The Ultimate Guide to Email Encryption with OpenPGP

This guide provides a comprehensive, “terminal-first” approach to setting up robust end-to-end email encryption. By creating your cryptographic keys directly with GnuPG, you build a universal and secure foundation. We will then show you how to integrate this setup seamlessly with both Thunderbird, a user-friendly graphical client, and Neomutt, a powerful terminal-based client.

Changelog

Date	Change
2025-07-15	Major Restructure (Terminal-First): The entire guide was rewritten to prioritize key creation in the terminal (`gpg`), making it more robust, universal, and secure. This resolves platform-specific client issues.
2025-07-15	Initial Version: Article created.

1. Pre-Flight Check – Your System’s Foundation

Before we create any keys, we must ensure your system is correctly configured.

1.1. Install GnuPG

This is the core encryption engine.

Debian/Ubuntu: sudo apt update && sudo apt install gnupg
Arch Linux: sudo pacman -Syu gnupg

1.2. Install and Configure `pinentry`

When a program needs your key’s passphrase, GPG uses a helper application called pinentry to display a secure prompt. You must choose the right one for your environment.

Step 1: Choose and Install the Right pinentry for Your Environment

For standard Desktop Environments (GNOME, KDE, XFCE, etc.): A graphical pop-up is the default. Install the appropriate package:
- GNOME: sudo apt install pinentry-gnome3
- KDE Plasma: sudo apt install pinentry-qt
- Arch Linux (most desktops): sudo pacman -S pinentry
For Tiling Window Managers (i3wm, sway, etc.) or Terminal-Enthusiasts (Recommended): A graphical pinentry can “grab” focus and freeze your desktop. The terminal-based pinentry-curses is a much better solution as it runs directly in your terminal, allowing you to switch windows normally.
- Debian/Ubuntu: sudo apt install pinentry-curses
- Arch Linux: pinentry is already included in the pinentry package.

Step 2: Tell the GPG Agent Which Program to Use We will now edit the GPG Agent configuration file.

Open the file with a terminal editor:
```
nano ~/.gnupg/gpg-agent.conf
```

Inside the nano editor, add ONE of the following lines, depending on your choice in Step 1. Ensure the other line is deleted or commented out with a #.

# For a terminal-based prompt (i3wm, sway - HIGHLY RECOMMENDED for this setup)
pinentry-program /usr/bin/pinentry-curses

# For a graphical prompt (GNOME, KDE, etc.)
# pinentry-program /usr/bin/pinentry-gnome3
    
default-cache-ttl 600
max-cache-ttl 7200

Note: Verify the correct path with which pinentry-gnome3 or which pinentry-curses if needed.

Save the file and exit nano (Ctrl+X, then Y, then Enter).
Reload the agent to apply the new configuration:
```
gpg-connect-agent reloadagent /bye
```

2. Creating Your Master Key in the Terminal

We will now create your OpenPGP key using the recommended interactive process.

Start the key generation process:
```
gpg --full-generate-key
```
Follow the prompts. The recommended choices are secure and robust:
- Key Type: Select (1) RSA and RSA.
- Key Size: Enter 4096 bits.
- Expiration Date: Enter 2y (for 2 years). Keys should expire. This is a critical safety net that limits potential damage if a key is ever lost. Don’t worry, you can easily extend the validity before it expires, as shown in Part 3.5.
- Confirm that the expiration date is correct by typing y.
Provide Your User ID:
- Real name: Enter your full name.
- Email address: Enter the email address for this key.
- Comment: You can leave this blank.
- Confirm your details by typing O (for Okay).

Set Your Passphrase: A secure prompt will now appear (thanks to pinentry!). This will be the master password for your new private key.

⚠️ PASSPHRASE QUALITY IS CRITICAL
A weak passphrase makes your encrypted data vulnerable. Consider using a method like Diceware to generate a sequence of random words. If you lose this passphrase, you lose access to all data encrypted with this key permanently.

Congratulations, you have successfully created a secure, command-line-native OpenPGP key!

3. Essential Security Practices (Don’t Skip This!)

Immediately after creation, you must secure your new key for long-term use.

