How to Use GPG with GNU Kleopatra in Linux

A photograph of a rotary padlock on top of a computer keyboard.

The GNU Privacy Guard (GPG) is one of the most important programs available today, as it allows you to create your own digital identity and establish encrypted communications online.

This article will show how you can get started with GPG in Linux using Kleopatra and send your first encrypted message over the internet.

Tip: Learn how you can create your own GPG key in Windows 11.

How GPG Works

At its core, GPG follows the OpenPGP standard which allows its users to exchange encrypted and signed messages over a network. The way it works is that the program relies on the idea of asymmetric cryptography. This is a method of cryptography that does not need a “pre-arranged” key to encrypt messages to other users.

One of the biggest advantages of this approach is that you do not need your recipient to be present to begin encrypting messages. This makes GPG suitable for “delay-tolerant” communication such as email.

A screenshot showing the KMail program reading an email.

Aside from that, asymmetric encryption also gives you the opportunity to create “public keys” that you can share to verify your identity. This is highly useful in preventing any bad actor to impersonate as you online.

Installing GNU Kleopatra

While GPG is a powerful tool, it can be hard and complex to use on its own. GNU Kleopatra aims to reduce this complexity by providing an intuitive and easy to use graphical front-end for GPG.

A screenshot of the GNU Kleopatra program version.

To install Kleopatra in Debian and Ubuntu Linux, you can run the following command:

sudo apt install kleopatra
A screenshot of the installation process for GNU Kleopatra.

To install Kleopatra on Fedora and Enterprise Linux 8 distribution:

sudo dnf install kleopatra

and for Arch Linux

sudo pacman -S kleopatra

Good to know: Learn what is the best free Enterprise Linux 8 distribution for you by looking at the differences between AlmaLinux and Rocky Linux.

Creating Your First GPG Keypair

  1. Launch Kleopatra from your desktop’s application launcher.
A screenshot of the GNU Kleopatra application icon.
  1. Kleopatra will check if it has all of its utilities up and running. You can press “Continue” to load the program.
A screenshot of the Kleopatra self-check window.
  1. Click the “New Key Pair” button to generate your GPG key.
A screenshot of the GNU Kleopatra welcome splash screen.
  1. Write the name and the email address that you want to use for your GPG key. While it is good practice to provide accurate contact information, you do not need to write a resolvable email address for your key.
A screenshot of the basic GPG key information prompts.
  1. Tick the “Protect the generated key with a passphrase” checkbox. Doing this will add an additional layer of security for your key.
A screenshot of the GPG passphrase tickbox.
  1. Click the “Advanced Settings…” button.
A screenshot of the Advanced Settings... button in GNU Kleopatra.

Configuring Your GPG Key

  1. Click the drop-down box for both the “RSA” and “+ RSA” options and select “4096 bits.” Increasing the bits will make sure that your GPG private key is secure for the foreseeable future.
A screenshot of the Advanced Settings window showing the new bit values for the GPG key.
  1. Click the drop-down box beside the “Valid until:” checkbox and select a date for your key’s expiration date. This ensures that your GPG key will disable itself even if you cannot access it anymore. In my case, I usually set the expiration date for my GPG keys between 6 to 9 months.
A screenshot showing the modified date value for the GPG key expiry.
  1. Click “OK,” then “Create.”
A screenshot highlighting the "Create" button.
  1. Provide the password for your new GPG key.
A screenshot showing the GPG passphrase key prompt.
  1. Click the “Finish” button to save your new GPG key.
A screenshot showing the finalized details of the new GPG key.

Tip: Learn how to create and use GPG keys using only the command line.

Publishing Your Public Key Online

At this point, you have a working GPG key. You can use this to either sign digital messages or encrypt files to protect your privacy. However, in order to receive encrypted emails from other people, you also need to provide your key’s public key.

One of the easiest ways to do this is by publishing your key on a centralized GPG keyserver. These are write-once, read-many servers that allow you store your public key in an easily searchable index.

  1. Before you publish your key, you need to create a “Revocation Certificate.” To generate one, right click your key, then select “Details.”
A screenshot showing the "Details" prompt in GNU Kleopatra.
  1. Click “Generate Revocation Certificate.”
A screenshot highlighting the revocation certificate option in GNU Kleopatra.
  1. Select a folder where you want to save your certificate.
  1. Click “Close.”
A screenshot showing the highlighted "Close" button for the revocation certificate prompt.
  1. With a revocation certificate at hand, you can now upload your public key to a GPG keyserver. Right click your key and select “Publish on Server.”
A screenshot showing the "Publish on Server..." prompt for GNU Kleopatra.
  1. Click “Continue” on the warning prompt.
A screenshot showing the warning prompt for uploading public keys.
  1. This will upload your public key to a rotating list of keyservers. Once it is done, Kleopatra will display a confirmation message showing that the public key is now live.
A screenshot showing successful key export.

