If you are using a distro package, be aware some of them install
pgpewrap outside of $PATH and modify their version of gpg.rc to point
directly to that location.
Copy it someplace sane
cp /usr/share/doc/mutt-1.5.21/gpg.rc ~/.gpg.rc or cp`locate gpg.rc` ~/.gpg.rccp /usr/share/doc/mutt-1.5.21/gpg.rc ~/.mutt/gpg.rc
Make mutt aware of it by adding 'source $FILE' to your .muttrc:
echo"source ~/.gpg.rc">> ~/.muttrc
The pgp menu (p) option in the compose menu controls encryption and
signing for a message.
GPG variables you'll probably want to define in your muttrc
You should set the following:
pgp_default_key pgp_sign_as (only if you have a separate signing key) pgp_use_gpg_agent (however see below)
Note that GPG 2.1 now include an auto-spawning agent, and so requires
pgp_use_gpg_agent to be set. If you are using GPG 1.x without an agent
running you'll need to unset pgp_use_gpg_agent. See
OpenPGP Configuration in the manual.
You may want to adjust the value of these, depending on your preferences:
After you're finished and you're in the
hit the "?" key to see a list of all
Search for "attach a PGP public key".
Exit the help menu and hit the key combination it lists for that
It will then prompt you "Please enter the key ID:". Enter the keyid
(email works) and you'll be prompted with a key selection menu.
Pick your key (it must be in your keyring).
Follow the escape prompt in the context-help menu at the top of the
Hit "send". You will then have emailed your gpg key using mutt.
Mutt UI Notes
The mutt UI idea while dealing with encrypted mails is to automatically
decrypt an encrypted message when it is opened. In a similar way it will
optionally verify the authenticity of a signed message (depending on the
crypt_verify_sig variable) when it is opened.
The status flag defined in the $index_format
variable for the
index, will show a relevant flag for each signed/encrypted message. They
s if the message is signed and not yet verified
S if the message is signed and the signature is successfully verified
P if the message is PGP encrypted
In order to be considered completely sure, all the parts of the
message have to be signed. If this is not the case mutt won't consider
the message completely sure, and the flag will stay "s": this happens
for example when a signed message is processed by a mailing-list
software and a trailing mailing-list signature is applied to it.
Publication of your public key
NOTE: This section is somewhat out of date. Please refer to
Riseup's OpenPGP Best Practices
for a better discussion of key generation, management, and keyservers.
There are different public keyservers, each one implementing one or more
different access methods: HKP, WWW, FTP, mail, LDAP. An important thing
to understand about keyservers is that they're synchronized, i.e. they
tend to share the same public keys.
So in order to get published your public key in just one of these you
only need to publicize it in just one keyserver, the key will eventually
be propagated through all the keyservers.
Here it is a list of public keyservers (from the default gpg.conf file):
Add it to a keyserver via http://sks-keyservers.net/i/ or other
and the corresponding key will be published in the specified keyserver
(and in all others). Now your public key is public, congratulations!
The publication on a public keyserver is not definitively the only
method possible: there is the possibility to use a web page, to send it
through ordinary mail or email, or via web. Note that all of these
methods are subject to a man in the middle attack: the more the number
of methods you'll use, the less are the chances that some very
determined malicious individual will stole your identity. Note also that
the shared publication of your public key highly decreases the
possibility of your public key be compromised, since the attacker should
compromise at the same time all the keyservers.
In case of web publication you can attach an header to your outgoing
mail as this:
in order to inform your recipient of the web address of your public key.
The content of the page can be generated with:
gpg --export --armor
In mutt you can set this with the command:
Retrieval of keys from a keyserver
In order to verify or decrypt a message you need the public key of the
Manually you can do this in this way:
gpg --recv-keys <names>
or even with:
gpg --search-keys <names>
and then selecting the number of the public key you want to add to your
You might need to configure GnuPG to automatically do it for you every
time a private key is not present in the local keyring.
This comes in very handy with Mutt, as you won't have to go and download
and import a key manually in another terminal. In order to do this, add
this line to your ~/.gnupg/gpg.conf file:
with the uri of your preferred keyserver. In this way every time a key
is not present in your local keyring gnupg will try to fetch it from the
keyserver specified in the gpg.conf file.
Verifying messages signatures
The %Z flag (status flag) in the $index_format tell you when a message
is signed. If the message is signed (and it hasn't still been verified
either it has a bad signature) a "s" character will appear in the
corresponding line of the index, if the message signature has been
verified then will appear a "S" character.
In order to verify a message you need the corresponding public key of
the sender being in your keyring, or setup gpg to automatically retrieve
a corresponding key from a public keyserver (remember to setup the
auto-key-retrieve keyserver-option as explained in the previous
In order to verify a message mutt runs the $pgp_verify_command and
check the exit of the command.
If $crypt_verify_sig is set to yes, mutt will run the
pgp_verify_command on every opened message, and the output of this
command will be displayed in the pager, before the message itself.
Verifying a message signature on the fly
You could be interested in verifying the signature of just a specific
message. The following macros let you force the variable value of
crypt_verify_sig to yes in order to get mutt verify the message, and
then restore the previous value (you need mutt >= 1.5.12 with
$my_variable support to get these macros working).
Please do not forget the "\" in the following macros code at the end
of each line (or put all the text of each macro in one line).
macro index \Cv \"<enter-command> set my_crypt_verify_sig=\$crypt_verify_sig<enter> \<enter-command> set crypt_verify_sig=yes<enter> \<display-message><enter-command> set crypt_verify_sig=\$my_crypt_verify_sig<enter>" \ 'Verify PGP signature and open the message'macro pager \Cv \"<exit><enter-command> set my_crypt_verify_sig=\$crypt_verify_sig<enter> \<enter-command> set crypt_verify_sig=yes<enter> \<display-message><enter-command> set crypt_verify_sig=\$my_crypt_verify_sig<enter>" \ 'Verify PGP signature'
$pgp_sign_as let you specify the uid to use when signing (since you
can have different uids depending on the context). The corresponding
public key will be extracted from your current keyring. You can set up
some hook to customize the uid to use according to each particular
You can automatically sign all outgoing messages setting
or simply selecting the pgp-menu (bound to "p") in the compose menu. You
can use send-hook or folder-hook to setup the security criterion in a
context dependent fashion.
To automatically encrypt messages to specific recipients use
where the first global send-hook always resets crypt settings and a
following matching, if any, send-hook sets crypt for that recipient.
Note the double escaped backslash inside double quotes, "\\". The
!~l pattern is to not activate encryption if the mail is also
addressed to a known mailing list.