A Complete Guide to PGP and Kleopatra - DarknetOne (2024)

In this guide we explain the basics of what PGP is and everything you need to know to use Kleopatra, one of the most widely used applications for GnuPG. This includes creating a key pair, importing certificates & public keys, signing & encrypting messages, decrypting messages, and verifying signed messages.

I. What is PGP?

An encryption program first developed in 1991, PGP is short for “Pretty Good Privacy.” It uses a series of cryptographic algorithms and techniques to create a key pair, consisting of a private and public key. A modern analogy for PGP would be cryptocurrency keys, where a private key is needed to spend coins sent to an address which is ultimately derived from a corresponding public key. The ways in which keys are generated are different but the concept remains the same: the private key is used to verify ownership of the public key.

PGP is used not only to encrypt messages for selective viewing by an intended recipient but also to sign messages as a way of proving content was written by a specific individual or entity. One of the most commonly used and widely available PC applications for PGP is Kleopatra, a free and open-source program for Windows and Linux. The GnuPG software suite, of which Kleopatra is a core application, is free software that was created to help give computer users privacy and advanced control over their computer operations.

To use PGP for sending, receiving, and signing encrypted messages, you will first need to use Kleopatra to generate a PGP key pair as a certificate stored in the application. Each PGP key pair consists of two keys:

  • Public key. This is your public-facing key that others can use to encrypt messages to be read only by you. Others can also use your public key to verify messages sent by you signed with the corresponding private key.
  • Private key. This is your secret key that is used to decrypt messages encrypted with your public key and sign messages, proving you are the owner of the key pair.

Even using the default encryption settings in Kleopatra, PGP encryption is considered to be very secure, with no known instances of private keys having been reverse-engineered from public keys. This makes PGP an extremely valuable utility for anyone who values online privacy.

II. Installing Kleopatra

Kleopatra is available for Windows and Linux:

If you are a macOS user, there is a rough equivalent of Kleopatra called Gnu Privacy Assistant (GPA) which can be downloaded here. For the purposes of this guide, we will be installing the Windows version. For Windows, Kleopatra is part of a set of utilities known as GnuPG (Gnu Privacy Guard for Windows, or gpg4win). The entire install package is about 28 MB, and you will need at least 101 MB of disk space to extract it. The current version of gpg4win as of January 2023 is 4.1.0.

  1. After clicking on the Windows download link, the installation file will begin downloading onto your PC. After the download has finished, double-click the file to begin installation. A popup will appear on your screen which asks, “Do you want to allow this app to make changes to your device?” Click “Yes” to proceed.
  2. You will then be asked which language you want to install GPG in, set to English by default. After selecting your language, click “OK”. A welcome screen will be displayed for the installation.
  3. Click “Yes” to proceed. You will then be asked which components of the package you wish to install on your PC. We recommend sticking with the default installations.
  4. Press “Next” to continue. You will now be asked to choose a location for the installation. We recommend using the default installation path.
  5. Press “Install” to continue. The entire installation process should take less than 30 seconds. Press “Next” after receiving the “Installation Complete” message. You will then be brought to a screen indicating installation has completed. Leave the “Run Kleopatra” box checked if you want to begin the process of creating or importing PGP keys, then press “Finish”.

III. Creating a PGP Key Pair

The first time you open Kleopatra, your list of Certificates will be blank. When you install new versions of Kleopatra, pre-existing certificates will be shown in this area, which is displayed upon opening by default. To create a PGP key pair, follow these steps:

  1. If this is your first time using Kleopatra, you will see a button in the middle of the Certificates screen which can be used to create a new key pair.
  2. Click on “New Key Pair” to get started. Alternately, you can click on the File tab and select “New OpenPGP Key Pair”.
  3. Selecting either of these options will open a PGP key creation popup.

The Name is set to your computer account name by default. You will probably want to change it to something else. This name will be associated with your PGP public key. Also displayed is the option to associate an email address with the account. Both fields are optional. For those who share access to their computer with others, checking the box to protect the key with a passphrase might be a good idea, but you of course must remember this passphrase, or you will be locked out of your key pair.

For most purposes, the Advanced Settings do not need to be changed, but you may want to change the expiration of your key pair. Clicking on “Advanced Settings” reveals the following options set by default:

Notice the key is set to be generated using ECDSA ed25519 and cv25519 by default. This is a highly secure key generation method, meaning the chances of your private key being cracked or colliding with another user’s pre-existing key are almost non-existent. It is not recommended you adjust the Key Material settings unless absolutely required. You may, however, want to extend the period of validity for your key, or make it non-expirable. You can make the expiry date longer or shorter than one year as desired, or remove expiry altogether by unchecking the box next to “Valid until:”.

Doing this means you will never have to change the end of the validity period, but you may want to leave the key as expirable, depending on the reasons for which you will be using it. Press “OK” if you are satisfied with your key creation settings. Then press “OK” again from the main creation popup to begin creating your key pair.

  4. After a few seconds, you will see a new popup informing you that the key pair has been created, and it will be added to the list of certificates in Kleopatra.
  5. Press “OK” to close the popup. You have now created your first PGP key and can begin signing and decrypting messages.

IV. Importing a PGP Key Pair

These instructions are for users who already have a PGP certificate and want to import it into Kleopatra. To do this, complete the following steps:

  1. Click on the “File” menu option and then select “Import”.
  2. Next, select the certificate file from your computer which you wish to import. It will usually end with a suffix of .asc, .cer, .cert, or .pgp, and will be visible to Kleopatra as a selectable option. Upon opening the file, you will see a popup.

If you are sure this is your certificate, click “Yes, It’s Mine” to proceed. The key will then appear in your list of Imported Certificates in the Certificates menu.

Press “OK” to close the popup. You can now decrypt and sign messages with this certificate.

V. Locating Your Public Key

To find your PGP public key for a newly-created or imported certificate, hover over it and double-click it. This will bring up basic details of the certificate.

Click the “Export” button. This will bring up the text of your PGP public key, which will look something like this:

Select the entire contents and copy them to your clipboard, then paste them into a text document. You can name the document something like “PGP – YourUsername” to help you remember what account the key belongs to. This is your PGP public key that others will need in order to encrypt messages which can be read only by you.

Note that all the lines that begin with “Comment:” aren’t essential to the encryption process and can be deleted if you do not want to reveal extraneous info about your public key. The “-----BEGIN” and “-----END” lines, along with the block of text that begins with the letter “m”, are absolutely crucial, however, and must be pasted when uploading/attaching a public key.
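
The rule above can be checked mechanically before a key is pasted anywhere. This Python sketch is an added example (not from the original guide or from GnuPG/Kleopatra): it removes the Comment lines, verifies that the BEGIN/END lines, blank separator, base64 data and CRC-24 line still agree, and refuses a block that is not a public key. The sample block and all function names are constructed for illustration; the sample is not a usable key.

```python
import base64

def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1 (the '=XXXX' line of an armored block)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(block_type: str, payload: bytes, comments=()) -> str:
    """Build an armored block; used here only to construct the sample input."""
    b64 = base64.b64encode(payload).decode()
    crc = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode()
    lines = [f"-----BEGIN PGP {block_type}-----"]
    lines += [f"Comment: {c}" for c in comments]
    lines += [""]  # blank line separating armor headers from the data
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines += ["=" + crc, f"-----END PGP {block_type}-----"]
    return "\n".join(lines) + "\n"

def parse_armor(text: str):
    """Return (block_type, headers, payload); raise ValueError if damaged."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or not (lines[0].startswith("-----BEGIN PGP ")
                              and lines[0].endswith("-----")):
        raise ValueError("BEGIN line missing or mangled")
    block_type = lines[0][len("-----BEGIN PGP "):-5]
    if lines[-1] != f"-----END PGP {block_type}-----":
        raise ValueError("END line missing or does not match BEGIN")
    body = lines[1:-1]
    if "" not in body:
        raise ValueError("blank line after the armor headers is missing")
    sep = body.index("")
    headers = [tuple(h.split(": ", 1)) for h in body[:sep]]
    data = body[sep + 1:]
    checksum = None
    if data and len(data[-1]) == 5 and data[-1].startswith("="):
        checksum = int.from_bytes(base64.b64decode(data.pop()[1:]), "big")
    payload = base64.b64decode("".join(data), validate=True)
    if checksum is not None and crc24(payload) != checksum:
        raise ValueError("CRC-24 mismatch: data altered or truncated")
    return block_type, headers, payload

def strip_comments(text: str) -> str:
    """Remove 'Comment:' headers, keeping BEGIN/END, separator, data and CRC."""
    kept, in_headers = [], True
    for ln in text.strip().splitlines():
        if in_headers and ln.startswith("Comment:"):
            continue
        if not ln.strip():
            in_headers = False
        kept.append(ln)
    return "\n".join(kept) + "\n"

def shareable_public_key(text: str) -> bytes:
    """Return the payload only if the block really holds a public key."""
    block_type, _, payload = parse_armor(text)
    first = payload[0] if payload else 0
    # Packet tag: new format keeps it in bits 5-0, old format in bits 5-2.
    tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F
    if block_type != "PUBLIC KEY BLOCK" or not first & 0x80 or tag != 6:
        raise ValueError("refusing: not a public key block")
    return payload

# Constructed sample, NOT a usable key: old-format public-key packet header 0x98
# (base64 turns that first byte into the leading "m"), length 0x33, 51-byte body.
SAMPLE_PACKET = bytes([0x98, 0x33, 0x04]) + bytes(50)
SAMPLE_EXPORT = armor("PUBLIC KEY BLOCK", SAMPLE_PACKET,
                      comments=["User ID: Anonymous User", "Type: constructed sample"])
SECRET_SAMPLE = armor("PRIVATE KEY BLOCK", bytes([0x94, 0x01, 0x04]))
```

Calling `shareable_public_key(strip_comments(SAMPLE_EXPORT))` returns the original packet bytes, while a block whose dashes were converted to typographic dashes, whose blank separator line was deleted, or that holds a private key raises `ValueError`.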

VI. Decrypting a Message

In this section we’ll teach you how to decrypt a message that has been encrypted with your public key. A PGP-encrypted message usually looks something like this:

  1. First, copy the entire contents of the message (including the top and bottom lines that contain the dashes) and paste it into the Notepad section of Kleopatra.
  2. Next, press the “Decrypt / Verify Notepad” button. If the public key that was used to encrypt the message is already part of your Kleopatra certificates, it will be automatically decrypted, and you will see the decrypted message, along with a message indicating the decryption was successful.

If the encrypted message was improperly pasted you will see a “No data” error message above the Notepad. If the private key for the message has not been imported into Kleopatra or does not belong to you, you will see a message that says “Decryption failed: No secret key.”

VII. Signing a Message

In this section we explain how to sign a message using one of your PGP private keys. This is done to prove that a message was actually written by the author (key owner) claiming to have written it.

  1. First, write or paste the message you wish to sign in Kleopatra’s Notepad.
  2. Next, click the Recipients tab to select the account from which you will be signing the message.

In this instance we have selected “Anonymous User” as the signer and unchecked the “Encrypt for me” and “Encrypt for others” boxes because we are simply signing an unencrypted message.

  3. After selecting the appropriate account, return to the Notepad tab from Recipients and press “Sign Notepad”. This will create the signed message which can then be verified by anybody who possesses the PGP public key for this account.

VIII. Importing a Public Key

To verify messages sent by others or encrypt messages to be read by them, you must first import the recipient’s PGP public key. This can be done a couple of ways, the easiest of which is copying the public key into your clipboard and selecting Tools -> Clipboard -> Certificate Import.

Be sure to select the entire contents of the PGP public key you are importing, including the lines with the dashes at top and bottom.

  1. After copying the public key to your clipboard and selecting “Certificate Import” from the Clipboard section of the Tools menu, you will be greeted with a popup.

This is simply a warning to make sure you trust that you are importing this key from the entity you believe it belongs to. Press “Certify” to continue.

  2. You will now be asked to choose which account you wish to use to certify the certificate you are importing.

Note that a PGP Fingerprint is displayed for this account. This is a series of characters that can be used to verify that you are importing the correct public key. It is basically a shorthand ID associated with the PGP key used for easy association. For this example, we have chosen to certify with our main, recently-created PGP account (Anonymous User). We can see that the PGP key belongs to Satoshi Nakamoto. Press “Certify” at the bottom of the screen to proceed.

  3. You will be greeted with a popup that says “Certification Successful”, and the key will be added as an entry to Kleopatra’s list of certificates. You can now encrypt messages that can only be read by the owner of this certificate’s private key, who in this case is Satoshi Nakamoto. You can also verify messages signed by this keyholder.
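
How the fingerprint mentioned above binds to the key material rather than to the displayed name, as an added Python example that is not part of the original guide or of Kleopatra: a version 4 fingerprint is a SHA-1 hash over the public-key packet only, so two keys carrying the same name still have different fingerprints, and the comparison before pressing “Certify” should use all 40 hex digits. The key bodies, timestamps and function names below are constructed for illustration and are not real keys.

```python
import hashlib
import struct

ED25519_OID = bytes.fromhex("2b06010401da470f01")  # 1.3.6.1.4.1.11591.15.1

def ed25519_key_body(created: int, point: bytes) -> bytes:
    """Body of a v4 public-key packet for an Ed25519 key (constructed input)."""
    if len(point) != 32:
        raise ValueError("Ed25519 public point must be 32 bytes")
    mpi = struct.pack(">H", 263) + b"\x40" + point  # bit count, 0x40 prefix, point
    return (b"\x04" + struct.pack(">I", created) + b"\x16"  # version, time, EdDSA
            + bytes([len(ED25519_OID)]) + ED25519_OID + mpi)

def fingerprint_v4(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, two-octet length, packet body."""
    framed = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(framed).hexdigest().upper()

def display(fp: str) -> str:
    """Group the hex digits in fours for easier reading."""
    return " ".join(fp[i:i + 4] for i in range(0, len(fp), 4))

def key_id(fp: str) -> str:
    """Long key ID: the low 64 bits of the fingerprint."""
    return fp[-16:]

def matches(body: bytes, claimed: str) -> bool:
    """Compare an imported key with a fingerprint obtained out of band."""
    wanted = "".join(claimed.split()).upper()
    if len(wanted) != 40:  # reject key IDs and truncated fingerprints
        return False
    return fingerprint_v4(body) == wanted

# Constructed inputs, not real keys. Both could carry the same name in their
# user ID packet; the user ID is not part of the hashed bytes.
GENUINE = ed25519_key_body(1700000000, bytes(range(32)))
LOOKALIKE = ed25519_key_body(1700000000, bytes(range(1, 33)))
PUBLISHED = display(fingerprint_v4(GENUINE))  # as read from a trusted channel

if __name__ == "__main__":
    print("published :", PUBLISHED)
    print("genuine   :", matches(GENUINE, PUBLISHED))
    print("lookalike :", matches(LOOKALIKE, PUBLISHED))
    print("key ID    :", matches(GENUINE, key_id(fingerprint_v4(GENUINE))))
```

The creation time is part of the hashed body, so the same key material with a different timestamp also produces a different fingerprint.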

IX. Encrypting a Message

This section is for encrypting messages using PGP public keys that are not your own. You can encrypt messages to yourself using the “Sign / Encrypt” feature of Kleopatra’s Notepad (as mentioned above).

  1. After importing the public key of the entity to which you want to send a message (explained in the section above), copy the text of the message you wish to encrypt into your clipboard.
  2. Select the “Encrypt” option located under the Clipboard section of the Tools menu.
  3. You will be brought to an Encrypt Mail Message window. Click the “Add Recipient” box toward the bottom of the window to select the public key you will use to encrypt the message. Note that the message must be in plain text (special characters and other data may not be properly decrypted). For the purpose of this example, we will be encrypting a message to Satoshi Nakamoto, the owner of the certificate that was imported in our example above. Our message being encrypted is “Hello Satoshi!”
  4. After selecting the recipient, press “OK”. You will be brought back to the Encrypt Mail Message window which now displays a warning that reads “None of the selected certificates seem to be your own. You will not be able to decrypt the encrypted data again.” Leave the encryption type as OpenPGP (set by default) and click “Next” to encrypt the message. If the imported PGP key is valid, you will be greeted with a message that says “Encryption succeeded.”
  5. Press “OK” to close the window. The encrypted contents of the message will now be in your clipboard where you can paste them to your intended destination. The encrypted message will look something like this:

Only the owner of the corresponding PGP private key can decrypt this message, which will read “Hello Satoshi!” after decryption. Remember that you will need to transmit the entire output in your clipboard to the recipient in order for them to successfully decrypt it.

X. Verifying a Message

In this section we will teach you how to verify a signed PGP message. This is important for authenticating the source of information. If an entity posts a public key, future correspondence from them in the form of signed messages can be verified with this key by anyone who has a PGP utility like Kleopatra. To verify a signed message, you must first have the PGP public key installed as a certificate in Kleopatra (this process is explained above in Section VIII).

For this example, we will be verifying a message signed by a random internet user named “elfheart.” We have already imported this user’s public key as a certificate into Kleopatra. The signed message appears as follows:

  1. To verify the message, first copy the entire message and paste it into the Notepad of Kleopatra.
  2. Next, click the “Decrypt / Verify Notepad” button to verify the message. If the signature is valid (belongs to an unexpired PGP key), you will see a message above the notepad text, with the text of the message below it.

You now know for sure that the message was indeed written by the possessor of the private key used to sign the message. If the signature is not valid or the signature contents are malformed, you will receive a corresponding error message.

XI. Backing Up Your PGP Certificate

It’s a good idea to back up your PGP certificate in case you want to install it on another computer, or store it (password-protected) on a USB or other storage device. This way you can regain access to your PGP key pair in case something happens to your computer. You will want to create backups of both the public and private keys for your certificate.

  1. To create a backup of your public key, right-click the name of the certificate you want to save in the Certificates window, and then click “Export”.
  2. Next, select the file location on your computer where you want to save the public key and click “Save”.
  3. Now save the private key by once again right-clicking the same name of the certificate and this time click “Backup Secret Keys”.
  4. Save this alongside your public key export file. You can now copy these files to an external drive for safe keeping.

XII. Final Considerations

After reading this guide you should now be able to perform basic PGP operations in Kleopatra. We did not go into advanced subjects like revoking certification (renders a PGP key no longer valid), changing the end of the validity period (for extending or shortening the length of time before expiration), or changing the certificate’s passphrase, but these are all options that can be executed in Kleopatra.

It is important to keep in mind that anybody who possesses your PGP private key (the “secret” portion of the certificate) can sign messages as you, which could be very damaging, depending on what you are using PGP to accomplish. For this reason, we strongly recommend encrypting your PGP certificate with a passphrase (this option is presented to you during the PGP key pair creation process). Safeguard your PGP certificate as you would any sensitive digital data, for example credentials to important websites, credit card numbers, or a cryptocurrency private key or wallet seed phrase.

For specific information about PGP and Kleopatra not covered in this guide, we recommend you consult The Kleopatra Handbook, hosted on the software developer’s website, kde.org. You can also read more about PGP and its history here, on the OpenPGP website.

How do you make a PGP key with Kleopatra?

Creating the keypair
  1. Download the latest version of GPG4Win.
  2. Run the GPG4Win installer. ...
  3. Open Kleopatra.
  4. Go to File > New Key Pair.
  5. Select the option Create a personal OpenPGP key pair.
  6. Type a Name/Email address (at least one is required to continue) and click Next.
  7. Click Create.
  8. Enter a passphrase for the keypair and click OK.

Is Kleopatra PGP safe?

The receiver gets the encrypted message and decrypts it using their private key. Since they have the sender's public key, they can verify the message's authenticity. It will be nearly impossible for anyone to read the contents of the private encrypted message without the public key.

Is Kleopatra a GPG or PGP?

Kleopatra is the KDE tool for managing X.509 and OpenPGP certificates in the GpgSM and GPG keyboxes and for retrieving certificates from LDAP and other certificate servers.

How to generate PGP private key from public key?

To create a key pair using PGP Command Line follow these steps:
  1. Open a command shell or DOS prompt.
  2. On the command line, enter: pgp --gen-key [user ID] --key-type [key type] --bits [bits #] --passphrase [passphrase] ...
  3. Press "Enter" when the command is complete. ...
  4. PGP Command line will now generate your keypair.

What is the difference between PGP and public key?

PGP, Pretty Good Privacy, is a "public key cryptosystem." (Also known as PKC.) In PGP, each person has two "keys": a "public key" that you give to other people, and a "private key" that only you know. You use public keys to encrypt messages and files for others or to add users to PGP Virtual Disk volumes.

Is PGP obsolete?

PGP based registry signatures will be deprecated on March 31st 2023. This means no new packages will be signed with PGP keys from this date onwards and the public key hosted on Keybase will expire. Read more about registry signatures.

Why don't people use PGP?

PGP is not an especially good way to securely transfer a file. It's a clunky way to sign packages. It's not great at protecting backups. It's a downright dangerous way to converse in secure messages.

Is PGP still relevant?

Is PGP Encryption Secure? PGP encryption is almost impossible to hack. That's why it's still used by entities that send and receive sensitive information, such as journalists and hacktivists. Though PGP encryption cannot be hacked, OpenPGP does have a vulnerability that disrupts PGP encrypted messages when exploited.

What encryption does Kleopatra use?

Kleopatra is a graphical interface to GnuPG, a tool to encrypt and authenticate text and files using the OpenPGP standard.

Is PGP better than AES?

PGP is just as strong as that of AES, but it adds an additional layer of security to prevent anyone who only has the public key from being able to decrypt data. Another benefit of asymmetric encryption is that it allows for authentication.

What encryption algorithm does Kleopatra use?

Encrypting Files Sent to Equifax

7.1. Go to Settings → Configure Kleopatra → GnuPG System → S/MIME. Ensure “Use cipher algorithm NAME” is AES256.

What is the difference between GPG and PGP?

GPG, or GNU Privacy Guard, is an open-source implementation of PGP encryption. It is functionally similar to PGP, but is available for free and can be used on a wider range of devices. PGP is more user-friendly and supports a wider range of cryptographic algorithms. GPG is more powerful and supports digital signatures.

Why use Kleopatra?

With Kleopatra you can: Create new OpenPGP keys for yourself. Manage your OpenPGP private keys and the public keys of others. Encrypt and sign text with a public key.

Can you decrypt PGP with a public key?

Public key cryptography

Anyone with a copy of your public key can then encrypt information that only you can read. Even people you have never met. It is computationally infeasible to deduce the private key from the public key. Anyone who has a public key can encrypt information but cannot decrypt it.

How do you make a certificate in Kleopatra?

Create Certificate with Kleopatra
  1. Start Kleopatra from your start menu.
  2. You will see the Kleopatra Window which will show you the certificates you have installed. ...
  3. Let's create your first public key private key pair by clicking File > New Certificate.
  4. The Certificate Creation window will open.

Where is the key in Kleopatra?

This is pretty easy. Go to the list of Certificates, double click the one you want, a Certificate Details window will pop up, click Export and it should open up a window with your public key.

Author: Kerri Lueilwitz