3.1. Identifying Your Key: The Key-ID

From this point forward, we will use your key’s unique Key-ID to refer to it. This avoids any confusion if you ever have multiple keys for the same email address.

Find Your Key-ID: Run the following command.

gpg --list-secret-keys --keyid-format LONG

Identify the ID: In the output sec rsa4096/YOUR-KEY-ID ..., the YOUR-KEY-ID is the long string of characters you will use in all subsequent commands.

3.2. Backup Your Private Key

A backup is not a backup until it’s tested. Use your newly found Key-ID here.

Create the Backup:

umask 077 && gpg --export-secret-keys --armor YOUR-KEY-ID > private-key-backup.asc

Verify the Backup:
```
gpg --dry-run --import private-key-backup.asc
```
If this command runs without errors, your backup is valid. Now, store the .asc file in one or more extremely secure, offline locations.

3.3. Create a Revocation Certificate

This is your emergency button. Use your Key-ID to specify which key to revoke.

umask 077 && gpg --gen-revoke --armor YOUR-KEY-ID > revocation-cert.asc

Store this file as securely as your private key backup.

3.4. Verify Keys and Build Your Web of Trust: The Core of PGP’s Security

This section is conceptually the most important part of the entire guide. It explains how you can be sure a public key truly belongs to the person it claims to.

What is the Fingerprint?

When you run the command gpg --fingerprint YOUR-KEY-ID, you get an output like this:

$ gpg --fingerprint 8A738464A2144E4C
pub   rsa4096 2025-07-29 [SC] [expires: 2027-07-29]
      4A9E 9A72 85F5 F569 C17C  299B 8A73 8464 A214 4E4C
uid        [ultimate] Delightful Dude <delightfuldude@criticalbasics.xyz>
sub   rsa4096 2025-07-29 [E] [expires: 2027-07-29]

The Fingerprint is the long line of 40 hexadecimal characters (often displayed in 10 blocks of 4 characters). It is like a human fingerprint: absolutely unique to this specific key. This is your key’s “ID card.”

The Verification Process: A Practical Example

Imagine you want to communicate securely with your friend, Anna.

Step 1: You acquire Anna’s public key. Anna has published her key on her website (Method 4.1) or a keyserver (Method 4.2). You import it.

# Example: You import Anna's key from her website
curl -sL https://anna.example.com/public.asc | gpg --import

Step 2: You check the key’s status. Now, you view the fingerprint of Anna’s key in your keyring.

gpg --fingerprint anna@example.com

The output will contain a line that looks like this: uid [ unknown ] Anna Miller <anna@example.com>

The [ unknown ] part is critical. It means: “I have this key, but I have absolutely no idea if it really belongs to Anna or to an attacker impersonating her.”

Step 3: The actual verification (the human part). To be sure, you must compare the fingerprint with Anna over a different, trusted channel. This is the most important step to prevent man-in-the-middle attacks.

You meet Anna in person.
You call Anna or have a video call (with someone whose voice or face you recognize).

During the conversation, the following happens:

You say: “Anna, I’m going to read you the fingerprint I have for your key. Does it start with 1234 ABCD…?”
Anna says: “Yes, that’s correct. And does yours start with 0FDA EF41…?”
You say: “Yes, it does.”

Now you both have certainty that you possess each other’s authentic key.

Step 4: Sign the key (digitally record your trust). After verifying the key, you tell your GnuPG that you trust it. You do this by signing the foreign key with your own private key.

gpg --sign-key anna@example.com

GPG will show you Anna’s fingerprint again and ask if you are really sure. Confirm with y. You will need to enter your passphrase to authorize the signature with your private key.

Step 5: Check the result. Run the fingerprint command again:

gpg --fingerprint anna@example.com

The output has now changed: uid [ full ] Anna Miller <anna@example.com>

The [ full ] is your personal note: “I have personally verified this key. It’s authentic. I trust it completely.”

Through this process, you build your personal “Web of Trust”. If you trust Anna’s key, and Anna in turn trusts Bob’s key, you have a reason to lend some level of trust to Bob’s key as well.

