The Ultimate Guide to Email Encryption with OpenPGP
Table of Contents 📑
- Changelog
- Part 1: Pre-Flight Check – Your System’s Foundation
- Part 2: Creating Your Master Key in the Terminal
- Part 3: Essential Security Practices (Don’t Skip This!)
- Part 4: Integration with Thunderbird
- Part 5: Integration with Neomutt
- Part 6: Advanced Topic: Handling Multiple Accounts
- Part 7: Quick Troubleshooting
- Part 8: Conclusion
This guide provides a comprehensive, “terminal-first” approach to setting up robust end-to-end email encryption. By creating your cryptographic keys directly with GnuPG, you build a universal and secure foundation. We will then show you how to integrate this setup seamlessly with both Thunderbird, a user-friendly graphical client, and Neomutt, a powerful terminal-based client.
Changelog
| Date | Change |
|---|---|
| 2025-07-15 | Major Restructure (Terminal-First): The entire guide was rewritten to prioritize key creation in the terminal (gpg), making it more robust, universal, and secure. This resolves platform-specific client issues. |
| 2025-07-15 | Initial Version: Article created. |
Part 1: Pre-Flight Check – Your System’s Foundation
Before we create any keys, we must ensure your system is correctly configured.
1.1. Install GnuPG
This is the core encryption engine.
- Debian/Ubuntu: `sudo apt update && sudo apt install gnupg`
- Arch Linux: `sudo pacman -Syu gnupg`
1.2. Install and Configure pinentry
When a program needs your key’s passphrase, GPG uses a helper application called pinentry to display a secure prompt. On minimal systems like Arch Linux, it might not be installed by default; signing and decryption then fail because no passphrase prompt can be shown.
Install the correct pinentry package for your desktop environment:
- GNOME: `sudo pacman -S pinentry` (or `sudo apt install pinentry-gnome3`)
- KDE Plasma: `sudo pacman -S pinentry` (or `sudo apt install pinentry-qt`)
- If unsure, the standard `pinentry` package is usually a safe bet.
Tell the GPG agent which program to use. We will use the simple terminal editor nano for this. Open the file by running:
nano ~/.gnupg/gpg-agent.conf
Inside the nano editor, add the following single line. This is the entire content of the file.
Save the file and exit nano by following these steps:
a. Press Ctrl + X to exit.
b. Press Y to confirm you want to save the changes.
c. Press Enter to confirm the filename.
Reload the agent to apply the new configuration:
gpg-connect-agent reloadagent /bye
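The following helper script is an added example, not part of the guide: it locates whichever pinentry binary from the list above is installed, writes it into gpg-agent.conf, and reloads the agent. It assumes the single configuration line meant above is gpg-agent's standard `pinentry-program <path>` option, and the candidate binary names are the package names given in this section.

```shell
#!/bin/sh
# Added example, not part of the original guide: choose the pinentry program
# that is actually installed and write the single "pinentry-program" line
# into gpg-agent.conf. Assumption: that line (the one the guide has you type
# into nano) is gpg-agent's standard "pinentry-program <path>" option.

# Print the absolute path of the first candidate found in $PATH.
# Candidates come from the arguments, defaulting to the packages the guide
# names: pinentry-gnome3 (GNOME), pinentry-qt (KDE Plasma), plain pinentry.
find_pinentry() {
    [ $# -gt 0 ] || set -- pinentry-gnome3 pinentry-qt pinentry
    for cand in "$@"; do
        if path=$(command -v "$cand" 2>/dev/null); then
            printf '%s\n' "$path"
            return 0
        fi
    done
    echo "no pinentry program found in PATH" >&2
    return 1
}

# Write $1 (normally ~/.gnupg/gpg-agent.conf) so that its entire content is
# one pinentry-program line pointing at $2, which must be executable.
# umask 077 keeps the directory and the file private to the owner, as GPG expects.
write_agent_conf() {
    conf=$1; prog=$2
    [ -x "$prog" ] || { echo "not executable: $prog" >&2; return 1; }
    (
        umask 077
        mkdir -p "$(dirname "$conf")" &&
        printf 'pinentry-program %s\n' "$prog" > "$conf"
    )
}

# Ask the running agent to re-read its configuration (same command as the guide).
reload_agent() {
    gpg-connect-agent reloadagent /bye
}

# Typical use (uncomment to run against your own keyring):
# write_agent_conf "$HOME/.gnupg/gpg-agent.conf" "$(find_pinentry)" && reload_agent
```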
Part 2: Creating Your Master Key in the Terminal
We will now create your OpenPGP key using the recommended interactive process.
Start the key generation process:
gpg --full-generate-key
Follow the prompts. The recommended choices are secure and robust:
- Key Type: Select (1) RSA and RSA.
- Key Size: Enter 4096 bits.
- Expiration Date: Enter 2y (for 2 years). Keys should expire. This is a critical safety net that limits potential damage if a key is ever lost. Don’t worry, you can easily extend the validity before it expires, as shown in Part 3.5.
- Confirm that the expiration date is correct by typing y.
Provide Your User ID:
- Real name: Enter your full name.
- Email address: Enter the email address for this key.
- Comment: You can leave this blank.
- Confirm your details by typing O (for Okay).
Set Your Passphrase: A secure prompt will now appear (thanks to pinentry!). This will be the master password for your new private key.
⚠️ PASSPHRASE QUALITY IS CRITICAL: A weak passphrase makes your encrypted data vulnerable. Consider using a method like Diceware to generate a sequence of random words. If you lose this passphrase, you lose access to all data encrypted with this key permanently.
Congratulations, you have successfully created a secure, command-line-native OpenPGP key!
Part 3: Essential Security Practices (Don’t Skip This!)
Immediately after creation, you must secure your new key for long-term use.
3.1. Identifying Your Key: The Key-ID
From this point forward, we will use your key’s unique Key-ID to refer to it. This avoids any confusion if you ever have multiple keys for the same email address.
- Find Your Key-ID: Run the following command.
gpg --list-secret-keys --keyid-format LONG
- Identify the ID: In the output line `sec rsa4096/YOUR-KEY-ID ...`, YOUR-KEY-ID is the long string of characters you will use in all subsequent commands.
3.2. Backup Your Private Key
A backup is not a backup until it’s tested. Use your newly found Key-ID here.
- Create the Backup:
umask 077 && gpg --export-secret-keys --armor YOUR-KEY-ID > private-key-backup.asc
- Verify the Backup:
gpg --dry-run --import private-key-backup.asc
If this command runs without errors, your backup is valid. Now, store the .asc file in one or more extremely secure, offline locations.
3.3. Create a Revocation Certificate
This is your emergency button. Use your Key-ID to specify which key to revoke.
umask 077 && gpg --gen-revoke --armor YOUR-KEY-ID > revocation-cert.asc
Store this file as securely as your private key backup.
3.4. Verify Keys and Build Your Web of Trust
To trust a key from a contact, you must verify its fingerprint. Use the Key-ID to be specific.
- Find your fingerprint:
gpg --fingerprint YOUR-KEY-ID
- Verification: Meet your contact in person or on a trusted channel (video call) and read your fingerprints aloud to each other.
- Web of Trust: Once verified, sign their key (`gpg --sign-key contact@email.com`). This builds the “Web of Trust” and tells GPG that you vouch for that key’s authenticity.
3.5. Extending Your Key’s Validity (Key Renewal)
An expiring key is a feature, not a problem. You do NOT need to start over. You can easily extend its life before it expires.
- Start the Key-Editing Process:
gpg --edit-key YOUR-KEY-ID
- Extend the Expiration Date: Inside the GPG prompt, type expire, enter a new duration (e.g., 2y), and confirm.
- Save Your Changes:
gpg> save
- Distribute Your Updated Key: You must re-publish your updated public key.
gpg --keyserver hkps://keys.openpgp.org --send-keys YOUR-KEY-ID
Also, send a newly signed email with your updated public key attached to your most important contacts.
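The helpers below are an added example (not from the guide) that serve both 3.1 and 3.5: they read the text printed by `gpg --list-secret-keys --keyid-format LONG`, find the long Key-ID behind an email address (the fix for the “Ambiguous specification” error in Part 7), and report when a key or its encryption subkey expires so you renew in time. The listing is a constructed sample; the function and variable names are mine.

```shell
#!/bin/sh
# Added example, not part of the original guide: helpers that read the text
# printed by "gpg --list-secret-keys --keyid-format LONG" and answer two
# questions from Part 3: which long Key-ID belongs to an e-mail address
# (pin that instead of the ambiguous address), and when a key, or its
# encryption subkey, expires (renew before that date, see Part 3.5).

# Constructed sample listing: two keys carry the same address, the second
# one older and closer to expiry. Real output also starts with a keyring path.
LISTING='sec   rsa4096/0123456789ABCDEF 2025-07-15 [SC] [expires: 2027-07-15]
      ABCDEF0123456789ABCDEF0123456789ABCDEF01
uid                 [ultimate] Your Name <you@example.com>
ssb   rsa4096/FEDCBA9876543210 2025-07-15 [E] [expires: 2027-07-15]
sec   rsa4096/1111222233334444 2024-01-01 [SC] [expires: 2026-01-01]
      1111222233334444111122223333444411112222
uid                 [ultimate] Your Name (old) <you@example.com>
ssb   rsa4096/5555666677778888 2024-01-01 [E] [expires: 2026-01-01]'

# Print the long Key-ID of every secret key whose user ID carries <$2>.
# More than one line back means the address alone is ambiguous for GPG.
key_ids_for_email() {
    printf '%s\n' "$1" | awk -v email="$2" '
        /^sec[# ]/ { split($2, a, "/"); cur = a[2] }   # "sec rsa4096/KEYID ..."
        /^uid / && index($0, "<" email ">") { print cur }'
}

# Print the expiry date (YYYY-MM-DD) of key or subkey $2, or "never".
# Subkeys (ssb) are covered too: "expire" in gpg --edit-key only changes the
# key currently selected, so check the encryption subkey as well as the primary.
key_expiry() {
    printf '%s\n' "$1" | awk -v kid="$2" '
        /^(sec|ssb)[# ]/ && index($2, "/" kid) {
            if (match($0, /\[expires: [0-9-]+\]/))
                print substr($0, RSTART + 10, RLENGTH - 11)
            else
                print "never"
        }'
}

# Exit 0 if key $2 exists and expires strictly before ISO date $3 (renewal due).
# ISO dates sort correctly as plain strings, so no date(1) arithmetic is needed.
expires_before() {
    exp=$(key_expiry "$1" "$2")
    [ -n "$exp" ] && [ "$exp" != "never" ] &&
        awk -v a="$exp" -v b="$3" 'BEGIN { exit !(a < b) }'
}

# Demo on the constructed listing.
key_ids_for_email "$LISTING" you@example.com        # two IDs: address is ambiguous
key_expiry "$LISTING" 5555666677778888              # 2026-01-01
expires_before "$LISTING" 1111222233334444 2026-06-01 && echo "renew 1111222233334444"
```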
Part 4: Integration with Thunderbird
- Open Account Settings and go to the End-To-End Encryption tab for your email account.
- Click Add Key… and select “Use an existing OpenPGP Key”.
- Thunderbird will scan your GPG keyring and find the key you just created. Select it and click “Continue”.
- Confirm that you want to use this key for your account.
That’s it! To allow others to find your public key, upload it to a modern keyserver as shown in Part 3.5.
Part 5: Integration with Neomutt
5.1. Neomutt Configuration
Add these settings to ~/.config/neomutt/muttrc. Here, it is crucial to use the Key-ID to be unambiguous.
# --- GPG/PGP Settings for Neomutt ---
set pgp_verify_sig = yes
set pgp_good_sign = "✅ Good OpenPGP signature from"
set pgp_autosign = yes
set pgp_replyencrypt = yes
set pgp_replysign = yes
set pgp_replysign_encrypted = yes
# Use the Key-ID followed by an exclamation mark!
# This tells GPG to use *exactly* this key.
set pgp_sign_as = "YOUR-KEY-ID!"
set pgp_timeout = 300
set pgp_show_unusable = no
Part 6: Advanced Topic: Handling Multiple Accounts
For maximum security, use separate OpenPGP keys for each email account. This provides strong separation between your digital identities.
Create Keys: For each identity (e.g., private, work), repeat the process in Part 2 to generate a new, dedicated key. Make sure to use the correct name and email address for each.
Thunderbird Integration: For each account you have set up in Thunderbird, follow Part 4 to assign the correct existing key to the corresponding email address. Thunderbird handles the mapping automatically.
Neomutt Integration: Use folder-hook to switch configurations automatically as you navigate your mailboxes.
Structure: First, create a directory for your account configurations:
mkdir -p ~/.config/neomutt/accounts
Main muttrc: Your main ~/.config/neomutt/muttrc will now act as a loader.
# --- Main muttrc ---
# General settings (editor, etc.)
# --- PGP Defaults ---
set pgp_timeout = 300
set pgp_verify_sig = yes
set pgp_good_sign = "✅ Good OpenPGP signature from"
set pgp_show_unusable = no
set pgp_replysign_encrypted = yes
# --- Account Hooks ---
# Load a specific config file when you enter an account folder.
folder-hook 'imaps://private@mail.com/' 'source ~/.config/neomutt/accounts/private.muttrc'
folder-hook 'imaps://work@company.com/' 'source ~/.config/neomutt/accounts/work.muttrc'
# Load a default account on startup
source ~/.config/neomutt/accounts/private.muttrc
Account Files: Create a separate file for each account inside ~/.config/neomutt/accounts/.
Example: private.muttrc
# --- Account: Private ---
set from = "private@mail.com"
set realname = "Your Name (Private)"
set pgp_sign_as = "YOUR-PRIVATE-KEY-ID!"
set pgp_autosign = yes
# ... your private imap_user, smtp_url, etc. go here
Example: work.muttrc
# --- Account: Work ---
set from = "work@company.com"
set realname = "Your Name (Work)"
set pgp_sign_as = "YOUR-WORK-KEY-ID!"
set pgp_autosign = yes
# ... your work imap_user, smtp_url, etc. go here
Part 7: Quick Troubleshooting
| Problem | Solution |
|---|---|
| “gpg: signing failed: Ambiguous specification” | You have multiple keys for one email. Use the unique Key-ID instead of the email address in your configuration (e.g., pgp_sign_as in Neomutt). |
| No password prompt appears | Your pinentry program is missing or misconfigured. Go back to Part 1.2 and ensure it is installed and configured correctly. |
| GPG Agent Issues (Passphrase not requested) | The GPG agent might have a stale cache. Force a reload with: `gpg-connect-agent reloadagent /bye` |
| “Key not found” error | You don’t have the recipient’s public key. Ask them for it or search a keyserver. |
| “gpg: signing failed: No secret key” | Your key might be expired, or GPG cannot find the correct secret key. Check `gpg --list-secret-keys` to ensure it’s present and valid. |
| Message shows “untrusted signature” | You have the sender’s public key, but you haven’t marked it as trusted. Verify the fingerprint and then sign it. |
Part 8: Conclusion
By starting with a solid foundation—creating your keys directly in the terminal—you have built a robust and universal encryption setup. This method not only avoids platform-specific pitfalls but also equips you with a deeper understanding of how PGP works. By performing essential maintenance like backups and key renewals, you ensure your digital identity remains secure for the long term.