Still, looking for more ways to add extra padding to your emails? Today, I’ll be talking about one of the most peculiar and useful mail encryption tools I’ve happen to come across. Meet Kleopatra – not the femme fatale ruler of the Nile – your very own certificate manager and Graphical User Interface for the GnuPG. What is this tool useful for? As the article’s title suggests, it will help you encrypt email messages using the OpenPGP standard. For more info about how PGP came to be and how it works, be sure to check out my article on PGP encryption. Enough babble – let’s see how to encrypt email in Kleopatra.
Jan 02, 2020 Open the Kleopatra component. Click File Import Certificates. Use the File Explorer tool to browse to where you've saved your private key. Select the key file and click. The imported private key now displays under the My Certificates tab. How do I generate a PGP key? Create a Keypair. Open Encryption Desktop. Select the PGP Keys. Kleopatra is a open PGP certificate manager which will allow you to manage your PGP encryption keys. Slideshare uses cookies to improve functionality and performance, and to provide you with relevant advertising. Oct 25, 2016 Kleopatra is a certificate manager and GUI for GnuPG. The software stores your OpenPGP certificates and keys. It is available for Windows and Linux. In association with the KMail email client, you can also take advantages of the cryptographical features for your communication via email. Donations desired.
What exactly is Kleopatra?
Before we get around to encrypting emails, we should say a few words about our queenly certificate manager. First of all, Kleopatra is not an email client, meaning that you won’t be able to send a message. Kleopatra is a desktop repository of OpenPGP certificates and public-private keys. Yes, I know this could be construed as a manager turn-off but, luckily, Kleopatra can be easily associated with open-source email clients such as KMail.
I’ll be talking more about the PGP-compatible email solution in a future article. So, Kleopatra lets you create public-private key pairs, store and modify certificates, share said certificates with your peers – or confederates, depending on the case – and more. Please remember Kleopatra’s for storage, not for actual email communication. With this clarification in mind, let’s explore this awesome tool.
How to Encrypt Email in Kleopatra
Are you ready to do some serious gpg4win encryption? Let’s get down to business.
Step 1. Download and install Kleopatra.
Kleopatra is a message encryption utility that’s part of a large package. This pack is called Gpg4win. Download the package from the official webpage and follow the onscreen instruction to complete the installation process.
Step 2. Set up Kleopatra.
Once the installation process is done, open Kleopatra. On the first run, Kleopatra will ask you to create a key pair (i.e., public-private key). Click on the New Key Pair button. Type in your name and associated email address and press Next to continue. The message “Creating a New Key Pair” will pop up on your screen. After a couple of seconds, a new window will appear, asking you to provide a passphrase.
Kleopatra has a built-in password strength evaluator that will show you how weak or strong your password is based on your choice of alphanumeric symbols. Go ahead and type in your passphrase and click Ok to continue.
After a couple of (more) seconds, your key pair will be created. The key pair creation wizard’s summarization screen contains a copy of your fingerprint (i.e. the shorter version of your public PGP key) and several other useful functions such as key pair backup, upload the public key to directory service, or send the public key via email.
Step 3. Manage your certificates.
Congrats! You’ve just created your first key pair with Kleopatra. Now, before you proceed, I strongly recommend you made a local backup of your key pair. To do that, click on the key pair backup button. Press the browse file button, choose a storage folder, name it, and Ok to continue. This will create a secret key on your machine. Type in your passphrase, click ok and close the wizard.
You’re all set up to encrypt and decrypt messages using PGP. There’s one thing missing thought – the recipient. To encryptdecrypt messages from your peer or peers, you’ll need to certify his or her certificate. To do that, ask your peer to send you his PGP public key via email. Once you’ve received it, open a notepad document and copy the contents of the email.
Extra caution when you copy a PGP key – you must include everything from title (e.g. – – – – – BEGIN PGP PUBLIC KEY BLOCK – – – – -) to footer (- – – – – END PGP PUBLIC KEY BLOCK- – – – – ) and dashes. Now, once you’ve copied the recipient’s public key to a notepad document, select the text, right-click, and select Cut. Go back to Kleopatra, click on Tools, highlight Clipboard, and click on the certificate Import.
