Chapter 7. Encryption with KGpg

Contents

7.1. Why Signing and Encrypting?
7.2. Generating a New Key Pair
7.3. Exporting the Public Key
7.4. Importing Public Keys from Others
7.5. The Key Server Dialog
7.6. Encrypting Your Data
7.7. For More Information

You can sign or encrypt data with KGpg, a graphical user interface for GnuPG. This program helps you to generate and manage all needed keys. Use its editor function for the quick creation and encryption of files or use the applet in your panel to encrypt or decrypt by dragging and dropping. Other programs, such as your mail program (Kontact or Evolution), access the key data to process signed or encrypted contents. In the following sections, learn how to execute the following steps necessary for signing and encrypting data with KGpg:

  1. Generating a New Key Pair

  2. Exporting the Public Key

  3. Importing Public Keys from Others

  4. Encrypting Your Data

7.1. Why Signing and Encrypting?

Signing

Signing means attaching electronic signatures to mails (or even software) to prove its origin. To avoid someone writing mails using your name and to protect both you and the recipients, you should sign your mails. Signatures help you to easily check the sender of the mails you receive and to distinguish authentic from malicious mails.

Software developers sign their software so you are able to check its integrity. Even if you have the software from an unofficial server, you can verify the package with the signature.

Encrypting

You might have sensitive information you want to protect from other parties. Encrypting helps you to transform data and make it unreadable for others. This is especially important for companies who must protect internal information as well as the employees' privacy.

7.2. Generating a New Key Pair

To be able to exchange encrypted messages with other users, first generate your own key pair. One part of it—the public key—is distributed to your communication partners, who can use it to encrypt the files or e-mail messages they send. The other part of the key pair—the private key—is used to decrypt the encrypted contents.

[Important]Private Key versus Public Key

Only you should have access to the private key. Do not grant other users access to this data.

Your private key is protected with a passphrase. Choose the passphrase carefully: do not use words from a dictionary, and mix alphabetic with non-alphabetic characters.

To create a new pair, proceed as follows:

  1. Start KGpg from the main menu or press Alt+F2 and enter kgpg. When you start the program for the first time, a wizard appears, guiding you through the configuration. Follow the instructions up to the point where you are prompted to create a key.

  2. Select Keys+Generate Key Pair, if you want to create a new key pair.

    Figure 7.1. KGpg: Creating a Key

    KGpg: Creating a Key

  3. Enter a name, an e-mail address, and optionally, a comment. If you do not like the default settings provided, also set the expiration time for the key, the key size, and the encryption algorithm used.

  4. To generate a standard key, confirm your settings with OK. After clicking OK, a dialog prompts you to enter a passphrase twice. The passphrase protects your private key. The relative strength of your chosen password is measured and displayed by the Password strength meter. The key pair will be generated. This can take some time.

    [Note]Expert Mode

    If you are an experienced user, use the Expert Mode to define additional options. This takes you to a terminal window where you can set the type of key to be generated, the key size (in bits) and the date of expiration. After entering your name and email address, you are prompted for a passphrase to protect your private key.

  5. After the key generation is finished, a summary is displayed. Save and print the revocation certificate and keep it in a safe place. You will need the certificate to revoke your key if you forget its passphrase. After you have confirmed with OK, KGpg displays its main window and you are finished.

    Figure 7.2. KGpg Main Window: Key Management

    KGpg Main Window: Key Management

The main window shows the keys on your key ring: your own key and the keys of other persons that you have already imported. Because a GnuPG key pair consists of a primary key with several subkeys, several subkeys are displayed for each user name, but they can be disregarded for the purposes of this chapter. Apart from other details (such as the creation date, the expiration date, and the ID of the key), the main window also shows the trust level of each key, indicated by color: white means that the trust level is unknown, blue indicates a high level of trust. For more information, see Section 7.4.2, “Trusting Keys”.

[Note]KGpg Icon and Main Window

When you start KGpg in later sessions, only a small icon with a padlock appears in the system tray. Click that icon to display the main KGpg window on your desktop.

7.3. Exporting the Public Key

After generating your key pair, make the public key available to other users. This enables them to use it to encrypt or sign the messages or files they send you. For example, if you want to encrypt a message for user tux, you encrypt it using tux' public key. To decrypt the message, tux uses his private key. If tux wants to send you a message, he encrypts it using your public key and you decrypt the message with your private key.

To make the public key available for others, select Keys+Export Public Keys. The dialog that opens offers four options:

Email

Your public key is sent to a recipient of your choice by email. If you activate this option and confirm with OK, the dialog for creating a new email message with your default mail program appears. Enter the recipient and click Send. The recipient receives your key and can then send you encrypted contents.

Clipboard

You can place your public key here before continuing to process it.

Default Key Server

To make your public key available to a wide audience, export it to one of the key servers on the Internet. For more information, refer to Section 7.5, “The Key Server Dialog”.

File

If you prefer to distribute your key as a file on a data medium instead of sending it by email, click this option, confirm or change the file path and name, and click OK.

7.4. Importing Public Keys from Others

If you receive a key in a file (for example, as an e-mail attachment), integrate it in your key ring with Import Key and use it for encrypted communication with the sender. You can also import keys from a public server if the person you want to communicate with has stored his public key there. For more information, see Section 7.5, “The Key Server Dialog”. The procedure is similar to the procedure for exporting keys already described.

7.4.1. Signing Keys

Keys can be signed like every other file to guarantee their authenticity and integrity. If you are absolutely sure an imported key belongs to the individual specified as the owner, express your trust in the authenticity of the key with your signature.

[Important]Establishing a Web of Trust

Encrypted communication is only secure to the extent that you can positively associate public keys in circulation with the specified user. By cross-checking and signing these keys, you contribute to the establishment of a Web of Trust. For these reasons, make really sure you only sign keys you have personally checked.

Before you can use your key, you need to sign it yourself.

Procedure 7.1. Signing A Key

  1. Select the key to sign in the key list in the Key Management window.

  2. Select Keys+Sign Keys.

  3. Select the private key to use for the signature. An alert reminds you to check the authenticity of this key before signing it. In the drop-down list, select how carefully you have checked that the key belongs to the person with whom you want to communicate.

  4. Click Continue and enter your passphrase in the next step. By entering the passphrase, you sign the key with your own private key. The signed key now appears green in the trust column.

Other users can now check the signature by means of your public key.

7.4.2. Trusting Keys

Normally, you are asked by the corresponding program whether you trust the key, or rather, whether you assume it is really used by its authorized owner. This happens each time a message needs to be decrypted or a signature has to be checked. To avoid this, edit the trust level of the newly imported key. To trust a key and set a certain trust level, do the following:

  1. Right-click the key and select Key Properties.

  2. Adjust the trust level in the Owner Trust drop-down list. This value indicates how much you trust the owner of this key to correctly verify the identity of the keys he signs.

  3. Close the property dialog. If you have set the trust level to Fully or Ultimately, the key now appears blue in the trust column.

The lower the trust level is, the less you trust the signer of the key to have checked the true identity of the keys signed. You may be entirely sure about the signer's identity, but this user may not check other people's identities properly before signing their keys. Notice that the trust level does not trigger any automatic actions by KGpg.
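To make the effect of the Owner Trust setting concrete, the following is an added example (not part of this manual and not KGpg code) that computes key validity from owner trust and key signatures the way GnuPG's classic web-of-trust model does, using GnuPG's defaults of completes-needed 1, marginals-needed 3 and max-cert-depth 5. Trust signatures, revocations and expiry are left out, and all key names and signatures are constructed.

```python
"""Added example, not from the KGpg manual: how GnuPG derives key *validity*
(may this key be used without a warning?) from the owner trust you set in
Key Properties and from the signatures on each key.  Simplified classic
web-of-trust model with GnuPG's defaults: completes-needed=1,
marginals-needed=3, max-cert-depth=5; trust signatures, revocations and
expiry are not modelled.  Key names and signatures are constructed."""
from dataclasses import dataclass, field

# Owner trust as chosen in KGpg's Owner Trust drop-down list.
UNKNOWN, NEVER, MARGINAL, FULL, ULTIMATE = "unknown", "never", "marginal", "full", "ultimate"


@dataclass
class Key:
    name: str
    owner_trust: str = UNKNOWN                   # how far you trust the owner as an introducer
    signed_by: set = field(default_factory=set)  # names of keys that certified this key


def compute_validity(keys, completes_needed=1, marginals_needed=3, max_cert_depth=5):
    """Return {name: validity}, validity in {"full", "marginal", "unknown"}.

    Only *fully valid* keys may act as introducers, and an introducer's
    signature counts only according to the owner trust assigned to it.
    """
    validity = {name: "unknown" for name in keys}
    for name, key in keys.items():               # depth 0: your own keys
        if key.owner_trust == ULTIMATE:
            validity[name] = "full"

    for _depth in range(max_cert_depth):         # each round walks one signature further
        introducers = {n for n, v in validity.items() if v == "full"}
        changed = False
        for name, key in keys.items():
            if validity[name] == "full":
                continue
            signers = [keys[s] for s in key.signed_by if s in introducers]
            fulls = sum(s.owner_trust in (FULL, ULTIMATE) for s in signers)
            margs = sum(s.owner_trust == MARGINAL for s in signers)
            if fulls >= completes_needed or margs >= marginals_needed:
                new = "full"
            elif fulls or margs:
                new = "marginal"
            else:
                new = "unknown"
            if new != validity[name]:
                validity[name] = new
                changed = True
        if not changed:
            break
    return validity


def sample_keyring():
    """Constructed key ring: 'me' is your own key; everyone else was imported."""
    return {
        "me":    Key("me", ULTIMATE),
        "alice": Key("alice", FULL, {"me"}),      # checked in person, trusted to check others
        "bob":   Key("bob", MARGINAL, {"me"}),
        "carol": Key("carol", MARGINAL, {"me"}),
        "dave":  Key("dave", MARGINAL, {"me"}),
        "erin":  Key("erin", UNKNOWN, {"me"}),    # identity verified, but careless when signing
        "frank": Key("frank", signed_by={"alice"}),
        "grace": Key("grace", signed_by={"bob", "carol", "dave"}),
        "hank":  Key("hank", signed_by={"bob", "carol"}),
        "ivan":  Key("ivan", signed_by={"erin"}),
        "jill":  Key("jill"),
    }


if __name__ == "__main__":
    for name, v in compute_validity(sample_keyring()).items():
        print(f"{name:6} validity={v}")
```

The run shows the point of the section: erin's key is valid because you signed it, but because her owner trust is unknown, her signature on ivan's key counts for nothing; hank, certified by only two marginally trusted keys, is merely marginally valid, while grace, certified by three, is fully valid.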

7.5. The Key Server Dialog

Several Internet-based key servers offer the public keys of many users. To engage in encrypted communication with a large number of users, use these servers to distribute your public key. For this purpose, export your public key to one of these servers. Similarly, KGpg enables you to search one of these servers for the keys of certain people and import their public keys from the server. Open the key server dialog with File+Key Server Dialog.

7.5.1. Importing a Key from a Key Server

By means of the Import tab in the key server dialog, import public keys from one of the Internet-based key servers. Select one of the preconfigured key servers and enter a search string (e-mail address of the communication partner) or the ID of the key to find. When you click Search, your system connects to the Internet and searches the specified key server for a key that matches your specifications.

Figure 7.3. Search Screen for Importing a Key

Search Screen for Importing a Key

If your search on the key server is successful, a list of all retrieved server entries is displayed in a new window. Select the key to include in your key ring and click Import. Confirm the following message with OK, then exit the key server dialog with Close. The imported key then appears in the main overview of the key manager and is ready for use.

7.5.2. Exporting Your Keys to a Key Server

To export your key to one of the freely accessible key servers on the Internet, select the Export tab in the key server dialog. Designate the target server and the key to export by means of two drop-down menus. Then start the export with Export.

Figure 7.4. Exporting a Key to a Key Server

Exporting a Key to a Key Server

7.6. Encrypting Your Data

After you have generated your key pair, exported your public key and imported public keys from others, you can also send or receive encrypted mails. Refer to Section 5.2.5, “Signing and Encrypting emails” to learn how to make use of those options in KMail.

KGpg also offers the possibility to encrypt text. To open the integrated editor choose File+Open Editor.

7.6.1. Encrypting and Decrypting from a File Manager

KGpg is also integrated into file managers like Dolphin or Konqueror. PGP-encrypted files are generally designated with the suffix .asc. There are several ways to encrypt or decrypt files from within a file manager:

Encrypt a File

To encrypt a file inside a File Manager, right-click the file and select Actions+Encrypt File. Choose one of the trusted keys in the dialog. After clicking OK in the dialog, a new file with the asc suffix will be created in the same directory.

Decrypt a File on the fly

To decrypt an encrypted file instantly, right-click the file and select Open with KGpg. If the original file name already exists, a dialog opens that asks how to name the file or whether it should be overwritten. KGpg prompts for the passphrase of your private key and saves the decrypted file in the same directory.

Decrypt with the editor

To decrypt an encrypted file with the editor, right-click the file in the File Manager and select Actions+View file decrypted.

7.6.2. The KGpg Editor

Instead of creating contents for encryption in an external editor and then encrypting the file with one of the methods described above, you can use the integrated editor of KGpg. To open the editor, select File+Open Editor. In the editor, enter the desired text (or copy it into the editor from the clipboard or any file) and click Encrypt. Then select the key to use and complete the encryption procedure. To decrypt files, use Decrypt and enter the passphrase associated with the key.

Generating and checking signatures is just as easy as encrypting directly from the editor. Go to Signature+Generate Signature and select the file to sign from the file dialog. Select the private key to use and enter the associated passphrase. KGpg informs you of the successful generation of the signature. Files can also be signed from the editor by simply clicking Sign/Verify. To check a signed file, go to Signature+Verify Signature and select the file to check in the following dialog. After you confirm the selection, KGpg checks the signature and reports the result of the operation. Another possibility is to load the signed file into the editor and click Sign/Verify.

7.7. For More Information

For comprehensive background information about the encryption method, refer to the GnuPG project pages at http://www.gnupg.org/documentation/index.en.html.