Unsupported Version
This article applies to an unsupported version of Ubuntu.


Needs Expansion
This article is incomplete, and needs to be expanded.


This guide assumes that you have a working knowledge of GnuPG and the command line, and that GPG and KMail are installed in a KDE environment. Detailed information on GnuPG can be found here. More information on KMail can be found on EmailClients.

Set up

Required Packages

Pinentry-Qt provides the front end into which you will type your passphrase.


gpg-agent is a program that caches your private key passphrases for a period of time. Without gpg-agent you'd have to type your passphrase every time you wanted to decrypt an email or file. Since it is recommended that your passphrase be very long, and hard to guess, this can become cumbersome.


Configuring GPG

Uncomment the following line in ~/.gnupg/gpg.conf. If not present, please append it to the file.


Note: Due to a gnupg bug in Feisty, your ~/.gnupg/gpg.conf may not have been created. You can create it by:

cp /usr/share/gnupg/options.skel ~/.gnupg/gpg.conf

Then create the file ~/.gnupg/gpg-agent.conf with the following contents:

pinentry-program /usr/bin/pinentry-qt
default-cache-ttl 1800

You can replace 1800 seconds with a longer period, but it must be less than two hours (7200 seconds). If you wish to cache the passphrase for longer than that, replace default-cache-ttl 1800 with the following block of text, where XXXX is the time in seconds. Remember that there is a trade-off between ease of use and security: the longer the passphrase stays cached, the longer your key can be used from the session without anyone being prompted.

default-cache-ttl XXXX
max-cache-ttl XXXX
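A check for the rule above, as an added example that is not part of the original wiki page: it reads a gpg-agent.conf and reports whether default-cache-ttl is silently capped by max-cache-ttl. The function names are hypothetical; 600 and 7200 seconds are gpg-agent's documented defaults for lines that are absent, and the sample file is constructed.

```shell
#!/bin/sh
# Added example: audit the cache lifetime configured in gpg-agent.conf.
# gpg-agent's documented defaults, used when a key is not set in the file.
DEF_TTL=600     # default-cache-ttl: idle timeout, reset on each use
DEF_MAX=7200    # max-cache-ttl: hard limit, regardless of recent use

# conf_value FILE KEY -> value of the uncommented KEY line (last one wins here)
conf_value() {
    awk -v key="$2" '$1 == key { val = $2 } END { if (val != "") print val }' "$1"
}

# check_cache_ttl FILE -> prints "<verdict> <default-cache-ttl> <max-cache-ttl>"
#   ok      the idle timeout fits under the hard limit
#   capped  the idle timeout exceeds the hard limit, so the passphrase is
#           still dropped after max-cache-ttl seconds; raise both together
#   invalid a value is not a whole number of seconds
check_cache_ttl() {
    ttl=$(conf_value "$1" default-cache-ttl)
    max=$(conf_value "$1" max-cache-ttl)
    ttl=${ttl:-$DEF_TTL}
    max=${max:-$DEF_MAX}
    case "$ttl$max" in
        *[!0-9]*) echo "invalid $ttl $max"; return 2 ;;
    esac
    if [ "$ttl" -gt "$max" ]; then
        echo "capped $ttl $max"
        return 1
    fi
    echo "ok $ttl $max"
}

# Demo on a constructed file holding the two lines given on this page.
sample=$(mktemp)
printf 'pinentry-program /usr/bin/pinentry-qt\ndefault-cache-ttl 1800\n' > "$sample"
check_cache_ttl "$sample"
rm -f "$sample"
```

Run `check_cache_ttl ~/.gnupg/gpg-agent.conf` after editing the file; a `capped` verdict means max-cache-ttl was not raised along with default-cache-ttl.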

Configuring KDE to start gpg-agent on login

In order to use the gpg-agent with KDE, you'll want it to start up and have its environment variables added to KDE's environment before KDE starts. Thankfully, KDE allows us to do this quite easily.

  1. Create the directory ~/.kde/env

  2. Create a file in the directory called gpg-agent.sh with the following contents:

eval "$(gpg-agent --daemon)"

  3. Make the file executable.
  4. Log out of KDE if you're in KDE and log back in.
  5. Create the directory ~/.kde/shutdown

  6. Create a file in the directory called gpg-agent.sh with the following contents:

# the second field of the GPG_AGENT_INFO variable is the
# process ID of the gpg-agent active in the current session
# so we'll just kill that, rather than all of them :)
# (POSIX test and quoting, so this also runs under a plain /bin/sh)
[ -n "${GPG_AGENT_INFO}" ] && kill "$(echo "${GPG_AGENT_INFO}" | cut -d ':' -f 2)"

  7. Make the file executable.

Before proceeding, please test gpg-agent, replacing 0xE95EDDC9 with the ID of your own key:

echo "test" | gpg -ase -r 0xE95EDDC9 | gpg
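If the test above keeps asking for the passphrase on the terminal, the session may not have a usable GPG_AGENT_INFO. The following added example (not part of the original wiki page) checks the variable that the login script exports; the function name is hypothetical, and it assumes the socket-path:PID:protocol layout whose second field the shutdown script above relies on.

```shell
#!/bin/sh
# Added example: sanity-check GPG_AGENT_INFO after logging in to KDE.
# Assumed layout: <socket path>:<agent PID>:<protocol version>

# agent_status INFO -> prints one of:
#   unset      the variable is empty (the env script did not run)
#   malformed  no colon-separated numeric PID in the second field
#   stale      the PID is not a running process of this user
#   no-socket  the agent process exists but its socket file is gone
#   running    PID alive and socket present
agent_status() {
    info=$1
    [ -n "$info" ] || { echo unset; return 1; }
    case "$info" in
        *:*) ;;
        *) echo malformed; return 1 ;;
    esac
    sock=${info%%:*}      # first field: path of the agent's socket
    rest=${info#*:}
    pid=${rest%%:*}       # second field: process ID of the agent
    case "$pid" in
        ''|*[!0-9]*) echo malformed; return 1 ;;
    esac
    # kill -0 sends no signal; it only tests that we may signal the PID.
    kill -0 "$pid" 2>/dev/null || { echo stale; return 1; }
    [ -S "$sock" ] || { echo no-socket; return 1; }
    echo running
}

# Report on the current session.
agent_status "${GPG_AGENT_INFO:-}" || true
```

A `stale` or `no-socket` result after logging back in usually means an old value was inherited while the agent it pointed to has exited, for example one killed by the shutdown script.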

Configuring KMail

  1. Start up KMail
  2. Go to the Settings menu
  3. Select the Security icon on the left hand side
  4. Select the Crypto Backends tab
  5. Make sure OpenPGP (gpg) is in the list, and check the box next to it.
  6. Select the Identities icon on the left hand side
  7. If you haven't already created an identity for yourself, create one now.
  8. Select your identity and click the Modify... button
  9. Select the Cryptography tab
  10. Click on Change... next to OpenPGP signing key and select your preferred key from the list.
  11. Repeat for OpenPGP encryption key if you want to encrypt messages
  12. Make sure the Preferred crypto message format is either Any or OpenPGP/MIME. The inline format is deprecated, and highly annoying to users of mail client software that doesn't support it. Inline is the "old" way of doing things, and the OpenPGP/MIME format is the preferred method.
  13. Click OK in the edit identity window and in the preferences window.


Sending emails

When you compose an email, you will notice an icon depicting a fountain pen drawing a scribble. Click it to sign an email with your private key. The icon next to it depicts a lock and is used to encrypt an email using the recipient's public key.

Reading emails

KMail will automatically validate signatures on a received message. When you receive an encrypted message, you will be prompted to enter your passphrase. Once you have entered it correctly, KMail will display the decrypted contents of the message.


Now you're successfully using KMail to send and receive signed and encrypted messages. Remember that the more people use tools like PGP and GnuPG, the safer the internet can become. You can sincerely tell someone you never sent an email they said you sent because it wasn't signed with your key, and you can send sensitive information safely between your peers with encrypted messages!

Note: If you create Ubuntu packages (no longer required with the Gutsy version of devscripts), please add the following line to ~/.devscripts :


Gutsy Updates

As of gnupg 1.4.6-2ubuntu3 in Gutsy, new installations/users will automatically be configured for gpg to use-agent. Dependencies for KMail have also been adjusted to automatically install gnupg-agent and pinentry-qt. If you want a non-default cache period or you don't want the pinentry window to grab focus you can still make the ~/.gnupg/gpg-agent.conf changes recommended above, but they are not required.

The bottom line is that all of the steps above the Configuring KMail section should no longer be required for new Gutsy installs.


KMailGPGAgent (last edited 2009-08-07 15:08:21 by starcraft.man)