3.5. Extending Your Key’s Validity (Key Renewal)

An expiring key is a feature, not a problem. You do NOT need to start over. You can easily extend its life before it expires.

Start the Key-Editing Process:
```
gpg --edit-key YOUR-KEY-ID
```
Extend the Expiration Date: Inside the GPG prompt, type expire, enter a new duration (e.g., 2y), and confirm.
Save Your Changes:
```
gpg> save
```
Distribute Your Updated Key: You must re-publish your updated public key.
```
gpg --keyserver hkps://keys.openpgp.org --send-keys YOUR-KEY-ID
```
Also, send a newly signed email with your updated public key attached to your most important contacts.

4. Making Your Key Discoverable (Optional)

A public key that only exists on your computer is like a phone number you never give out. For others to send you encrypted mail easily, you should distribute your public key.

4.1. Method 1: The Gold Standard - Your Personal Website

This is the most secure and authoritative method. You establish a “source of truth” that you control, avoiding issues with public servers.

Export your public key:

gpg --export --armor YOUR-KEY-ID > public.asc

Upload the public.asc file to your website, for example, to https://your-website.com/public.asc.

4.2. Method 2: The Convenient Way - Public Keyservers

This method is more convenient but involves a trade-off with privacy.

Security Risk: NO. You only upload your public key.
Privacy Risk: YES. This publicly associates your email with PGP usage.

The Solution: Use a Modern, Privacy-Respecting Keyserver. This is why we exclusively recommend keys.openpgp.org. It requires your consent via email verification to publish your key.

Send Your Key to the Server:

gpg --keyserver hkps://keys.openpgp.org --send-keys YOUR-KEY-ID

Check Your Email: The keyserver will send you a verification email. You must click the link to finalize the publication.

5. Going Public: Your Contact Page and Email Signature

Now that you have ways to distribute your key, you need to tell people about them.

5.1. On Your Website’s Contact Page

Add a section like this to your contact page. It provides clear instructions for everyone.

<h3>Digital Contact & Verification</h3>
<p><strong>E-Mail:</strong> your.name@example.com</p>
<p>
    <strong>OpenPGP Key:</strong> For encrypted communication, you can get my public key here:
    <ul>
        <li><a href="/public.asc" download>Download Public Key</a></li>
        <li><strong>Or import via command line:</strong><br>
            <code>curl -sL https://your-website.com/public.asc | gpg --import</code>
        </li>
    </ul>
    <strong>Fingerprint for Verification:</strong><br>
    <code>YOUR FINGERPRINT IN 4-DIGIT BLOCKS</code>
</p>
<p><em>Policy: All legitimate emails from me will be digitally signed with this key.</em></p>

5.2. In Your Email Signature

A compact, professional signature in every email reinforces trust and makes verification easy.

-- 
Your Name

Website & PGP Key: https://your-website.com/contact
GPG Fingerprint: YOUR FINGERPRINT IN 4-DIGIT BLOCKS

This signature doesn’t overload the email but provides everything a recipient needs to verify your identity and find your key.

6. Integration with Thunderbird

Once your key is created via the terminal, you need to tell Thunderbird to use it for your email account.

In Thunderbird, open the Account Settings (via the “Hamburger” menu or Tools -> Account Settings).
In the left-hand sidebar, select the email account you want to secure (e.g., delightfuldude@criticalbasics.xyz).
Click on the End-To-End Encryption sub-menu for that account.

Now, you have two possible scenarios:

Scenario A: Thunderbird Automatically Finds Your Key

If you’re lucky, Thunderbird has already detected the key you created in the terminal. You will see it listed and can select it directly from the dropdown menu to associate it with your account. If so, you’re done!

Scenario B: The Key is Not Listed (Manual Import)

More often, Thunderbird doesn’t immediately find externally created keys. If your key is not in the list, you must import it manually.

In the same settings window, click the OpenPGP Key Manager… button.
A new “OpenPGP Key Manager” window will open. In its menu, go to File -> Import Secret Key(s) From File….
A file dialog will open. Navigate to and select the private.asc file you exported in Part 4.
You will be prompted for the passphrase you created for your key. Enter it to complete the import.
After a successful import, your new key will appear in the Key Manager list. You can now close this window.
Back in the Account Settings, your newly imported key should now be available in the dropdown menu. Select it to finalize the setup.

