PGP and Kleopatra (2024)

Video Guide Now Available

Now let's encrypt a message using the Notepad in Kleopatra. We will just be encrypting a message to ourselves, so only we can read it.

Begin by navigating to "Notepad" in the Kleopatra toolbar. Then, type your message.

Once you're satisfied with your message, you need to encrypt and sign it.

Go to the "Recipients" tab.

Since I'm encrypting this message for me, and me alone, I'm going to use the "Encrypt for me" option. I don't have anyone else to encrypt messages for yet, so we'll leave that alone. Additionally, I won't be sharing this message externally, and I don't want anyone with a password to be able to see it, so I'll leave the checkbox at the bottom unchecked.

Finally, click "Sign / Encrypt Notepad"

If the key pair you created has a passcode/password, you will be required to type it before encrypting the message. If not, it will just encrypt it using your public key.

Back in the "Notepad" tab, you should see the encrypted message.

It has successfully converted the text I typed into a random string of incoherent text. Now, I can copy/paste and save this anywhere I want and no one but me will be able to decrypt it back to the original message.

Now let's see how to decrypt the encrypted message back to its original state.

Say I saved the message in a text file. Open Kleopatra, navigate to the Notepad, and paste the encrypted message back into the text area.

Since I only sent the message to myself, and my private key is safely stored on this computer, I can just decrypt it using the "Decrypt / Verify Notepad" button.

As you can see, the message was decrypted. Since I "signed" the message as myself when I encrypted it, it says "Valid signature by..." - this is how you can verify that the message is authentic from the sender.

Next, let's consider a scenario where we want a friend to be able to send us an encrypted message. To do this, we will have to provide them with our public key. Remember, we never want to share our private key with anyone else.

Return to the "Certificates" page and select the key pair you want to use to receive messages from this person.

There are several ways to export the public key. We will export the text by itself. So double click the key pair.

This opens a dialog with more information about the key. Click the "Export" button.

This is the PUBLIC key block. You will share this with the people or services you want to receive encrypted messages from. This is what allows them to send encrypted messages to you.

How you share this is entirely up to you. You may send it as a text file, plain text in an email, a flash drive, a printed piece of paper (this would be tedious to re-enter), or any other means you think is appropriate.

After you send someone your public key, they can send you messages. To decrypt messages sent to you, simply copy/paste them into the notepad and decrypt them using your private key, as we did in the previous example (sending a message to ourselves).

Next, consider a situation where you're the person trying to send an encrypted message to someone else. In order to do this, they should first provide you with their public key.

For demonstration, here is my public key.

-----BEGIN PGP PUBLIC KEY BLOCK-----Comment: User-ID:Kevin Olson <This email address is being protected from spambots. You need JavaScript enabled to view it.>Comment: Valid from:1/9/2023 9:53 PMComment: Valid until:1/9/2025 12:00 PMComment: Type:255-bit EdDSA (secret key available)Comment: Usage:Signing, Encryption, Certifying User-IDsComment: Fingerprint:79DDCFA9BC3AB2D1C3E0A4F919C6A98D75726DB3mDMEY7zTKhYJKwYBBAHaRw8BAQdAuZw9qBYgvn6S5CI3N7oW9q14HT8ZowwV3Nnn2mhat+m0KktldmluIE9sc29uIDxrZXZpbmpvbHNvbkBrZXZpbnNndWlkZXMuY29tPoiZBBMWCgBBFiEEed3Pqbw6stHD4KT5GcapjXVybbMFAmO80yoCGwMFCQPDLWYFCwkIBwICIgIGFQoJCAsCBBYCAwECHgcCF4AACgkQGcapjXVybbN8YwD/V6a1AmAxyM0zHkp2aJHb9PhqNQz0zuKUgcbZneG4ptsBANsoQXwgucdo/51NTMCPz1QtLohbN5pM7ZTQzSBk2nULuDgEY7zTKhIKKwYBBAGXVQEFAQEHQB88W/e93lnaMMmvjLxDZ0YXIdHrr3h0SR0toAZyBto3AwEIB4h+BBgWCgAmFiEEed3Pqbw6stHD4KT5GcapjXVybbMFAmO80yoCGwwFCQPDLWYACgkQGcapjXVybbOG9AD+P3AStgQb2DOiHNvAWOyIDqHXF54PQXi2ayiGwP0yRR8A/0+pl3ugbMPb71glyDmVGiZW7DuzFFxTpDIEpoJrsz4J=PTgL-----END PGP PUBLIC KEY BLOCK-----

The easiest way to import the public key is to save it as a text file. Open Notepad and paste my public key there. Then, save it as a .gpg file.

Next, return to the "Certificates" section of Kleopatra and click the "Import" button.

Import the GPG key file we just made. Kleopatra will ask if you want to "Certify" the public key. If a key is certified, this is supposed to mean you check the fingerprint of the key against the fingerprint provided by the sender. For example, you could call the owner of the public key and ask them what their key's fingerprint is. If it matches the fingerprint shown, you can certify that it's authentic. If it doesn't, someone sent you an invalid or fake key.

For our purposes, you can just certify the key. The Fingerprint should match "79DDCFA9BC3AB2D1C3E0A4F919C6A98D75726DB3"

Now, you will have multiple keys available in Kleopatra's certificate list. The first one should be your key pair, the second one should be my public key.

Return to the Notepad. In this scenario, I've created a new private/public key pair for someone called "Billy Bob" - so pretend I'm Billy and I want to send a message to Kevin. You can just continue using the private key you made for yourself earlier.

