In this guide we explain the basics of what PGP is and everything you need to know to use Kleopatra, one of the most widely used applications for GnuPG. This includes creating a key pair, importing certificates & public keys, signing & encrypting messages, decrypting messages, and verifying signed messages.
I. What is PGP?
An encryption program first released in 1991, PGP is short for “Pretty Good Privacy.” It uses a series of cryptographic algorithms to create a key pair, consisting of a private key and a public key. A modern analogy for PGP is a cryptocurrency wallet, where a private key is needed to spend coins sent to an address that is ultimately derived from the corresponding public key. The ways in which the keys are generated differ, but the concept is the same: anything done with the private key (a signature, a spend) can be checked by anyone who holds the public key, so the private key is what proves control of that public key.
PGP is used not only to encrypt messages so that only the intended recipient can read them, but also to sign messages as a way of proving that content was written by a specific individual or entity. One of the most commonly used and widely available PC applications for PGP is Kleopatra, a free and open-source program for Windows and Linux. Kleopatra is a graphical front end: the cryptography itself is done by GnuPG (GNU Privacy Guard), the free-software implementation of the OpenPGP standard, which Kleopatra drives behind the scenes while managing your certificates for you.
To use PGP for sending and receiving encrypted messages, and for signing messages, you will first need to use Kleopatra to generate a PGP key pair, stored in the application as a certificate. Each PGP key pair consists of two keys:
- Public key. This is your public-facing key that others can use to encrypt messages to be read only by you. Others can also use your public key to verify messages sent by you signed with the corresponding private key.
- Private key. This is your secret key, used to decrypt messages that were encrypted with your public key and to sign messages, proving that you control the key pair.
Even with the default settings in Kleopatra, PGP encryption is considered very secure: there is no known practical way to recover a private key from its public key. In practice the weak points are elsewhere: a private key stored without a passphrase, a passphrase that is easy to guess, or a correspondent’s public key that was never checked against the one they actually hold. Handle those well and PGP is an extremely valuable utility for anyone who values online privacy.
II. Installing Kleopatra
Kleopatra is available for Windows and Linux:
If you are a macOS user, Gpg4win is not available; the usual macOS equivalent of Kleopatra is GPG Keychain from GPG Suite, and the Gnu Privacy Assistant (GPA) is another GnuPG front end that can be downloaded here. For the purposes of this guide, we will be installing the Windows version. On Windows, Kleopatra is distributed as part of Gpg4win (GnuPG for Windows), a package that bundles GnuPG itself with Kleopatra and a few related tools. The installer is about 28 MB, and you will need at least 101 MB of disk space for the installation. The current version of Gpg4win as of January 2023 is 4.1.0. Before running the installer, compare its SHA-256 checksum (in PowerShell, run Get-FileHash on the downloaded file) with the checksum published on gpg4win.org; an installer that does not match was corrupted or tampered with in transit and should not be run.
- After clicking on the Windows download link, the installation file will begin downloading on to your PC. After the download has finished, double-click the file to begin installation. A popup will appear on your screen which asks, “Do you want to allow this app to make changes to your device?” Click “Yes” to proceed.
- You will then be asked which language the installer should use, set to English by default. After selecting your language, click “OK”. A welcome screen will be displayed for the installation.
- Click through the welcome screen to proceed. You will then be asked which components of the package you wish to install on your PC. We recommend sticking with the default selection.
- Press “Next” to continue. You will now be asked to choose a location for the installation. We recommend using the default installation path.
- Press “Install” to continue. The entire installation process should take less than 30 seconds. Press “Next” after the “Installation Complete” message, and you will be brought to the final screen. Leave the “Run Kleopatra” box checked if you want to begin creating or importing PGP keys right away, then press “Finish”.
III. Creating a PGP Key Pair
The first time you open Kleopatra, your list of Certificates will be blank. If you later install a newer version of Kleopatra, the certificates already in your GnuPG keyring will be shown in this area, which is displayed upon opening by default. To create a PGP key pair, follow these steps:
- If this is your first time using Kleopatra, you will see the following button in the middle of the Certificates screen which can be used to create a new key pair:
- Click on “New Key Pair” to get started. Alternately, you can click on the File tab and select “New OpenPGP Key Pair”.
- Selecting either of these options will open a PGP key creation popup.
The Name is set to your computer account name by default. You will probably want to change it to something else, since this name will be associated with your PGP public key and travel with it wherever you publish it. Also displayed is the option to associate an email address with the key. Both fields are optional. We recommend checking the box to protect the key with a passphrase: the private key is stored as a file on your computer, and the passphrase is the only thing that stops someone who copies that file (another user of the machine, malware, or whoever finds a lost backup) from using it. You must remember this passphrase, however; there is no recovery mechanism, and losing it locks you out of your own key pair.
For most purposes, the Advanced Settings do not need to be changed, but you may want to change the expiration of your key pair. Clicking on “Advanced Settings” reveals the following options set by default:
Notice the key is set to be generated with ECDSA/EdDSA ed25519 (for signing) and ECDH cv25519 (for encryption) by default. These are modern elliptic-curve algorithms; the chance of such a private key being brute-forced, or of it colliding with another user’s existing key, is negligible. It is not recommended that you adjust the Key Material settings unless absolutely required. You may, however, want to extend the period of validity for your key, or make it non-expiring. You can set the expiry date longer or shorter than one year as desired, or remove expiry altogether by unchecking the box next to “Valid until:”.
Doing so means you will never have to extend the validity period, but an expiry date is a safety net: if you ever lose the key or its passphrase and cannot revoke it, other people’s software will stop encrypting to it once it expires. Leave the key expirable unless you have a reason not to (the date can be extended later). Press “OK” if you are satisfied with your key creation settings. Then press “OK” again from the main creation popup to begin creating your key pair.
- After a few seconds, you will see a new popup informing you that the key pair has been created, and it will be added to the list of certificates in Kleopatra.
- Press “OK” to close the popup. You have now created your first PGP key and can begin signing and decrypting messages.
IV. Importing a PGP Key Pair
These instructions are for users who already have a PGP certificate and want to import it into Kleopatra. To do this, complete the following steps:
- Click on the “File” menu option and then select “Import”.
- Next, select the certificate file on your computer which you wish to import. It will usually have an extension such as .asc, .gpg, .pgp, .cer or .cert, and will be visible to Kleopatra as a selectable option. A file that contains your private key should only ever come from a backup you made yourself. Upon opening the file, you will see the following popup:
If you are sure this is your certificate, click “Yes, It’s Mine” to proceed. The key will then appear in your list of Imported Certificates in the Certificates menu.
Press “OK” to close the popup. You can now decrypt and sign messages with this certificate.
V. Locating Your Public Key
To find the PGP public key of a newly created or imported certificate, double-click the certificate in the list. This will bring up basic details of the certificate.
Click the “Export” button. This will bring up the text of your PGP public key, which will look something like this:
Select the entire contents and copy them to your clipboard, then paste them into a text document. You can name the document something like “PGP – YourUsername” to help you remember what account the key belongs to. This is your PGP public key that others will need in order to encrypt messages which can be read only by you.
Note that the lines beginning with “Comment:” (or “Version:”) are armor headers; they aren’t part of the key and can be deleted if you do not want to reveal extraneous information. Everything else must be kept intact when uploading or attaching a public key: the “-----BEGIN PGP PUBLIC KEY BLOCK-----” and “-----END PGP PUBLIC KEY BLOCK-----” lines, the block of text that begins with the letter “m”, and the short final line starting with “=”, which is a checksum over the key data. The leading “m” is simply how the first byte of an OpenPGP public-key packet encodes in base64; a block that begins with “-----BEGIN PGP PRIVATE KEY BLOCK-----” (with a body starting with “l”) is your secret key and must never be shared.
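To make the structure just described concrete, here is an added example (written for this guide, not code from Kleopatra or GnuPG) in Python that parses an ASCII-armored block the way GnuPG does: it checks the BEGIN/END lines, separates the armor headers, decodes the base64 body, verifies the “=” checksum line (the CRC-24 from RFC 4880) and reads the tag of the first OpenPGP packet, which is what distinguishes a public key block from a secret key block or an encrypted message. The sample blocks it works on are constructed stand-ins carrying nothing but a valid packet header and a few filler bytes, not real keys or messages; the function names (dearmor, safe_to_publish and so on) are this example’s own. The same check applies to the encrypted message blocks in Sections VI and IX.

```python
import base64
import re

# CRC-24 from RFC 4880 section 6.1: the "=XXXX" line at the bottom of an
# armored block is this checksum over the decoded bytes, base64 encoded.
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

# OpenPGP packet tags (RFC 4880 section 4.3) that matter for this guide.
PACKET_NAMES = {
    1: "public-key encrypted session key (start of an encrypted message)",
    2: "signature",
    5: "secret key",
    6: "public key",
}

def crc24(data: bytes) -> int:
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def first_packet_tag(data: bytes) -> int:
    """Tag of the first packet (RFC 4880 section 4.2).
    Old-format header byte is 10TTTTLL, new-format is 11TTTTTT."""
    if not data or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    if data[0] & 0x40:
        return data[0] & 0x3F
    return (data[0] >> 2) & 0x0F

def armor(data: bytes, block_type: str, headers=None) -> str:
    """Build an armored block (RFC 4880 section 6.2) in the shape Kleopatra exports."""
    b64 = base64.b64encode(data).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    hdr = "".join(f"{k}: {v}\n" for k, v in (headers or {}).items())
    return (f"-----BEGIN PGP {block_type}-----\n{hdr}\n{body}\n={crc}\n"
            f"-----END PGP {block_type}-----\n")

def dearmor(text: str) -> dict:
    """Check BEGIN/END, collect headers, decode the body, verify the CRC-24.
    Raises ValueError on anything malformed."""
    lines = [ln.rstrip("\r") for ln in text.strip().splitlines()]
    begin = re.fullmatch(r"-----BEGIN PGP ([A-Z ]+)-----", lines[0])
    if not begin or lines[-1] != f"-----END PGP {begin.group(1)}-----":
        raise ValueError("missing or mismatched BEGIN/END lines")
    headers, i = {}, 1
    while i < len(lines) - 1 and re.match(r"[A-Za-z-]+: ", lines[i]):
        key, _, value = lines[i].partition(": ")
        headers[key] = value
        i += 1
    body_lines = [ln for ln in lines[i:-1] if ln]   # drops the blank separator
    if not body_lines:
        raise ValueError("empty body")
    crc_line = body_lines.pop() if body_lines[-1].startswith("=") else None
    data = base64.b64decode("".join(body_lines), validate=True)
    if crc_line is not None:
        want = int.from_bytes(base64.b64decode(crc_line[1:], validate=True), "big")
        if want != crc24(data):
            raise ValueError("CRC-24 mismatch: block altered or pasted incompletely")
    tag = first_packet_tag(data)
    return {"type": begin.group(1), "headers": headers, "data": data,
            "tag": tag, "packet": PACKET_NAMES.get(tag, f"packet tag {tag}")}

def strip_comments(text: str) -> str:
    """Drop 'Comment:' armor headers. The CRC covers only the decoded bytes,
    so removing headers leaves the block valid."""
    return "\n".join(ln for ln in text.splitlines() if not ln.startswith("Comment:"))

def safe_to_publish(text: str) -> bool:
    """True only for an intact block whose first packet is a public key."""
    try:
        info = dearmor(text)
    except (ValueError, IndexError):
        return False
    return info["type"] == "PUBLIC KEY BLOCK" and info["tag"] == 6

# Constructed stand-ins, NOT real keys or messages: a valid packet header plus
# a few filler bytes. 0x98 = 1001 1000: old-format header, tag 6, 1-byte length.
FAKE_PUBKEY_BODY = bytes([0x04]) + bytes(4) + bytes([22]) + bytes([0x00, 0x08, 0xAB])
FAKE_PUBKEY_PACKET = bytes([0x98, len(FAKE_PUBKEY_BODY)]) + FAKE_PUBKEY_BODY
FAKE_SECKEY_PACKET = bytes([0x94, len(FAKE_PUBKEY_BODY)]) + FAKE_PUBKEY_BODY  # tag 5
FAKE_ENCRYPTED_PACKET = bytes([0x84, 2, 0x03, 0x12])                           # tag 1

SAMPLE_PUBLIC_KEY_BLOCK = armor(FAKE_PUBKEY_PACKET, "PUBLIC KEY BLOCK",
                                {"Comment": "Anonymous User <anon@example.org>"})
SAMPLE_PRIVATE_KEY_BLOCK = armor(FAKE_SECKEY_PACKET, "PRIVATE KEY BLOCK")
SAMPLE_ENCRYPTED_MESSAGE = armor(FAKE_ENCRYPTED_PACKET, "MESSAGE")

if __name__ == "__main__":
    print(SAMPLE_PUBLIC_KEY_BLOCK)
    for name, block in [("public key", SAMPLE_PUBLIC_KEY_BLOCK),
                        ("private key", SAMPLE_PRIVATE_KEY_BLOCK),
                        ("message", SAMPLE_ENCRYPTED_MESSAGE)]:
        print(f"{name}: {dearmor(block)['packet']}, safe to publish: {safe_to_publish(block)}")
```

Running the file prints the constructed public key block and what the parser makes of each sample. safe_to_publish is the check to run on anything before pasting it into a profile or web page: it refuses a truncated or altered block (the checksum no longer matches), a block whose END line is missing, and any block whose first packet is not a public key.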
VI. Decrypting a Message
In this section we’ll teach you how to decrypt a message that has been encrypted with your public key. A PGP-encrypted message usually looks something like this:
- First, copy the entire contents of the message (including the top and bottom lines that contain the dashes) and paste it into the Notepad section of Kleopatra, like so:
- Next, press the “Decrypt / Verify Notepad” button. If the private key matching the public key the message was encrypted to is in your Kleopatra certificates, the message will be decrypted (after you enter the key’s passphrase, if it has one), and you will see the decrypted text along with a message indicating the decryption was successful.
If the encrypted message was pasted incompletely or otherwise mangled, you will see a “No data” error message above the Notepad. If the message was encrypted to a key whose private half is not in Kleopatra, either because it was never imported or because the message is not addressed to you, you will see a message that says “Decryption failed: No secret key.”
VII. Signing a Message
In this section we explain how to sign a message using one of your PGP private keys. This is done to prove that a message was actually written by the author (key owner) claiming to have written it.
- First, write or paste the message you wish to sign in Kleopatra’s Notepad.
- Next, click the Recipients tab to select the account from which you will be signing the message.
In this instance we have selected “Anonymous User” as the signer and unchecked the “Encrypt for me” and “Encrypt for others” boxes because we are simply signing an unencrypted message.
- After selecting the appropriate account, return to the Notepad tab and press “Sign Notepad”. This produces the signed message, which can then be verified by anybody who possesses the PGP public key for this account. Note that signing does not hide the text: a signed-only message is readable by everyone.
VIII. Importing a Public Key
To verify messages sent by others or encrypt messages to be read by them, you must first import their PGP public key. There are a couple of ways to do this; the easiest is to copy the public key to your clipboard and select Tools->Clipboard->Certificate Import.
Be sure to select the entire contents of the PGP public key you are importing, including the lines with the dashes at top and bottom.
- After copying the public key to your clipboard and selecting “Certificate Import” from the Clipboard section of the Tools menu, you will be greeted with the following popup:
This is a prompt to certify the key, that is, to record in your keyring that you have checked it really belongs to the entity you believe it belongs to. Importing a key proves nothing about who holds it: anyone can generate a key with any name and email address on it. Before pressing “Certify”, compare the fingerprint shown in the next step with one you obtained from the owner through a different channel. Press “Certify” to continue.
- You will now be asked to choose which account you wish to use to certify the certificate you are importing.
Note that a PGP Fingerprint is displayed for the certificate being certified. This is a 40-character hex string (for current “v4” keys, the SHA-1 hash of the public key data) that uniquely identifies the key; the “key ID” often shown elsewhere is just its last 8 or 16 characters. The fingerprint is what you compare against the value the owner has published somewhere you trust independently of the message that delivered the key: in person, over the phone, on their HTTPS website, on a business card. Only certify if the full fingerprint matches. For this example, we have chosen to certify with our main, recently created PGP account (Anonymous User), and we can see that the PGP key belongs to Satoshi Nakamoto. Press “Certify” at the bottom of the screen to proceed.
- You will be greeted with a popup that says “Certification Successful”, and the key will be added as an entry to Kleopatra’s list of certificates. You can now encrypt messages that can only be read by the owner of this certificate’s private key, who in this case is Satoshi Nakamoto. You can also verify messages signed by this keyholder.
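As an added illustration of what the fingerprint is (example code written for this guide, not part of Kleopatra or GnuPG), the Python below derives a v4 fingerprint from a public key packet body as RFC 4880 section 12.2 specifies, shows how the key ID is the tail of it, and compares two fingerprints in a way that ignores the grouping and case differences between tools. The packet body is a constructed stand-in, not a real key, and the function names are this example’s own.

```python
import hashlib
import re

# Constructed stand-in for a v4 public-key packet BODY, not a real key:
# version 4, 4-byte creation time, algorithm 22 (EdDSA), one tiny MPI.
FAKE_PUBKEY_BODY = bytes([0x04]) + bytes(4) + bytes([22]) + bytes([0x00, 0x08, 0xAB])

def normalize(fp: str) -> str:
    """Canonical form: upper-case hex with the spaces or colons that tools
    insert for readability removed."""
    return re.sub(r"[\s:]", "", fp).upper()

def v4_fingerprint(key_body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the two-byte body length and
    the public-key packet body, giving 40 hex characters."""
    prefix = bytes([0x99]) + len(key_body).to_bytes(2, "big")
    return hashlib.sha1(prefix + key_body).hexdigest().upper()

def key_id(fingerprint: str) -> str:
    """The 64-bit 'long key ID' is the last 16 hex digits of the fingerprint;
    the 32-bit 'short ID' is the last 8. Neither is a substitute for the whole."""
    return normalize(fingerprint)[-16:]

def display(fingerprint: str) -> str:
    """Grouped in fours, the way certificate managers usually show it."""
    canon = normalize(fingerprint)
    return " ".join(canon[i:i + 4] for i in range(0, len(canon), 4))

def fingerprints_match(shown_in_kleopatra: str, obtained_out_of_band: str) -> bool:
    """True only when two complete 40-digit fingerprints agree. Comparing
    just the key ID is not enough: 32-bit short IDs can be forged cheaply."""
    a, b = normalize(shown_in_kleopatra), normalize(obtained_out_of_band)
    return len(a) == 40 and a == b

if __name__ == "__main__":
    fp = v4_fingerprint(FAKE_PUBKEY_BODY)
    print("fingerprint:", display(fp))
    print("key ID:     ", key_id(fp))
    print("matches lower-case copy:", fingerprints_match(display(fp), fp.lower()))
    print("matches key ID only:    ", fingerprints_match(fp, key_id(fp)))
```

The point of fingerprints_match is that the comparison must be over the whole 40 digits: changing a single byte of the key body changes the whole hash, so any difference anywhere in the fingerprint means a different key, while a matching key ID alone proves little.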
IX. Encrypting a Message
This section is for encrypting messages using PGP public keys that are not your own. You can encrypt messages to yourself using the “Sign / Encrypt” feature of Kleopatra’s Notepad (as mentioned above).
- After importing the public key of the entity to which you want to send a message (explained in the section above), copy the text of the message you wish to encrypt into your clipboard.
- Select the “Encrypt” option located under the Clipboard section of the Tools menu.
- You will be brought to an Encrypt Mail Message window. Click the “Add Recipient” box toward the bottom of the window to select the public key you will use to encrypt the message. The clipboard route is meant for text; to encrypt files or other binary data, use the Sign/Encrypt entry in the File menu rather than pasting their contents. For the purpose of this example, we will be encrypting a message to Satoshi Nakamoto, the owner of the certificate that was imported in the example above. The message being encrypted is “Hello Satoshi!”
- After selecting the recipient, press “OK”. You will be brought back to the Encrypt Mail Message window, which now displays a warning that reads “None of the selected certificates seem to be your own. You will not be able to decrypt the encrypted data again.” This is expected: the message is encrypted only to the recipient’s key, so your own copy of the ciphertext is unreadable to you. If you want to keep a readable copy, add your own certificate as an additional recipient. Leave the encryption type as OpenPGP (set by default) and click “Next” to encrypt the message. If the imported PGP key is valid, you will be greeted with a message that says “Encryption succeeded.”
- Press “OK” to close the window. The encrypted contents of the message will now be in your clipboard where you can paste them to your intended destination. The encrypted message will look something like this:
Only the owner of the corresponding PGP private key can decrypt this message, which will read “Hello Satoshi!” after decryption. Remember that you will need to transmit the entire output in your clipboard to the recipient in order for them to successfully decrypt it.
X. Verifying a Message
In this section we will teach you how to verify a signed PGP message. This is important for authenticating the source of information. If an entity posts a public key, future correspondence from them in the form of signed messages can be verified with this key by anyone who has a PGP utility like Kleopatra. To verify a signed message, you must first have the PGP public key installed as a certificate in Kleopatra (this process is explained above in Section VIII).
For this example, we will be verifying a message signed by a random internet user named “elfheart.” We have already imported this user’s public key as a certificate into Kleopatra. The signed message appears as follows:
- To verify the message, first copy the entire message and paste it into the Notepad of Kleopatra.
- Next, click the “Decrypt / Verify Notepad” button to verify the message. If the signature is valid (it was made with the private key of an imported, unexpired certificate, and the text has not changed since it was signed), you will see a message above the notepad text that looks like the following, with the text of the message below it:
A valid signature tells you two things: the message was signed by the holder of the private key matching that certificate, and not a character has been altered since. Whether that holder is really “elfheart” is only as certain as your verification of the key’s fingerprint when you imported it. If the signature is not valid, or the signature contents are malformed, you will receive a corresponding error message.
XI. Backing Up Your PGP Certificate
It’s a good idea to back up your PGP certificate so you can install it on another computer or keep a copy on a USB stick or other storage device. This way you can regain access to your PGP key pair if something happens to your computer. You will want to create backups of both the public and the private key of your certificate.
- To create a backup of your public key, right-click the name of the certificate you want to save in the Certificates window, and then click “Export”.
- Next, select the file location on your computer where you want to save the public key and click “Save”.
- Now save the private key by once again right-clicking the same name of the certificate and this time click “Backup Secret Keys”.
- Save this alongside your public key export file, then copy both files to an external drive for safe keeping. The secret-key backup is protected only by the key’s passphrase (and not at all if you set none), so treat the file and the drive as you would the key itself: keep them offline and out of shared folders or cloud-synced directories.
XII. Final Considerations
After reading this guide you should now be able to perform basic PGP operations in Kleopatra. We did not go into subjects like revoking a certificate (which marks the key as no longer to be used, for example after the private key is lost or compromised), changing the end of the validity period (extending or shortening the time before expiration), or changing the certificate’s passphrase, but these are all operations that can be performed in Kleopatra.
It is important to keep in mind that anybody who possesses your PGP private key (the “secret” portion of the certificate) can sign messages as you and decrypt every message that was ever encrypted to your public key, which could be very damaging, depending on what you are using PGP for. For this reason, we strongly recommend protecting your private key with a passphrase (the option is presented during key pair creation and the passphrase can be changed later in Kleopatra). Safeguard your PGP certificate as you would any sensitive digital data, such as credentials to important websites, credit card numbers, or a cryptocurrency private key or wallet seed phrase.
For specific information about PGP and Kleopatra not covered in this guide, we recommend you consult The Kleopatra Handbook, hosted on the software developer’s website, kde.org. You can also read more about PGP and its history here, on the OpenPGP website.