Signing and Encrypting Messages with GnuPG

This is a short introduction on how to setup KMail's GnuPG (GNU Privacy Guard) support; it gives some hints on the use of GnuPG too. It is written for people who are beginners in this area; if you are familiar with the use of GnuPG, you can skip most of the steps.

Please also check out the FAQ item about GnuPG.


Attachments will not be signed/encrypted if you are using inline OpenPGP: to sign/encrypt attachments, you have to install GnuPG and some necessary libraries; then, you can decide for each attachment whether it should be signed/encrypted or not.


KMail has to rely on GnuPG's output; this output is often different between different versions of GnuPG, so it is important that you test if encryption really works with your setup before you start using it seriously. KMail might not warn you if something fails -- enable Show signed/encrypted text after composing.

To setup and use GnuPG support in KMail it is necessary to have GnuPG installed and set up properly; of course, we cannot give you a full introduction of GnuPG here. We will only mention the steps you have to do to get GnuPG going. For details you should have a look at the The GNU Privacy Handbook.

It is certainly a good idea to study this documentation as well as an introduction into public key cryptography: there you can learn a lot about the basic concepts, which will help you to understand what is going on; also, many security related issues you should know about are discussed there.

Now, let us start.


KMail expects that your GnuPG binary is called gpg. If this is not the case for you, just make a symlink.

If you have not done so, you have to generate a key pair (secret and public key) for your identity. Either do that using KGpg or Kleopatra or do this at the command line: gpg --gen-key: KMail has no internal support for gpg's key generation at this time. The identity (normally your name followed by your email address within brackets, such as John Doe <>) and your passphrase are important for the co-operation between KMail and GnuPG.

GnuPG-Related Settings in KMail

Select the Composing tab on the Security settings page; there you will find the following options:

When encrypting emails, always also encrypt to the certificate of my own identity

If this option is off and you want to send an encrypted message to somebody, then you cannot read this message any longer after you have composed and encrypted it. Turn this option on to keep sent encrypted messages readable for you too.

Store sent messages encrypted

When this box is checked, sent messages are stored encrypted like they were sent. This is not recommended, as you will not be able to read the messages any longer if a necessary certificate expires.

Always show the encryption keys for approval

This will always open a dialog that lets you choose the keys used for each recipient when you are sending an encrypted message; if this option is off, KMail will show this dialog only when it cannot find a key for a recipient or when there are conflicting or unset encryption preferences.

Automatically encrypt messages whenever possible

If this option is on, KMail will automatically encrypt messages with the built-in OpenPGP support or the PGP/MIME-Plugin provided that, for every recipient, a trusted PGP key is found in your keyring and you did not tell KMail not to encrypt messages sent to certain recipients. If in doubt, KMail will ask whether the message should be encrypted or not.

Now that you have setup the encryption tool you have to tell KMail which OpenPGP key you want to use for signing and for encrypting messages; to do this go to the Identities configuration and set the key that should be used on the Cryptography tab of the identity configuration.

Now you are able to sign outgoing messages; to let people send you encrypted messages and to let them verify your signature you must send them your public key or upload your public key to a public GnuPG key server so that they can fetch your key from there. To send encrypted messages to other people or to verify their signed messages you will need their public keys; you can store your public key(s) on a public GnuPG key server.

Sign your Messages

You can compose your message as usual in the composer window of KMail. Before you send the message, check the Sign icon on the toolbar of the composer window; then, you can send the message. The identity you are using to write the current message needs to be connected to an OpenPGP Key in the Identity section of the Configure dialog. To sign the message, KMail needs to know your GnuPG passphrase: if you did not select Keep passphrase in memory in the Security section, KMail will ask you for it; otherwise, if you have already given the phrase to KMail, it will sign the message without any further prompt.

Encrypt your Messages

To send an encrypted message to somebody whose public key you have, you simply create the message in the composer window. Before you send the message, check the Encrypt button in the toolbar of the composer window; note that you might not have to check the button if Automatically encrypt messages whenever possible is selected in KMail's configuration (see above). Then send the message.

If you checked the Encrypt button and KMail cannot find a matching key for a recipient, it will display a list containing all available keys in the Encryption Key Selection dialog; if KMail finds more than one trusted key for a recipient, it will display a list containing all matching keys for this recipient. In both cases you can select the key(s) which should be used for encrypting this message for the recipient in question. Using the Remember choice checkbox you can save your selection for future messages.

If you are using a key for the first time, there are conflicting Encryption Preferences, or if Always show the encryption keys for approval is selected in the Security section of KMail's configuration dialog, the Encryption Key Approval dialog will appear; here, you can select different keys for the recipients and can set the Encryption Preference for each recipient. The default option, Encrypt whenever encryption is possible, will automatically encrypt your message if there is a trusted key for each recipient.

As mentioned above, you will not be able to read your own encrypted sent messages if you do not check When encrypting emails, always also encrypt to the certificate of my own identity in the settings' Security page.

Send your Public Key

Prepare a message to the person to whom you want to send your public key; then, choose, in the composer window's menu, AttachAttach My Public Key: this will attach the public key you defined for the current identity to the message. Now you can send the message.

Remember that it is not safe at all if you sign the message to make sure that the receiver will get the correct key: there can be a man-in-the-middle attack, as somebody can change the key and sign the message with that other key. That is why the recipient should verify the attached key by checking the key's fingerprint against the one he received in a secure way from you; have a look at the GnuPG documentation for further details.

You received an encrypted Message

All you have to do is to select the message in KMail. You will be prompted for your passphrase; then, KMail will try to decrypt the message and show you the plain text if the message had been encrypted with your public key: if not, then you will not be able to read it. KMail stores the messages encrypted, so nobody can read these messages without knowing your passphrase.

Receiving a Public Key

You can receive a public key as an attachment or via http, ftp or a floppy. Before you can use this key to encrypt a message to the owner of the key, you should verify the key (check its fingerprint or look for trusted signatures); then, you can add this key to your public keyring by typing gpg --import filename at the command line. If the key is not certified with a trusted signature you cannot use it to encrypt messages unless you have signed the key with your key.