowing your passphrase or, at a minimum, your login password.

Receiving a Public Key

You can receive a public key as an attachment, or via HTTP, FTP, or a floppy disk. Before you use this key to encrypt a message to the owner of the key, you should verify the key (check its fingerprint or look for trusted signatures); then you can add this key to your public keyring by typing gpg --import filename at the command line. If the key is not certified with another signature that you have already trusted, you cannot use it to encrypt messages unless you sign (certify) the key with your own key.
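The command-line side of the steps described above (the key pair from Preconditions, the exported key from Send your Public Key, and the import, fingerprint check and certification from this section), as an added example that is not part of the KMail handbook. It assumes GnuPG 2.1 or later on PATH; the two identities, their addresses and the message are constructed, and everything runs in temporary keyrings so your own ~/.gnupg is untouched.

```shell
#!/bin/sh
# Added example (not from the KMail handbook): the gpg steps behind
# "Preconditions", "Send your Public Key" and "Receiving a Public Key",
# run in throw-away keyrings so the real ~/.gnupg is never touched.
# Assumes GnuPG 2.1+ on PATH; Alice/Bob and their addresses are constructed.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not found" >&2; exit 1; }
ALICE=$(mktemp -d); BOB=$(mktemp -d)     # one GNUPGHOME per person
cleanup() { for h in "$ALICE" "$BOB"; do GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null || true; done; rm -rf "$ALICE" "$BOB"; }
trap cleanup EXIT
# Preconditions: an unattended equivalent of the handbook's `gpg --gen-key`.
# %no-protection = no passphrase, acceptable only for a disposable demo key.
gen_key() {   # $1 home, $2 real name, $3 email
    GNUPGHOME=$1 gpg --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
}
# Primary-key fingerprint (field 10 of the machine-readable "fpr:" record).
fingerprint() { GNUPGHOME=$1 gpg --with-colons --fingerprint "$2" | awk -F: '/^fpr:/ {print $10; exit}'; }
# Certify (local signature) only when the imported key's fingerprint matches
# one obtained out of band: the check the handbook asks the recipient to make.
certify_if_match() {   # $1 home, $2 email, $3 expected fingerprint
    [ "$(fingerprint "$1" "$2")" = "$3" ] || return 1
    GNUPGHOME=$1 gpg --batch --quiet --quick-lsign-key "$3"
}
# Encrypt stdin to $2 without --trust-model always: in batch mode gpg refuses
# an uncertified key, which is the last point the section makes.
encrypt_to() { GNUPGHOME=$1 gpg --batch --quiet --armor --encrypt --recipient "$2"; }
decrypt_in() { GNUPGHOME=$1 gpg --batch --quiet --decrypt; }
gen_key "$ALICE" "Alice Example" alice@example.com
gen_key "$BOB"   "Bob Example"   bob@example.com
ALICE_FPR=$(fingerprint "$ALICE" alice@example.com)                        # Alice gives this to Bob securely
GNUPGHOME=$ALICE gpg --armor --export alice@example.com > "$BOB/alice.asc"  # what "Attach Public Key" sends
GNUPGHOME=$BOB gpg --batch --quiet --import "$BOB/alice.asc"               # the handbook's gpg --import filename
# Before certification, encrypting to Alice from Bob's keyring fails (non-zero status).
UNTRUSTED_RC=0; printf 'hi\n' | encrypt_to "$BOB" alice@example.com >/dev/null 2>&1 || UNTRUSTED_RC=$?
certify_if_match "$BOB" alice@example.com "$ALICE_FPR"
# The handbook's alternative check: Bob encrypts to the key he received;
# only Alice's secret key can decrypt the result.
DECRYPTED=$(printf 'key check\n' | encrypt_to "$BOB" alice@example.com | decrypt_in "$ALICE")
echo "encrypt before certification rc=$UNTRUSTED_RC; decrypted='$DECRYPTED'"
```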