Importing Other People’s Public Keys

Aside from letting other people fetch your public key, you could also import theirs to your own keyring. This can be helpful if you are sending the first message and you want your recipient to verify his identity.

To find a GPG Public Key, you need to go to a key directory. These are websites that present the key fingerprint of any user that has uploaded his public key online. One of the most popular key directories available today is keyserver.ubuntu.com.

  1. Go to keyserver.ubuntu.com
A screenshot showing Ubuntu keyserver website.
  1. Click the search bar and type the email address of the user that you want to import the public key of. For example, you can type “ramces@example-email.com” to search for a GPG key that I have made for this article.
A screenshot showing the search prompt for the Ubuntu keyserver website.
  1. Right click the link that contains a string of letters and numbers on the column with the “[self-sig]” label.
A screenshot showing the results of the key search in the Ubuntu keyserver.
  1. Click “Save Link As…”
A screenshot showing the "Save Link As..." prompt for the Ubuntu keyserver.
  1. Change the name of the file from “lookup” to “lookup.asc” and save it in your home directory.
A screenshot showing the file picker program for the Ubuntu keyserver website.
  1. Go back to Kleopatra and click “File,” then “Import.”
A screenshot showing the "Import" option for GNU Kleopatra.
  1. Navigate to your home directory and select your “lookup.asc” file.
A screenshot showing the new GPG public key inside the file picker prompt.
  1. Click “OK” on the confirmation box to include the new public key to your keyring.
A screenshot showing the successful public key import.

Encrypting Your First File in GPG

Once you have the public key of the user that you want to communicate with, you can now use Kleopatra to send encrypted messages and files to them.

  1. To encrypt your first file, click “File,” then “Sign/Encrypt.”
A screenshot showing the file encryption prompt in GNU Kleopatra.
  1. Select the file that you want to encrypt.
A screenshot showing the file picker prompt for the file encryption process.
  1. This will open a small window where you can tell Kleopatra how you want to encrypt your file. Tick the “Encrypt for Others” checkbox and type the address of your recipient’s public key.
A screenshot showing the various public keys that you can encrypt a file to.
  1. Click “Sign/Encrypt” to create your GPG-encrypted file.
A screenshot showing a confirmation window of the file encryption process.

FYI: You can also create automatic encrypted backups to the cloud using Rclone.

Decrypting Your First File in GPG

The Kleopatra utility also provides the ability to decrypt GPG-encrypted files from inside the program. This, coupled with the ability to encrypt files, makes Kleopatra an effective tool to securely correspond with other GPG users.

  1. To decrypt a GPG-encrypted file, click “File,” then “Decrypt/Verify”
A screenshot showing a GPG decrypt function.
  1. Select the file that you want to decrypt.
A screenshot showing the file picker prompt for the decryption process.
  1. This will open a summary window where Kleopatra will check whether the GPG-encrypted file has been properly encrypted and addressed to you. You can decrypt your file by clicking “Save All.”
A screenshot showing the successful file decryption process in GNU Kleopatra.

Tip: Learn how to do quick file and directory encryption using Tomb.

Frequently Asked Questions

How can I delete a key from a keyserver?

It is not possible to fully delete a key from a GPG keyserver. However, you can tell a keyserver that you no longer use a particular public key.

While this will not remove your record from a keyserver, this will allow you to prevent any malicious actor from reusing your old keys. To do this, you need to right click your key in Kleopatra and select “Revoke Certification.”

Is it possible to recover a GPG key password?

There is no built-in function in either GPG or Kleopatra to recover a key password. If the password you used is simple enough, you can try “brute forcing” your key’s password using a dictionary password cracker (though that really defies the purpose of setting a password).

Is it possible to encrypt entire directories with GPG?

Yes. Click “File -> Sign/Encrypt Folder” in Kleopatra. It will open a file picker dialog box where you can select the folder that you want to encrypt.

Aside from that, you can also encrypt a directory by placing it first inside a tar archive. For example, running: tar cvzf ./encrypt-folder.tar.gz ./sample will compress the sample directory as “./encrypt-folder.tar.gz.” You can then encrypt this archive as a file in Kleopatra.

Image credit: Towfiqu barbhuiya via Unsplash. All alterations and screenshots by Ramces Red.

Is this post useful?
Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox

Ramces Red
Ramces Red - Staff Writer

Ramces is a technology writer that lived with computers all his life. A prolific reader and a student of Anthropology, he is an eccentric character that writes articles about Linux and anything *nix.