ℹ️ FURTHER HELP
For more detailed questions or troubleshooting, Mozilla provides an extensive FAQ page that is highly recommended: Official Thunderbird Help: OpenPGP HOWTO and FAQ

7. Integration with Neomutt

7.1. Neomutt Configuration

Add these settings to ~/.config/neomutt/muttrc, using your unique Key-ID.

# --- GPG/PGP Settings for Neomutt ---
set pgp_verify_sig = yes
set pgp_good_sign = "✅ Good OpenPGP signature from"
set pgp_autosign = yes
set pgp_replyencrypt = yes
set pgp_replysign = yes
# Für neuere Neomutt-Versionen:
set pgp_replysign_encrypted = yes
# Für ältere Neomutt-Versionen (falls obige Option einen Fehler verursacht):
# set crypt_replysign = yes
# Use the Key-ID followed by an exclamation mark!
# This tells GPG to use *exactly* this key.
set pgp_sign_as = "YOUR-KEY-ID!"
set pgp_timeout = 300
set pgp_show_unusable = no

8. Advanced Topic: Handling Multiple Accounts

For maximum security, use separate OpenPGP keys for each email account. This provides strong separation between your digital identities. This section covers the setup for Thunderbird and two common approaches for Neomutt.

Create Keys: For each identity (e.g., private, work), repeat the process in Part 2 to generate a new, dedicated key. Make sure to use the correct name and email address for each.

8.1. Thunderbird Integration

For each account you have set up in Thunderbird, follow Part 6 to assign the correct existing key to the corresponding email address. Thunderbird handles the mapping automatically.

8.2. Neomutt Integration: Two Approaches

For Neomutt, you can either switch accounts automatically based on the folder you are in, or manually via keyboard shortcuts.

Method A: Automatic Switching with Folder-Hooks

This method uses folder-hook to automatically load the correct account configuration (including the PGP key) when you enter a specific mailbox.

Step 1: Create the Directory Structure First, organize your account configurations in a dedicated directory.

mkdir -p ~/.config/neomutt/accounts

Step 2: Configure the Main muttrc for Hooks Your main ~/.config/neomutt/muttrc will now act as a loader. Add the PGP defaults (if not already present) and the hooks.

# --- PGP Defaults (add to your main muttrc) ---
set pgp_timeout = 300
set pgp_verify_sig = yes
set pgp_good_sign = "✅ Good OpenPGP signature from"
set pgp_show_unusable = no
# Für neuere Neomutt-Versionen:
set pgp_replysign_encrypted = yes
# Für ältere Neomutt-Versionen (falls obige Option einen Fehler verursacht):
# set crypt_replysign = yes

# --- Account Hooks ---
# Load a specific config file when you enter a folder.
# Replace the imap paths with your actual server paths.
folder-hook 'imaps://private@mail.com/' 'source ~/.config/neomutt/accounts/private.muttrc'
folder-hook 'imaps://work@company.com/'   'source ~/.config/neomutt/accounts/work.muttrc'

# Load a default account when Neomutt starts
source ~/.config/neomutt/accounts/private.muttrc

Step 3: Create Per-Account Configuration Files Create a separate file for each account inside ~/.config/neomutt/accounts/. This is where you set the PGP key for each identity.

Example: ~/.config/neomutt/accounts/private.muttrc

# --- Account: Private ---
set from = "private@mail.com"
set realname = "Your Name (Private)"
set pgp_sign_as = "YOUR-PRIVATE-KEY-ID!" # Get ID from Part 3
set pgp_autosign = yes
# ... your private imap_user, imap_pass, smtp_url, etc. go here

Method B: Manual Switching (for `mutt-wizard` users)

Many users rely on the popular mutt-wizard script, which favors manual account switching via macros. If your muttrc contains lines like macro index,pager i1 'source ...', this method is for you.

Step 1: Locate Your Account Files mutt-wizard creates a separate configuration file for each of your accounts, typically located in ~/.config/mutt/accounts/.

