|By Kevin Lyda.|
The following is an edited text of a mail I sent to a person to help
them use gpg with mutt. In addition at the end I've enclosed some things
to add to mutt.
OK, well, we'll start simple and have you send me your key. Mutt makes
that very easy: reply to this and then exit the editor. On the
compose screen (that's the one with the to, cc, subject, attachments
and other things screen, right?) just press esc-k. It will then ask
you what key you want to attach. Just type in your email address:
Actually, there are two other things to do first: Add those addresses
to your key, and send it to a keyserver (that way you won't have to send
people keys, but send yours to me anyway so you see how to do it).
Add email addresses:
% gpg --edit-key email@example.com
Note: You actually can type just part of that email address.
to exit the edit-key function without changing the key,
just type "quit". Typing "save" will save changes.
Real name: jane user
Email address: firstname.lastname@example.org
Comment: home key
You selected this USER-ID:
"jane user (home key) <email@example.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a passphrase to unlock the secret key for
user: "jane user (home key) <firstname.lastname@example.org>"
...stuff about your key...
Now repeat all that for this address: email@example.com. Now your
key corresponds to those two addresses.
Sending your key to a keyserver. First make sure you have a keyserver
line in ~/.gnupg/options. Mine looks like:
You can uncomment any one of those three. Then tell gpg to send your key (=
I'm assuming you have a direct net connection):
gpg --send-key firstname.lastname@example.org
And your key should now propogate among the keyservers. Note it will
only send your public key.
I think I can manage to send the things, and to receive them signed
and encrypted, but when I try to hit 'r' to reply to an encrypted
email, I get...
OK, that implies that it's not successfully decrypting the message.
all my gpg settings live in a seperate file that I just source from
my .muttrc. The file is attached.
decrypt-copy make decrypted copy
decrypt-save make decrypted copy and delete
Presumably I need those if I want to reply to things. I can't figure
out how to do those without binding them, so I'm trying to think of
sensible combinations to bind them to, where I can find the keys on
US, UK and laptop keyboards. This is more of a pain than it sounds!
No, those are unbound on mine as well and reply works fine for me.
So anyway, I can read stuff encrypted to me, and I have discovered
the 'p' key on the mutt send-menu and can send and send/encrypt to
Right. You can also use send hooks to set those types of things.
What I need is to be able to save a copy of the thing encrypted to
me as well as the recpient, so to speak. I keep saved-mail for a
long time, and discovering I have no way to read what I wrote is a
Yes, but it should do that by default. Again, mine does that. I'm using
gpg 1.0.4 (bad kevin, bad). You used to have to set that, now you don't.
See, the problem is, I'm always convinced I am sending the wrong
halves of these things. Same with ssh and access keys or whatever
Anyway, note that gpg commands relating to your secret key have the
word secret in them. Don't type secret and you'll be sending the
right bits! :)
I need to know which keys to press in mutt and how to import/sign/upload
to keyserver/tidy up my keyring and
import: gpg --import file.with.key
note that mutt will automagically try to snarf keys if you don't have
that key. Also if someone sends you a key via email - don't save it.
just hilite it, and press c-k.
sign someone else's key: gpg --sign-key email@address
upload: gpg --send-keys email@address
One quick way to refresh your memory on commands is:
gpg --help | grep thing
Where thing is a word related to what you're doing: key, sign, encrypt,
etc. You can also pipe it through less. Finally someone prints a
multipage usage info to stdout instead of stderr.
This is the ~/.mutt.gpg I use. I include it from my mail ~/.muttrc file like
# .muttrc.gpg: Command formats for gpg.
# This version uses gpg-2comp from
# $Id: gpg.rc,v 126.96.36.199 2000/05/23 08:15:02 roessler Exp $
# %p The empty string when no passphrase is needed,
# the string "PGPPASSFD=0" if one is needed.
# This is mostly used in conditional % sequences.
# %f Most PGP commands operate on a single file or a file
# containing a message. %f expands to this file's name.
# %s When verifying signatures, there is another temporary file
# containing the detached signature. %s expands to this
# file's name.
# %a In "signing" contexts, this expands to the value of the
# configuration variable $pgp_sign_as. You probably need to
# use this within a conditional % sequence.
# %r In many contexts, mutt passes key IDs to pgp. %r expands to
# a list of key IDs.
# decode application/pgp
set pgp_decode_command="gpg %?p?--passphrase-fd 0? --no-verbose --batch -=
-output - %f"
# verify a pgp/mime signature
set pgp_verify_command="gpg --no-verbose --batch --output - --verify %s %=
# decrypt a pgp/mime attachment
set pgp_decrypt_command="gpg --passphrase-fd 0 --no-verbose --batch --out=
put - %f"
# create a pgp/mime signed attachment
# set pgp_sign_command="gpg-2comp --no-verbose --batch --output - --passp=
hrase-fd 0 --armor --detach-sign --textmode %?a?-u %a? %f"
set pgp_sign_command="gpg --no-verbose --batch --output - --passphrase-fd=
0 --armor --detach-sign --textmode %?a?-u %a? %f"
# create a application/pgp signed (old-style) message
# set pgp_clearsign_command="gpg-2comp --no-verbose --batch --output - --=
passphrase-fd 0 --armor --textmode --clearsign %?a?-u %a? %f"
set pgp_clearsign_command="gpg --no-verbose --batch --output - --passphra=
se-fd 0 --armor --textmode --clearsign %?a?-u %a? %f"
# create a pgp/mime encrypted attachment
# set pgp_encrypt_only_command="pgpewrap gpg-2comp -v --batch --output - =
--encrypt --textmode --armor --always-trust -- -r %r -- %f"
set pgp_encrypt_only_command="pgpewrap gpg -v --batch --output - --encryp=
t --textmode --armor --always-trust -- -r %r -- %f"
# create a pgp/mime encrypted and signed attachment
# set pgp_encrypt_sign_command="pgpewrap gpg-2comp --passphrase-fd 0 -v -=
-batch --output - --encrypt --sign %?a?-u %a? --armor --always-trust -- -r =
%r -- %f"
set pgp_encrypt_sign_command="pgpewrap gpg --passphrase-fd 0 -v --batch -=
-output - --encrypt --sign %?a?-u %a? --armor --always-trust -- -r %r -- %f"
# import a key into the public key ring
set pgp_import_command="gpg --no-verbose --import -v %f"
# export a key from the public key ring
set pgp_export_command="gpg --no-verbose --export --armor %r"
# verify a key
set pgp_verify_key_command="gpg --no-verbose --batch --fingerprint --chec=
# read in the public key ring
set pgp_list_pubring_command="gpg --no-verbose --batch --with-colons --li=
# read in the secret key ring
set pgp_list_secring_command="gpg --no-verbose --batch --with-colons --li=
# receive key from keyserver:
#set pgp_getkeys_command="wrap.sh -g %r"
set pgp_getkeys_command="gpg --recv-keys %r > /dev/null 2>&1"
RPM of mutt with PGP and S/MIME support.Related:
About the author, Kevin Lyda.