Mail Encryption with PGP or GnuPG

You can encrypt outgoing e-mail with KMail. To encrypt your e-mail, first generate a key pair as described in Chapter Chapter 14, Encryption with KGpg. Then log out and log in again.

Go to Settings -> Configure KMail… -> Security -> Crypto Plugins -> Configure to specify when and with which method your e-mail messages should be encrypted. First, activate the respective module, usually openpgp. Under Location, enter the file name of the crypto library: for OpenPGP, select /usr/lib/cryptplug/ and, for smime, select /usr/lib/cryptplug/ An asterisk must appear in the Active column of the displayed table. Also determine whether an alert should be displayed when you send unencrypted e-mail. To encrypt the attachments as well, select Encrypt all message parts in Settings -> Configure KMail… -> Security -> Crypto Plugins -> Configure.

Once the preferences have been set, click Identities (under Configure KMail). Select the identity with which encrypted or signed messages should be sent and choose Change. Select the Advanced tab in the dialog that opens. Clicking Change for the OpenPGP key entry displays a selection box from which to choose the keys. Confirm with OK. The encryption system is now ready.

The public key must be made available to recipients of a signed message so they can verify its authenticity. It also needs to be accessible to enable others to send encrypted messages to the owner of the key. Public keys can be stored on a public PGP key server, such as

Signing Messages

Create your messages as usual. Before sending the message, click the corresponding icon (second to last) in the toolbar of the window or choose Options -> sign message. The message can then be sent. To sign it, KMail must know your PGP password. However, if you have already provided the password, KMail signs the message without requesting any further information. The results of the PGP signing process can be reviewed in the Sent Messages folder (or in the outbox if you did not use Send now). There, your e-mail should be marked with the notice that it was signed by you.

Checking the Signature of a Received Message

If KMail is able to verify the signature of an e-mail, a green frame with the key ID is displayed. If the signature cannot be verified, a yellow frame with an alert is displayed. This means that you do not have a suitable public key for the signature.

Sending Public Keys

Create a message for the person who should receive your public key. Choose Attach -> Attach Public Key. The mail can then be sent. There is no guarantee that the recipient of a signed message receives the correct key. It is possible that the mail is intercepted on the way to the recipient and is signed with another key. Therefore, the recipient should check the attached key by comparing the finger print with a previously received value. Further information about this can be found in the PGP and GnuPG documentation.

Decoding Encrypted Messages

In KMail, select the message to decrypt. Enter your password when prompted. KMail attempts to decrypt the message. If it was encrypted with your public key, KMail displays it in clear text. If not, you cannot read the e-mail message. KMail saves these e-mail messages encrypted to prevent anyone from reading them without your password.

Encrypting Your Own Messages

To send an encrypted message to a recipient for whom you have the public key, simply write the message in the Create Message window. Before sending the message, click the red key icon in the window's toolbar. Now, the message can be sent. If KMail cannot find a key for the recipient, a list with all available keys is shown. Select the appropriate one from the list or abort the process. KMail also informs you if errors occur during the encryption process. You cannot read encrypted messages if you did not click Always encrypt to self in the Security tab.