How to encrypt and sign your e-mails

I know my phone is private. I know my memory sticks are private. That’s because of cryptography — message scrambling. The math behind crypto is good and solid, and you and me get access to the same crypto that banks and the National Security Agency use. There’s only one kind of crypto that anyone uses: crypto that’s public, open and can be deployed by anyone. That’s how you know it works.

There’s something really liberating about having some corner of your life that’s yours, that no one gets to see except you. […] It’s not about doing something shameful. It’s about doing something private. It’s about your life belonging to you.

C. Doctorow, Little Brother [reference]

Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.

E. Snowden in The Guardian [source]

Why would you need to encrypt your e-mail communications? For the same reason you seal a letter in a envelope before putting it in a mailbox: you deliver personal or intimate informations, you shouldn’t make it easier for anyone to look at it. The second reason is that encryption allows you to digitally sign an e-mail and guarantee the sender identity. 

Let’s have a look at the Mozilla support page:

When you digitally sign a message, you embed information in the message that validates your identity. When you encrypt a message, it appears to be “scrambled” and can only by read by a person who has the key to decrypting the message. Digitally signing a message ensures that the message originated from the stated sender. Encrypting ensures that the message has not been read or altered during transmission.

How does it work?

Asymmetric encryption works with two keys:

  • one public that is used to encrypt the message adressed to the key owner. Public keys may be shared widely.
  • one private, used by the owner of the public key to decrypt the message. The private key must never be shared.

So, you’ll need to make contact with every person you want to establish a secure communication with. GnuPG website explains it quite nicely:

A public key may be thought of as an open safe. When a correspondent encrypts a document using a public key, that document is put in the safe, the safe shut, and the combination lock spun several times. The corresponding private key is the combination that can reopen the safe and retrieve the document. In other words, only the person who holds the private key can recover a document encrypted using the associated public key.

The procedure for encrypting and decrypting documents is straightforward with this mental model. If you want to encrypt a message to Alice, you encrypt it using Alice’s public key, and she decrypts it with her private key. If Alice wants to send you a message, she encrypts it using your public key, and you decrypt it with your private key.”


How to set up encryption in your mail client? This guide/blog is mostly focused on Linux, so we’ll use the Linux tools. However cryptography is compatible with any platforms and you may find alternative softwares to use it, as Thunderbird + Enigmail instead of Kmail + Kgpg.

We’ll need three elements:

  • GnuGP: GnuPG is GPL licensed cryptographic software that helps people ensure the confidentiality, integrity and assurance of their data [details]. It’s a free implementation of the OpenPGP standard and should be already included in most Linux distros and works on Win and MacOS as well.
  • KGpg: a KDE frontend GPG interface to manage your keys. You may find alternatives like GnomePGP for GTK environments.
  • Kmail: our mail client. GPG encryption is also supported by Thunderbird/Icedove et alt.

Create your keys

Let’s begin. We need to create our public and private keys. Launch KGpg and go to menu Keys > Generate Key Pair. Enter your name and email address, set the Key size to 4096 bits and the Algorithm to DSA & ElGamal. You may want to put an expiration date to your keys, for security reason. Enter a passphrase in the next dialog. Key generation may take a few seconds.


To publish your public key, select Export Public Key from the toolbar and choose your Key server: hkp://

Kgpg_02To find someone’s public key go to search by name or address.Try to find yours and click on the ID link indicated with Pub: copy the page in your clipboard or in a text file and import it on Kgpg with the Keys > Import Key menu. Public keys will look like this:

Version: SKS 1.1.4
Comment: Hostname:



Configure the mail client

You must have a mail account configured in your client (Kmail in here). Go to Settings > Configure KMail > Identities. Select your identity and click Modify > Cryptography. For both OpenPGP signing key and OpenPGP encryption key, click Change: your keys should appear there, select them. It’s done.

Kgpg_03Now, open the composer window to:

  • Send an encrypted message to anyone who shared his public key, just select Encrypt in the mail composing dialog box. Kmail should select the encryption according to the recipient address.
  • Send a public key of your keychain by choosing the Attach Public Key menu.
  • Digitally sign the message to prove your identity, select Sign.

Kgpg_04When receiving an encrypted e-mail (encrypted with… your public key, bravo) you will be prompted for your passphrase.



GnuPG can also be used as a simple password protection for files [source]: a new version of the file followed by a second extension ‘.gpg’ will be created.

gpg -c textfile.txt
# enter a passphrase twice

To decrypt the file:

gpg textfile.txt.gpg
#enter your passphrase

Comments are closed.

Blog at

Up ↑