Step 4. Validating the recipient’s certificate.
In the Certify Certificate window, click the check box next to your recipient’s name (i.e., if no name was appended to the public key, this field will appear blank; you may still select it). Highlight the box next to “I have verified the fingerprint” and click Next to continue. In the following window, select “Certify only for myself”, and click on Certify to continue. You may be asked to provide your passphrase. Do that and click on ok.
Step 5. How to encrypt email in Kleopatra.
Once you’ve validated your peer’s certificate, you will be able to PGP- or SMIME-encrypt your messages. First, compose your message. Open a fresh notepad document and type in your plaintext message. When you’re done, highlight the message, right-click and select copy. Go back to Kleopatra, click on tools, select Clipboard, and click on Encrypt. Under recipients, click on the “Add recipient” button.
Don’t forget to have your OpenPGP function selected. In the next window, select your recipient, and press Ok. Your message will now be PGP encrypted. Close the encryption window, open a fresh notepad document, right-click, and hit paste.
This is your PGP-encrypted document. Use your favorite email client to send this PGP block to your peer and that’s it. Both sender and recipient can decrypt the message by using the decrypt function in Kleopatra. Just hit decrypt, select your certificate, paste the text from the email’s body, and hit the ok button to begin decryption. That’s it!
- Deep content scanning for attachments and links;
- Phishing, spear phishing and man-in-the-email attacks;
- Advanced spam filters to protect against sophisticated attacks;
- Fraud prevention system against Business Email Compromise;
Parting thoughts
Kleopatra is a very useful and free tool for sending PGP- and SMIME-encrypted messages. On top of that, it’s far safer to use for corporate comms compared to iGolder or other free-to-use resources. Again, I have to emphasize that Kleopatra is just a certificate manager and not an email client. You will need to use another transport vector to send your encrypted message across.
Of course, encrypting your emails is not enough. In a previous article, I’ve highlighted that SMIME is prone to message takeover attacks. Moreover, even PGP is vulnerable to cryptanalytical attacks. An extra layer of protection always makes sense.
Solutions like Heimdal™ Security’s Email Security can protect your assets against spam attacks, ransomware, and even some sophisticated forms of cryptanalytical attacks. As always, stay safe and shoot me an email if you have any questions about Kleopatra or PGP encryption.
There are several places where someone finds information about how to trouble shoot a crypto application problem.
TODO: link to the sections in the gpg4win compendium and other documentation.
For problems with adele see EmailExercisesRobot.
Contents
- Decryption Failure with Gpg4win-3.1.2 or later
- Hints / Tips
- Command line operations
General
- If the problem is with GpgOL, try the operation with GpgEX or Kleopatra, to exclude Outlook's influence. Note that if GpgEX/Kleopatra works, you have a fallback solution to just work via files and send them by attachment, so can can still use crypto, but with less comfort.
- If GUI frontend applications fail, try to do the operations on the command line. This way you can often exclude that the problem is within the frontend. And you sometimes get additional helpful messages.
- Look at or activate and look at additional diagnostic output. (http://gpg4win.de/doc/en/gpg4win-compendium_29.html, TODO link or refer to specific section in the official docs.) There are many ways where additional output can be found or enabled.
- Try to reproduce, sometimes a different installation or a different computer gives you an idea about the difference between a running and a problem case.
- Precisely check the version numbers of components.
- Check general operating or usage issues. Things like a full harddrive or wrong filesystem permissions.
- Gpg4win/RunAsUser, not as administrator.
Decryption Failure with Gpg4win-3.1.2 or later
Starting with Gpg4win-3.1.2 the MDC message integrity mechanism, which has been well established for over 15 years, is now enforced by GnuPG. The reason for this was the public attention to attacks possible against messages without MDC with the publication of 'EFail'.
Since Gpg4win-3.1.3 Kleopatra offers to decrypt such messages anyway if they were done using an old encryption algorithm. In that case you only need to click on the decrypt anyway button. For messages that were encrypted using modern algorithms but still don't use MDC there is a hard failure that will be shown in diagnostics. Such new algo, no MDC, messages are supposed to be rare and might be an indication of broken / insecure software or configuration.