Step 2: Add pgp_sign_as to Each Account File For each account, edit its corresponding file and add the pgp_sign_as line to tell Neomutt which PGP key to use.

Get the Key-ID for the key you want to use with this account (as described in Part 3).
Open the account’s configuration file (e.g., ~/.config/mutt/accounts/delightfuldude@criticalbasics.xyz.muttrc).

Add the following line, replacing YOUR-KEY-ID! with the actual ID:

# Inside e.g., ~/.config/mutt/accounts/delightfuldude@criticalbasics.xyz.muttrc

# ... existing settings like 'set from', 'set realname', etc.

# Add this line to set the default PGP signing key for this account
set pgp_sign_as = YOUR-CRITICALBASICS-KEY-ID!

Result: Now, when you use your keyboard macros (e.g., i1, i2) to switch accounts, Neomutt will load the correct email settings and automatically select the right PGP key for signing. Your existing workflow remains unchanged but is now PGP-aware.

9. Transferring Your Configuration Between Computers

One of the most common questions is: “How can I use my OpenPGP setup on multiple computers without repeating this entire tutorial?” The good news is that you can transfer your configuration between computers quite easily.

9.1. What Files to Transfer

The most important directory is ~/.gnupg/, which contains:

Your private and public keys
GPG Agent configuration
Trust database (Web of Trust)

Additionally, depending on your email client:

Thunderbird: Thunderbird accesses the GnuPG keyring directly, so transferring the .gnupg directory is sufficient.
Neomutt: You’ll also need to copy your configuration files:
- ~/.config/neomutt/muttrc
- ~/.config/neomutt/accounts/ (if you have multiple accounts)

9.2. Transfer Process

Secure Transfer: Use a secure channel for transferring these files (encrypted USB drive, encrypted file transfer).

Copy the Directory: Copy the entire .gnupg directory to the same location on the target computer.

# On the source computer, create a secure backup
tar -czf gnupg-backup.tar.gz -C ~ .gnupg

# Transfer securely to the target computer and extract
# On the target computer:
tar -xzf gnupg-backup.tar.gz -C ~

Fix Permissions: After transferring, ensure proper permissions:
```
chmod 700 ~/.gnupg
chmod 600 ~/.gnupg/*
```
Adjust Pinentry Configuration: If the target system has a different desktop environment, you may need to modify the pinentry-program path in ~/.gnupg/gpg-agent.conf.
Reload GPG Agent: After transferring, reload the GPG agent:
```
gpg-connect-agent reloadagent /bye
```
Verify the Setup: Test that your keys are available:
```
gpg --list-secret-keys
```

By following these steps, you can efficiently use your OpenPGP setup across multiple computers without repeating the entire configuration process.

10. Quick Troubleshooting

Problem	Solution
“gpg: signing failed: Ambiguous specification”	You have multiple keys for one email. Use the unique Key-ID instead of the email address in your configuration (e.g., `pgp_sign_as` in Neomutt).
No password prompt appears	Your `pinentry` program is missing or misconfigured. Go back to Part 1.2 and ensure it is installed and configured correctly.
GPG Agent Issues (Passphrase not requested)	The GPG agent might have a stale cache. Force a reload with: `gpg-connect-agent reloadagent /bye`
“Key not found” error	You don’t have the recipient’s public key. Ask them for it or search a keyserver.
“gpg: signing failed: No secret key”	Your key might be expired, or GPG cannot find the correct secret key. Check `gpg --list-secret-keys` to ensure it’s present and valid.
Message shows “untrusted signature”	You have the sender’s public key, but you haven’t marked it as trusted. Verify the fingerprint and then sign it.

11. Conclusion

By starting with a solid foundation—creating your keys directly in the terminal—you have built a robust and universal encryption setup. This method not only avoids platform-specific pitfalls but also equips you with a deeper understanding of how PGP works. By performing essential maintenance like backups, establishing a clear public identity, and renewing your keys, you ensure your digital identity remains secure and trustworthy for the long term.

📚OPENPGP DOCUMENTATION 🛡️GNUPG DOCUMENTATION

CATEGORIES

TAGS

OBLIGATORY GIFS