Type the message you only want Kevin to see.

Go to the "Recipients" tab. You can sign the message as yourself, if you want. In this example, I deselected the "Encrypt for me" option. This means once I encrypt this message, only the recipient will be able to decrypt it. I will not be able to decrypt the message again as Billy Bob.

Select "Encrypt for others" and then use the public key of the person you want to send the message to (Kevin Olson in this example).

Finally, hit "Sign/Encrypt Notepad"

Back in the Notepad tab, the message has been encrypted.

Now the message has been encrypted. I can send it to anyone, but only Kevin Olson, with his private key, will be able to read it. Please do not actually send me your message this way, the email I provided is not my actual email. This is for example only!

If I try to decrypt the message, it fails. Remember, in this example, I'm "Billy Bob" and not "Kevin". Only I can decrypt the message from Billy Bob with my private key.

You can encrypt a message for any amount of people you want, provided you have their public keys. For example, you could encrypt it for yourself and the recipient, just yourself, just the recipient, or for multiple other recipients.

By now, you should understand the logic behind key pairs, and know how to send and receive message using your private and public keys.

Still, we have just scratched the surface of what PGP encryption can do for us. Here are a few other example scenarios.

A Password Protected Message for Anyone

Now, let's make a password protected message that anyone can read, without a specific private key, provided they know the password. To do this, navigate to "Notepad" and type your message.

Go to recipients and select the bottom checkbox "Encrypt with password."

Of course, in real life you'll want to select a more secure password. Kleopatra will warn you if you use an insecure password, but you may still proceed if you wish. I encrypted this message with "mypassword" as the passphrase.

When I return to the notepad, this is my encrypted message:

-----BEGIN PGP MESSAGE-----jA0ECQMCM+x+7hIP0XD/0m0BdnQZT9DbClaR0s/M5JgwtUyaf6iwJBJB0WwHTxhTXRE5Foesl0R+sL5ZYhfj7ak+ojS9S/uRvXo2OulZUSUQSEDcGRXb+yBU18qy6j8ZPcKRF20hFreS5+uu2pbGe+zYuYl/iFPtgKtvwd+5=GSkE-----END PGP MESSAGE-----

You may copy/paste that into your Kleopatra Notepad if you wish.

Now, you can decrypt the message using just "mypassword". Anyone you send it to can decrypt it with that password. Note that this is considerably less secure than encrypting/decrypting using private/public keys.

Signed Messages

If you want to share a public message, but prove that it's really you writing it, you can create a signed PGP message.

For example, I wrote the following message:

Now, I'm going to "sign" the message, without encrypting the message itself.

Now, when I click "Sign Notepad" I get this output:

-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512Hello, everyone. This is Kevin Olson. The real Kevin Olson. You can tell, because I signed this message.-----BEGIN PGP SIGNATURE-----iHUEARYKAB0WIQR53c+pvDqy0cPgpPkZxqmNdXJtswUCY7zkmAAKCRAZxqmNdXJts52VAQCPYH7i9D258hIOGHuwiMNms0w+FAHdgfpt11fDurzkfwEAgUm9D25HRi0rLJOIB3AkNKV2X4ObTSivPYE/MvhztwE==D1V4-----END PGP SIGNATURE-----

As you can see, the message itself is still visible. However, there is a PGP Signature portion. Anyone with Kleopatra and my Public Key can paste this into the notepad and click "Decrypt / Verify Notepad" - It will check the PGP Signature against my public key and inform them that the message is verified. If you saved my public PGP key provided earlier (in the sending encrypted messages section), you can try this now.

Since I have my public key available in Kleopatra, it's able to verify that the message was signed by Kevin Olson, and not some impostor.

This is useful for verifying your identity online. You may see it used in important forum posts and such. This also happens when you write encrypted messages to people, provided you select the "Sign as" option.

Encrypting Files

For our final example, we will use Kleopatra to encrypt a file. I have a photo of my dogs, but it's super secret, so I don't want anyone else to be able to see it.

If you installed Kleopatra with context menu/shell extensions (the default option when you installed Gpg4Win), you can just right click any file you want to encrypt, and select the "Sign and Encrypt" option. If you're using Windows 11, you may have to select the "Show More Options" option first.

This brings up a dialog similar to the one in Kleopatra's notepad.

Select the key you want to sign the file with and add the recipients you want to be able to access the file. If you want the file only to be accessible by you, with your secret key, just select "Encrypt for me." In this example, I encrypted the file for myself, and for Billy Bob.

Click the "Sign/Encrypt" button. The file will now be encrypted.

Now you can see I have my original file and my encrypted file. I can send the encrypted file to anyone, but only myself and Billy Bob will be able to open it. I could post it publicly anywhere, without fear of someone else seeing my precious puppies. If you're encrypting the files just for yourself, ensure you delete the original file after encrypting it!

Backup Secret Key

The last topic I will discuss is backing up your secret or private key. If you're regularly encrypting/decrypting important files using a particular key, you should probably keep a backup of it somewhere, in the event your computer dies. The most secure option would probably be to store the secret key backup on an external USB drive or hard drive in a physical safe, or on your person. If you're slightly less concerned with security, you could store it in the cloud (Google Drive, OneDrive, iCloud, etc.) - but if you do this, ensure you are using a passcode protected key!

To backup your key, just right click the certificate in Kleopatra and select the "Backup secret keys" option. This will open a dialog allowing you to save the backup key file.

Put it somewhere safe. If you need to restore a key later, you may import this secret key back into Kleopatra using the "Import" button.