You can fix the error by re-encrypting it. Afterwards it can be used as usual in Kleopatra and will be integrity protected.
To decrypt it, even without an MDC, open the command line (see below for additional hints) and decrypt your file like:
Additionally to decrypting this will list the keyids of the recipients of that message, which you can then use in the command to re-encrypt the message.
Alternatively only using Kleopatra you can also decrypt it with Gpg4win-3.1.1 and then encrypt it again after your key has been updated to ensure MDC is used (see below)
Update key to ensure MDC is used even by older versions
- In Kleopatra double click your key to open the details window.
- Open the edit expiry dialog (the pen button next to the expiry date).
- Close the dialog with OK (you don't need to change the actual expiry date).
Windows > 8 and Server 2012 Task Scheduler Problems
GnuPG uses (as suggested by Microsoft and usual) %APPDATA%gnupg to store data on Windows. When launched from the Task Scheduler %APPDATA% is not always set to the correct users directory. (If you launch it with system privileges it is another place altogether). GnuPG as a result is unable to find the Keys or configuration in the directory Windows provides.
This is a known Windows bug. See the Knowledge Base article Or This technet discussion
Instead of the Workaround mentioned in the knowledge base article GnuPG provides you with the option to set the Home directory as part of the command. (--homedir) Which makes it easy to workaround that bug.
For example:
Would ignore the broken value of %APPDATA% and use the keys stored in c:UsersaheineckeAppDataRoaminggnupg instead. Make sure access rights are set accordingly of course so that this works with the user the Scheduled task runs under.
GpgOL won't load in Outlook
- First check that it is enabled under File->Options->Add-Ins Com-Add-Ins.
- Second check that it is correctly installed: There should be a gpgol.dll under c:Program FilesGpg4winbingpgol.dll or for 64bit Outlook c:Program Files (x86)bin_64gpgol.dll there is a known issue (as of 3.1.7) that if Outlook is running while Gpg4win is updated and you install Gpg4win multiple times without restarting that the dll is not correctly installed.
If it is correctly installed and enabled:
Check in the Windows Registry that
is set to 3.
In the following Registry Keys replace <VERSION> with your Outlook Version. The <VERSION> values are:
- Outlook 2010: 14.0
- Outlook 2013: 15.0
- Outlook 2016: 16.0
Additionally, if they exist, delete all REG_BINARY Entries under:
and
Finally create the Registry Key:
And add a REG_DWORD entry with name GNU.GpgOL and value 1.
You can also enable logging even if Outlook does not start by launching c:Program FilesGpg4winbingpgolconfig.exe directly. This gives you the config dialog of Gpg4win with the usual debugging options.
GpgOL does not work
Check if you have one of the known incompatible Addons.
Hints / Tips
Checking the package integrity
Kleopatra
If the downloaded package seems to be broken, please check the integrity of the downloaded package, by validating the checksum. You find a List of the checksums and a guide for *Nix systems here. If you have a Windows System, open the terminal and compare the output of
'certutil -hashfile FileToHash.exe sha1'
to the ones on the site. Older Windows systems have to download a Windows Patch which provides this functionality.
Command line operations
The manual of the GnuPG (crypto engine) will describe the command line usage in detail, but for testing we give some simple commands here.
First you need to open the 'cmd.exe' command line application in windows. Then you can type commands at the prompt. For good results, create a new directory and change into it with cd and create or copy a testfile you can operate on for, example hello.txt.
An example to use your own key to sign something with CMS with double verbose output:
Kleopatra Encryption
An example to decrypt something with OpenPGP, no extra output
and now with full diagnostic output (be careful when sharing with others, this may contain sensitive information), usually you start with no diagnostic output, then add '-v's and additional '--debug' options. (With gpg --debug help showing available choices to give after --debug.)
