Chapter 3. Menu Reference

File Menu

FileNew Certificate... (Ctrl+N)

Creates a new key pair (public and private) and allows to send the public part to a certification authority (CA) for signing. The resulting certificate is then sent back to you, or stored in an LDAP server for you to download into your local keybox, where you can use it to sign and decrypt mails.

This mode of operation is called decentralized key generation, since all keys are created locally. Kleopatra (and GpgSM) do not support centralized key generation directly, but you can import the public/secret key bundle that you receive from the CA in PKCS#12 format via FileImport Certificates... (Ctrl+I) .

FileLookup Certificates on Server... (Ctrl+Shift+I)

Searches for, and imports, certificates from certificate servers into the local keybox. See the section called “Searching and Importing Certificates” for details.

You need to have key servers configured for this to work. See the section called “Configuring Directory Services” for more details.

FileImport Certificates... (Ctrl+I)

Imports certificates and/or secret keys from files into the local keybox. See the section called “Searching and Importing Certificates” for details.

The format of the certificate file must be supported by GpgSM/GPG. Please refer to the GpgSM and GPG manuals for a list of supported formats.

FileExport Certificates... (Ctrl+E)

Exports the selected certificates to a file.

The filename extension you choose for the export file name determines the format of the export file:

  • For OpenPGP certificates, gpg and pgp will result in a binary file, whereas asc will result in an ASCII-armored file.

  • For S/MIME certificates, der will result in a binary, DER-encoded file, whereas pem will result in an ASCII-armored file.

Unless multiple certificates are selected, Kleopatra will propose fingerprint.{asc,pem} as the export file name.

This function is only available when one or more certificates have been selected.


This function exports only the public keys, even if the secret key is available. Use FileExport Secret Keys... to export the secret keys into a file.

FileExport Secret Keys...

Exports the secret key to a file.

In the dialog that opens, you can choose whether to create a binary or an ASCII-armored export file (ASCII armor). Next click on the folder icon at the right hand side of the Output file text box and select folder and name of the export file. When exporting S/MIME secret keys, you can also choose the Passphrase charset. See the discussion of the --p12-charset charset option in the GpgSM manual for more details.

This function is only available when exactly one certificate has been selected, and the secret key for that certificate is available.


It should rarely be necessary to use this function, and if it is, it should be carefully planned. Planning the migration of a secret key involves choice of transport media and secure deletion of the key data on the old machine, as well as on the transport medium, among other things.

FileExport Certificates to Server... (Ctrl+Shift+E)

Publish the selected certificates on a keyserver (OpenPGP only).

The certificate is sent to the certificate server configured for OpenPGP (cf. the section called “Configuring Directory Services”), if that is set, otherwise to

This function is only available if at least one OpenPGP (and no S/MIME) certificates have been selected.


When OpenPGP certificates have been exported to a public directory server, it is nearly impossible to remove them again. Before exporting your certificate to a public directory server, make sure that you have created a revocation certificate so you can revoke the certificate if needed later.


Most public OpenPGP certificate servers synchronize certificates amongst each other, so there is little point in sending to more than one.

It can happen that a search on a certificate server turns up no results even though you just have sent your certificate there. This is because most public keyserver addresses use DNS round-robin to balance the load over multiple machines. These machines synchronize with each other, but usually only every 24 hours or so.

FileDecrypt/Verify Files...

Decrypts files and/or verifies signatures over files.

FileSign/Encrypt Files...

Signs and/or encrypts files.

FileClose (Ctrl+W)

Closes Kleopatra's main window. You can restore it from the system tray icon at any time.

FileQuit (Ctrl+Q)

Terminates Kleopatra.