PGP Encryption
Prerequisites
Warning
NeoMutt does not work with the tty pinentry program.
You must use a GUI or curses-based pinentry instead: pinentry-qt, pinentry-gtk-2, pinentry-gnome3, pinentry-fltk, or pinentry-curses.
Configure this in ~/.gnupg/gpg-agent.conf:
pinentry-program /usr/bin/pinentry-curses
NeoMutt compiled with GPGME support (recommended) or classic PGP mode
GnuPG installed (version 2.1.0 or later recommended for automatic agent support)
A PGP key pair generated with
gpg --gen-key
Enabling GPGME
The recommended way to enable OpenPGP is to use GPGME:
# Enable GPGME
set crypt_use_gpgme
If you have complex crypto needs, you can enable “classic mode” by disabling GPGME and setting all of the pgp_*_command options (such as $pgp_clear_sign_command) yourself.
For an example configuration, see gpg.rc in the Contrib repository.
# Manual crypto functions
unset crypt_use_gpgme
set pgp_clear_sign_command = "..."
# ...
Configuring Your PGP Key
The two most important settings are $pgp_default_key and $pgp_sign_as.
To perform encryption, you must set the first variable.
If you have a separate signing key, or only have a signing key, then set the second.
Most people will only need to set $pgp_default_key.
set pgp_default_key = "A4AF18C5582473BD35A1E9CE78BB3D480042198E"
Configuring GnuPG Agent and Pinentry
Starting with version 2.1.0, GnuPG automatically uses an agent to prompt for your passphrase.
If you are using a version older than that, you’ll need to ensure an agent is running (alternatively, you can unset $pgp_use_gpg_agent and NeoMutt will prompt you for your passphrase).
The agent in turn uses a pinentry program to display the prompt.
Several pinentry front ends exist (qt, gtk2, gnome3, fltk and curses), but NeoMutt does not work properly with the tty pinentry program. Make sure one of the GUI or curses pinentry programs is installed and configured as the default for your system.
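The two configuration mistakes this page and the Warning above call out (a tty pinentry in gpg-agent.conf, and GPGME or $pgp_default_key left unset in neomuttrc) are easy to lint before starting NeoMutt. The following POSIX shell script is an added example, not part of NeoMutt or GnuPG; it writes constructed sample files into a temporary directory and checks them, so it runs offline.

```shell
#!/bin/sh
# Added lint script (not part of NeoMutt or GnuPG): checks a gpg-agent.conf and a
# neomuttrc for the pitfalls described above. Sample files are constructed here.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/gpg-agent.conf" <<'EOF'
# constructed sample ~/.gnupg/gpg-agent.conf
pinentry-program /usr/bin/pinentry-curses
default-cache-ttl 600
EOF
cat > "$tmp/neomuttrc" <<'EOF'
# constructed sample neomuttrc, PGP section only
set crypt_use_gpgme
set pgp_default_key = "A4AF18C5582473BD35A1E9CE78BB3D480042198E"
set pgp_self_encrypt
EOF

# Returns 1 when gpg-agent.conf selects pinentry-tty, which NeoMutt cannot use.
check_pinentry() {
  prog=$(sed -n 's/^[[:space:]]*pinentry-program[[:space:]]*//p' "$1" | tail -n 1)
  case "${prog##*/}" in
    pinentry-tty) echo "BAD: $prog is the tty pinentry; use a GUI or curses one"; return 1 ;;
    "")           echo "OK: no pinentry-program line, gpg-agent default applies" ;;
    *)            echo "OK: pinentry is $prog" ;;
  esac
}

# Returns 1 unless crypt_use_gpgme is set and pgp_default_key is present;
# only warns when the key is not a full 40-hex-digit fingerprint.
check_neomuttrc() {
  grep -Eq '^[[:space:]]*set[[:space:]]+crypt_use_gpgme[[:space:]]*(=[[:space:]]*yes)?[[:space:]]*$' "$1" \
    || { echo "BAD: crypt_use_gpgme is not set (classic mode needs every pgp_*_command)"; return 1; }
  key=$(sed -n 's/^[[:space:]]*set[[:space:]]*pgp_default_key[[:space:]]*=[[:space:]]*"\{0,1\}\([0-9A-Fa-f]*\).*/\1/p' \
    "$1" | tail -n 1)
  if [ -z "$key" ]; then
    echo "BAD: pgp_default_key is not set; encryption will not work"; return 1
  elif [ "${#key}" -ne 40 ]; then
    echo "WARN: pgp_default_key '$key' is not a full fingerprint"
  else
    echo "OK: pgp_default_key is fingerprint $key"
  fi
}

check_pinentry "$tmp/gpg-agent.conf"
check_neomuttrc "$tmp/neomuttrc"
```

Point the two functions at your real ~/.gnupg/gpg-agent.conf and neomuttrc to lint them; a non-zero exit from either means NeoMutt will fail to prompt for a passphrase or to encrypt.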
Sending Cryptographically Signed/Encrypted Messages
If you have told NeoMutt to PGP encrypt a message, it will guide you through a key selection process when you try to send the message. NeoMutt will not ask you any questions about keys which have a certified user ID matching one of the message recipients’ mail addresses. However, there may be situations in which there are several keys, weakly certified user ID fields, or where no matching keys can be found.
In these cases, you are dropped into a menu with a list of keys from which you can select one. When you quit this menu, or NeoMutt can’t find any matching keys, you are prompted for a user ID. You can, as usual, abort this prompt using Ctrl-G. When you do so, NeoMutt will return to the compose screen.
Once you have successfully finished the key selection, the message will be encrypted using the selected public keys when sent out.
[Screenshot placeholder: the PGP key selection menu shown during send when several keys match a recipient. The menu lists keys in columns for key ID, capabilities, flags, validity and user ID, with a prompt at the bottom for selecting a key or entering a user ID manually.]
To ensure you can view encrypted messages you have sent, you may wish to set $pgp_self_encrypt and $pgp_default_key for PGP, or $smime_self_encrypt and $smime_default_key for S/MIME.