In this guide, you will learn the basics of sending, receiving, and verifying messages sent using PGP encryption with Kleopatra.
The principles are the same even if you use other software with PGP.
What can I use PGP for?
PGP stands for Pretty Good Privacy. PGP is an old proprietary application that was used to encrypt and decrypt messages. Today, PGP itself is basically defunct; it has been replaced by OpenPGP, an open-source alternative to the proprietary software that works the same way.
How it works in a nutshell (messaging)
- The sender and receiver both generate an OpenPGP key pair. Each pair consists of a private or secret key and a public key.
- On disk, these are simply text files that look like random gibberish.
- The sender and receiver both exchange their public keys, keeping the private keys for themselves.
- The sender writes a message and encrypts it using the receiver's public key.
- The receiver gets the encrypted message and decrypts it using their private key. Since they have the sender's public key, they can verify the message's authenticity.
- It will be nearly impossible for anyone to read the contents of the encrypted message without the private key.
- The system isn't infallible. The NSA and other classified organizations may be capable of breaking the encryption.
There are many use cases for PGP:
- Storing private information, such as a journal or confidential client information
- Encrypted communication between coworkers or peers to protect sensitive or classified information
- A popular way to send and receive messages on the dark web and authenticate your access to dark web applications
- Encryption of private files, either for yourself or to share with specific people
- To verify the authenticity of a message and know the sender is who they say they are. This is a "signed" message.
- To gain access to an application secured with PGP.
For the first demonstration, let's setup Kleopatra, create a key pair, and encrypt a message using someone else's public key.
The first step is to get Kleopatra installed on your computer.
If you are using Windows, download and install Gpg4win. This software bundle contains Kleopatra.
If you're using Linux, check out Kleopatra on KDE.
If you're on a Mac, you can look into GPGTools. Note that it doesn't use Kleopatra; you'll have to use GPG Keychain and GPG Services instead, and the interface is significantly different.
Creating Your Key Pair
I assume by now you've installed Kleopatra. Now it's time to create your key pair. If it's your first time running Kleopatra, and you haven't created a key pair yet, your screen should look like this:
Click "New Key Pair" or go to "File" and then "New OpenPGP Key Pair."
Enter your details, or the persona/username you intend to sign messages with. Optionally, encrypt the key with a passphrase (password). If you use a passphrase, it will be required to encrypt messages you send using this key pair. This ensures that no one but you can send messages as you using your key.
After generating the key pair, and entering the password (if selected), you will see a success message and the key pair will be added to the certificate list in Kleopatra.
Encrypting a Message
Now let's encrypt a message using the Notepad in Kleopatra. We will just be encrypting a message to ourselves, so only we can read it.
Begin by navigating to "Notepad" in the Kleopatra toolbar. Then, type your message.
Once you're satisfied with your message, you need to encrypt and sign it.
Go to the "Recipients" tab.
Since I'm encrypting this message for me, and me alone, I'm going to use the "Encrypt for me" option. I don't have anyone else to encrypt messages for yet, so we'll leave that alone. Additionally, I won't be sharing this message externally, and I don't want anyone with a password to be able to see it, so I'll leave the checkbox at the bottom unchecked.
Finally, click "Sign / Encrypt Notepad".
If the key pair you created has a passcode/password, you will be required to type it before encrypting the message. If not, it will just encrypt it using your public key.
Back in the "Notepad" tab, you should see the encrypted message.
It has successfully converted the text I typed into a random string of incoherent text. Now, I can copy/paste and save this anywhere I want and no one but me will be able to decrypt it back to the original message.
Now let's see how to decrypt the encrypted message back to its original state.
Say I saved the message in a text file. Open Kleopatra, navigate to the Notepad, and paste the encrypted message back into the text area.
Since I only sent the message to myself, and my private key is safely stored on this computer, I can just decrypt it using the "Decrypt / Verify Notepad" button.
As you can see, the message was decrypted. Since I "signed" the message as myself when I encrypted it, it says "Valid signature by...": this is how you verify that the message really came from the sender.
Getting Encrypted Messages from Other People
Next, let's consider a scenario where we want a friend to be able to send us an encrypted message. To do this, we will have to provide them with our public key. Remember, we never want to share our private key with anyone else.
Return to the "Certificates" page and select the key pair you want to use to receive messages from this person.
There are several ways to export the public key. We will export it as plain text, so double-click the key pair.
This opens a dialog with more information about the key. Click the "Export" button.
This is the PUBLIC key block. You will share this with the people or services you want to receive encrypted messages from. This is what allows them to send encrypted messages to you.
How you share this is entirely up to you. You may send it as a text file, plain text in an email, a flash drive, a printed piece of paper (this would be tedious to re-enter), or any other means you think is appropriate.
After you send someone your public key, they can send you messages. To decrypt messages sent to you, simply copy/paste them into the notepad and decrypt them using your private key, as we did in the previous example (sending a message to ourselves).
Sending an Encrypted Message
Next, consider a situation where you're the person trying to send an encrypted message to someone else. In order to do this, they should first provide you with their public key.
For demonstration, here is my public key.
-----BEGIN PGP PUBLIC KEY BLOCK----- Comment: User-ID: Kevin Olson <
The easiest way to import the public key is to save it as a text file. Open Notepad (the Windows text editor, not the Kleopatra Notepad), paste my public key there, and save it as a .gpg file.
Next, return to the "Certificates" section of Kleopatra and click the "Import" button.
Import the GPG key file we just made. Kleopatra will ask if you want to "Certify" the public key. Certifying a key is supposed to mean that you have checked its fingerprint against the fingerprint provided by the sender. For example, you could call the owner of the public key and ask them what their key's fingerprint is. If it matches the fingerprint shown, you can certify that it's authentic. If it doesn't, someone sent you an invalid or fake key.
For our purposes, you can just certify the key. The Fingerprint should match "79DDCFA9BC3AB2D1C3E0A4F919C6A98D75726DB3"
Now, you will have multiple keys available in Kleopatra's certificate list. The first one should be your key pair, the second one should be my public key.
Return to the Notepad. In this scenario, I've created a new private/public key pair for someone called "Billy Bob" - so pretend I'm Billy and I want to send a message to Kevin. You can just continue using the private key you made for yourself earlier.
Type the message you only want Kevin to see.
Go to the "Recipients" tab. You can sign the message as yourself, if you want. In this example, I deselected the "Encrypt for me" option. This means once I encrypt this message, only the recipient will be able to decrypt it. I will not be able to decrypt the message again as Billy Bob.
Select "Encrypt for others" and then use the public key of the person you want to send the message to (Kevin Olson in this example).
Finally, hit "Sign/Encrypt Notepad".
Back in the Notepad tab, the message has been encrypted.
I can send it to anyone, but only Kevin Olson, with his private key, will be able to read it. Please do not actually send me your message this way; the email I provided is not my actual email. This is for example only!
If I try to decrypt the message, it fails. Remember, in this example, I'm "Billy Bob" and not "Kevin". Only Kevin, with his private key, can decrypt the message from Billy Bob.
You can encrypt a message for any amount of people you want, provided you have their public keys. For example, you could encrypt it for yourself and the recipient, just yourself, just the recipient, or for multiple other recipients.
By now, you should understand the logic behind key pairs, and know how to send and receive messages using your private and public keys.
Still, we have just scratched the surface of what PGP encryption can do for us. Here are a few other example scenarios.
A Password Protected Message for Anyone
Now, let's make a password protected message that anyone can read, without a specific private key, provided they know the password. To do this, navigate to "Notepad" and type your message.
Go to recipients and select the bottom checkbox "Encrypt with password."
Of course, in real life you'll want to select a more secure password. Kleopatra will warn you if you use an insecure password, but you may still proceed if you wish. I encrypted this message with "mypassword" as the passphrase.
When I return to the notepad, this is my encrypted message:
-----BEGIN PGP MESSAGE-----

jA0ECQMCM+x+7hIP0XD/0m0BdnQZT9DbClaR0s/M5JgwtUyaf6iwJBJB0WwHTxhT
XRE5Foesl0R+sL5ZYhfj7ak+ojS9S/uRvXo2OulZUSUQSEDcGRXb+yBU18qy6j8Z
PcKRF20hFreS5+uu2pbGe+zYuYl/iFPtgKtvwd+5
=GSkE
-----END PGP MESSAGE-----
You may copy/paste that into your Kleopatra Notepad if you wish.
Now, you can decrypt the message using just "mypassword". Anyone you send it to can decrypt it with that password. Note that this is considerably less secure than encrypting/decrypting using private/public keys.
If you want to share a public message, but prove that it's really you writing it, you can create a signed PGP message.
For example, I wrote the following message:
Now, I'm going to "sign" the message, without encrypting the message itself.
Now, when I click "Sign Notepad" I get this output:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello, everyone. This is Kevin Olson. The real Kevin Olson. You can tell, because I signed this message.
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQR53c+pvDqy0cPgpPkZxqmNdXJtswUCY7zkmAAKCRAZxqmNdXJt
s52VAQCPYH7i9D258hIOGHuwiMNms0w+FAHdgfpt11fDurzkfwEAgUm9D25HRi0r
LJOIB3AkNKV2X4ObTSivPYE/MvhztwE=
=D1V4
-----END PGP SIGNATURE-----
As you can see, the message itself is still visible. However, there is a PGP Signature portion. Anyone with Kleopatra and my public key can paste this into the Notepad and click "Decrypt / Verify Notepad". It will check the PGP signature against my public key and inform them that the message is verified. If you saved my public PGP key provided earlier (in the sending encrypted messages section), you can try this now.
Since I have my public key available in Kleopatra, it's able to verify that the message was signed by Kevin Olson, and not some impostor.
This is useful for verifying your identity online. You may see it used in important forum posts and such. This also happens when you write encrypted messages to people, provided you select the "Sign as" option.
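To see what is actually inside that "random string of incoherent text", here is an added example (my own code, not part of the original guide or of Kleopatra) that decodes the two armored blocks shown above: the "mypassword" message and the signature block of the signed message. It checks the "=XXXX" checksum line and reads the first packet's header fields, which shows that the password message uses AES-256 with an iterated and salted passphrase-to-key derivation (so the passphrase strength is what protects it), and that the signature carries the signing key's fingerprint, the same value the guide tells you to compare before certifying a key. It assumes both blocks use one-octet packet lengths, which these do.

```python
import base64
# Armor bodies copied from this page: base64 lines plus the "=" checksum line.
PASSWORD_MSG = """jA0ECQMCM+x+7hIP0XD/0m0BdnQZT9DbClaR0s/M5JgwtUyaf6iwJBJB0WwHTxhT
XRE5Foesl0R+sL5ZYhfj7ak+ojS9S/uRvXo2OulZUSUQSEDcGRXb+yBU18qy6j8Z
PcKRF20hFreS5+uu2pbGe+zYuYl/iFPtgKtvwd+5
=GSkE"""
SIGNATURE = """iHUEARYKAB0WIQR53c+pvDqy0cPgpPkZxqmNdXJtswUCY7zkmAAKCRAZxqmNdXJt
s52VAQCPYH7i9D258hIOGHuwiMNms0w+FAHdgfpt11fDurzkfwEAgUm9D25HRi0r
LJOIB3AkNKV2X4ObTSivPYE/MvhztwE=
=D1V4"""
CIPHERS = {7: "AES-128", 8: "AES-192", 9: "AES-256"}
HASHES = {2: "SHA-1", 8: "SHA-256", 10: "SHA-512"}
PUBKEY = {1: "RSA", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}

def crc24(data: bytes) -> int:
    """Radix-64 checksum from RFC 4880 section 6.1 (the trailing "=XXXX" line)."""
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000: crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(block: str):
    # Returns (raw packet bytes, whether the checksum line matches the data)
    *data, check = block.strip().splitlines()
    raw = base64.b64decode("".join(data))
    return raw, crc24(raw) == int.from_bytes(base64.b64decode(check[1:]), "big")

def describe(block: str) -> dict:
    # Decodes the first OpenPGP packet; assumes one-octet packet lengths (true for both blobs)
    raw, ok = dearmor(block)
    ctb = raw[0]                              # packet tag byte (new format if bit 6 is set)
    tag = ctb & 0x3F if ctb & 0x40 else (ctb >> 2) & 0x0F
    body = raw[2:2 + raw[1]]
    if tag == 3:                              # Symmetric-Key Encrypted Session Key (password mode)
        return {"crc_ok": ok, "packet": "SKESK", "cipher": CIPHERS.get(body[1]),
                "s2k": {0: "simple", 1: "salted", 3: "iterated+salted"}[body[2]],
                "s2k_hash": HASHES.get(body[3])}
    if tag == 2:                              # v4 Signature packet
        info = {"crc_ok": ok, "packet": "signature", "sig_type": body[1],
                "pubkey": PUBKEY.get(body[2]), "hash": HASHES.get(body[3])}
        hashed, i = body[6:6 + int.from_bytes(body[4:6], "big")], 0
        while i < len(hashed):                # hashed subpackets: length, type, value
            n, typ = hashed[i], hashed[i + 1]
            if typ == 33:                     # Issuer Fingerprint: key version byte, then fingerprint
                info["issuer_fpr"] = hashed[i + 3:i + 1 + n].hex().upper()
            i += 1 + n
        return info
    return {"crc_ok": ok, "packet": tag}
```

Compare the issuer_fpr value with the fingerprint the guide gives in the import step; a signature whose fingerprint does not match a key you have verified out of band should not be trusted, whatever the name on it says.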
For our final example, we will use Kleopatra to encrypt a file. I have a photo of my dogs, but it's super secret, so I don't want anyone else to be able to see it.
If you installed Kleopatra with context menu/shell extensions (the default option when you installed Gpg4win), you can just right-click any file you want to encrypt and select the "Sign and Encrypt" option. If you're using Windows 11, you may have to select "Show More Options" first.
This brings up a dialog similar to the one in Kleopatra's notepad.
Select the key you want to sign the file with and add the recipients you want to be able to access the file. If you want the file only to be accessible by you, with your secret key, just select "Encrypt for me." In this example, I encrypted the file for myself, and for Billy Bob.
Click the "Sign/Encrypt" button. The file will now be encrypted.
Now you can see I have my original file and my encrypted file. I can send the encrypted file to anyone, but only myself and Billy Bob will be able to open it. I could post it publicly anywhere, without fear of someone else seeing my precious puppies. If you're encrypting the files just for yourself, ensure you delete the original file after encrypting it!
Backup Secret Key
The last topic I will discuss is backing up your secret or private key. If you're regularly encrypting/decrypting important files using a particular key, you should probably keep a backup of it somewhere, in the event your computer dies. The most secure option would probably be to store the secret key backup on an external USB drive or hard drive in a physical safe, or on your person. If you're slightly less concerned with security, you could store it in the cloud (Google Drive, OneDrive, iCloud, etc.), but if you do this, ensure you are using a passphrase-protected key!
To backup your key, just right click the certificate in Kleopatra and select the "Backup secret keys" option. This will open a dialog allowing you to save the backup key file.
Put it somewhere safe. If you need to restore a key later, you may import this secret key back into Kleopatra using the "Import" button.
Congratulations for making it to the end of this guide! I hope you found it useful and now have a better understanding of what you can do with OpenPGP and Kleopatra.