Passphrase on the command line
The private key, which is protected by a passphrase, is handled by gpg-agent. This means that with GnuPG 2.1 adding --passphrase on the command line will no longer work out of the box. If you really don't want a passphrase (you have it in a script or the command line history anyway) It is suggested to remove the passphrase from that key. Other options are:
- Increase the cache timeout (e.g. put 'default-cache-ttl 3600' into gpg-agent.conf
- gpg-preset-passphrase /! Pay attention to the necessary gpg-agent config and how to find out about the keygrip.
- Use the loopback feature to let the agent ask the invoking program for the passphrase instead of pinentry by adding '--pinentry-mode loopback' to the gpg invocation.
e.g.:
Enable GpgOL debugging
GpgOL can log what it does internally. You might be asked for such a debug log to analyze a problem.
To enable it:
- Close Outlook
- Open regedit.exe and
- set HKEY_CURRENT_USERSoftwareGNUGpgOLenableDebug to either 1 or 1922
- set HKEY_CURRENT_USERSoftwareGNUGpgOLlogFile to some writeable file (e.g. c:users<youruser>gpgol.txt )
- Open Outlook again and reproduce the problem, close it and you have a debug log..
The value of enableDebug -> If set to 1 it logs less and should not leak any private data except Mail Addresses. If set to 1922 the log will contain the plaintext of decrypted messages, so only use that if you have a test mail or some unconfidential mail.
Manually update GpgOL to a beta
Sometimes after reporting an issue on https://dev.gnupg.org you might be asked to install an updated GpgOL binary which contains a fix that should be tested, as it is sometimes impossible for the developers to reproduce the exact conditions for a problem.
The binaries can be found as HTTPS secured download under: https://files.gpg4win.org/Beta/gpgol/
Look for the directory of the version you want to use and open it. In there you find the corresponding source code and two binaries.
The gpgol.dll in the top level binary is the 32 Bit version of GpgOL.
The gpgol.dll in the x64 sub directory is the 64 Bit version of GpgOL.
Which version you need depends on your Outlook Version. You can find out if you have a 32bit or 64bit outlook by looking at
File -> Office Account -> Info about Microsoft Outlook.
64 Bit versions have it noted at the top of the info window.
Once you have downloaded the correct version you need to *shutdown Outlook* and replace the gpgol.dll in the installation directory of Gpg4win. For the 64 bit version the gpgol.dll must be placed in the bin_64 subfolder.
The default paths are:
c:Program Files (x86)Gpg4winbingpgol.dll for 32 bit.
c:Program Files (x86)Gpg4winbin_64gpgol.dll for 64 bit.
General warning: Beta versions are naturally less tested, than stable released versions. They still may have critical defects. On the other hand, they may also have important defects fixed. Depending on the need of your security level, you should estimate if it is okay to use a beta version for your production environment with real keys. Rule of thumb, unless noted otherwise, we believe that it is okay to use a beta version in production settings for normal security requirements and as a precaution do should use it in high security environments or with highly sensitive key-material.
Antivirus reports on Gpg4win
Kleopatra Encryption Mac
See Gpg4win/AntiVirusSoftware
Disable Gpg4win update check and notification
To disable and hide the update check and notification of Gpg4win create a new file in the Gpg4win Installation directory in the subfolder 'share'. The file needs to have the name 'kleopatrarc' and no file extension.
e.g.: c:program filesgpg4winsharekleopatrarc
The contents of the file should be:
Kleopatra Encryption Software For Windows
Restoring corrupted Archives created by Kleopatra
Kleopatra before Version 3.1.6 had an issue that might have caused the creation of corrupted archives. T4332 If you are affected get errors when extracting such an archive the good news are: The data can be restored with some effort because there were only 'bad blocks' added and no data removed.
To repair such an Archive:
- Open it with a hex editor
- Search for blocks of 512 bytes or larger multiples of 512 which are all zero.
- Remove these blocks
- Try to extract again or use gpgtar --skip-crypto -t 'damaged-archive.tar'
If you are in luck and your data does not naturally contain blocks of 512 zeros this should do the trick. If your data can contain blocks of 512 zeros naturally, e.g. pdfs. It gets more complicated. In that case your best bet is to look for 'candidate blocks' remove them. Run gpgtar and check if the errors changed.
If you need assistance with that you can ask on one of the channels under: https://www.gpg4win.org/community.html