KMail: Setup PGP/MIME

Author: B.Sc. Inf. Dominik Schulz <>
Version: 0.1.566
Date: 2008-11-30
Copyright: This document is released under the terms of the GNU Free Documentation License.
Status: Draft


This text explains how to set up and use PGP/MIME in KMail.



PGP/MIME is the successor of the deprecated method of signing mails, often called "inline PGP". Since version 1.5 (KDE 3.1) it is possible to use PGP/MIME within KMail. Unfortunately the setup is far from intuitive. I'll try to give an easy explanation of how to set up the required programs. This description is based on a Debian distribution, but most steps should apply to others as well.

Required Packages

You'll need the following packages to use PGP/MIME in KMail:

On any Debian-based distribution you can install them with the help of aptitude:

aptitude install kgpg gpgsm kleopatra gnupg-agent pinentry-qt

Configuring GnuPG and gpg-Agent

To be able to enter your passphrase you have to tell GnuPG to use the agent. To enable the agent add the following line to the file ~/.gnupg/gpg.conf:


By default the agent asks for the password on the command line, but it can be configured to use a so-called pinentry program to ask for the passphrase. This can be enabled in the appropriate configuration file. Open the file ~/.gnupg/gpg-agent.conf and add the following lines to the end of the file:

pinentry-program /usr/bin/pinentry-qt
default-cache-ttl 1800

You'll probably have to adjust the path to pinentry-qt. Use which pinentry-qt to find out where it is installed on your system. The last line configures how long the password is cached.

A screenshot of Pinentry QT

To use GnuPG with the agent you have to start the agent first.

eval "$(gpg-agent --daemon)"

eval executes the command in the brackets and evaluates the returned text. This is important since the agent creates a socket and emits an environment variable that points to this socket. The socket is used by GnuPG to communicate with the agent. Here lies a small pitfall. The command sets the environment variable GPG_AGENT_INFO only in the current shell (and all derived shells). If you execute this command in a Konsole and then start KMail from your K-Menu, KMail will not know this variable and will fail to find the agent. That would mean that it has no access to the passphrase and is unable to unlock your key. So you should create a script in ~/.kde/env/. You can name it whatever you like, I suggest In this file you just put the line from above.

eval "$(gpg-agent --daemon)"

Now you can test whether GnuPG uses gpg-agent and pinentry-qt. Look up your personal key ID by using gpg -K to list your private keys and then execute the following command.

echo "test" | gpg -ase -r 0xDEADBEEF | gpg

Of course you have to replace the key ID with your key ID. If your setup is correct you should be asked for the passphrase twice: Once for encryption and once for signing. Now remember to start KMail from the same shell in which you executed the command above, or, even better, log out and log in again to KDE. If KMail doesn't ask for your passphrase when trying to send a signed mail, you should check whether GPG_AGENT_INFO is set. If not, something went wrong.
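
The checks from this section collected into one script, as an added example that is not part of the original text. The function names are hypothetical, and since the gpg.conf line is not shown above, the script assumes it is GnuPG's use-agent option.

```shell
#!/bin/sh
# Added example: sanity checks for the gpg-agent setup described on this page.
# Source this file in the session KMail is started from, then run:
#   check_setup            (checks ~/.gnupg and the current GPG_AGENT_INFO)

# Print the pinentry path configured in gpg-agent.conf (last entry wins).
configured_pinentry() {
    sed -n 's/^[[:space:]]*pinentry-program[[:space:]][[:space:]]*//p' \
        "$1/gpg-agent.conf" 2>/dev/null | tail -n 1
}

# Print the socket path from a GPG_AGENT_INFO value ("socket:pid:protocol").
agent_socket() {
    printf '%s\n' "${1%%:*}"
}

# Report every problem found; the return value is the number of problems.
check_setup() {
    home=${1:-$HOME/.gnupg}
    problems=0

    # Assumption: "use-agent" is the gpg.conf line this page refers to.
    if ! grep -Eq '^[[:space:]]*use-agent[[:space:]]*$' "$home/gpg.conf" 2>/dev/null; then
        echo "gpg.conf: use-agent is not set"; problems=$((problems + 1))
    fi

    # The configured pinentry must exist and be executable.
    pinentry=$(configured_pinentry "$home")
    if [ -z "$pinentry" ]; then
        echo "gpg-agent.conf: no pinentry-program line"; problems=$((problems + 1))
    elif [ ! -x "$pinentry" ]; then
        echo "gpg-agent.conf: $pinentry is not executable"; problems=$((problems + 1))
    fi

    # The pitfall from the text: the variable must be set in THIS environment
    # and must point to a socket that still exists.
    if [ -z "${GPG_AGENT_INFO:-}" ]; then
        echo "GPG_AGENT_INFO is not set in this environment"; problems=$((problems + 1))
    elif [ ! -S "$(agent_socket "$GPG_AGENT_INFO")" ]; then
        echo "GPG_AGENT_INFO points to a missing socket"; problems=$((problems + 1))
    fi

    return "$problems"
}
```

Running check_setup in a Konsole and again in a shell started from the K-Menu shows whether the ~/.kde/env/ script took effect for the whole KDE session.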

Test in KMail

In KMail you should make sure that the OpenPGP backend is enabled. Open "Settings -> Configure KMail -> Security -> Crypto Backends" and check whether OpenPGP is auto-detected. From now on it should be possible to handle encrypted mail with KMail.

A screenshot of the Crypto-Modules

Concluding Remarks

This text is based on the text "KMail: PGP/MIME" by Marc Mutz and Bernhard Reiter at If you happen to find any errors in this text please let the author know. Further help can probably be found at the KMail Development List <>.