Lost in the maze of encryption - guidance needed please.

Running Leap 15 with KDE Plasma 5.12.6 and am really lost. Back in the day when I was running OS/2 and PMMail I had PGP working well and life was simple. Now I cannot understand what is happening.

I thought I would try pgp again after a gap of 10 years and I have Thunderbird installed with Enigmail. I have not yet set it up because I thought I would try and have a rational approach to key storage.

Meanwhile I messed up my kwallet so started over with a new wallet and thought I would try pgp security rather than blowfish and loh and behold it tells me there are no keys present. As I recall I was asked to use kgpg. But there are already keys present or so I believe, so why didn’t the wallet find them.

Related this has been my initial attempt to set up and use an encrypted usb key device called Nitrokey Storage. This suggests I use gnupg or is that gnupg2 to generate keys.

So where should I start?

You need to start by generating a key.

You can use “gpg” at the command line for this. Or you can use “kgpg” or “kleopatra”. But those are both just GUI front-ends to “gpg” so it won’t really make a difference which you use.

Once you have created a key, you will have a “.gnupg” directory. And “enigmail” should recognize that and be able to use your key.

I’m not sure if this helps. Yes, there’s a steep learning curve for crypto. But once you get over the hump, it all begins to make sense.

Hi and thanks for this. As I wrote before there is already a key there in the .gnupg directory. Not sure how it came to be there but what is clear is that the kwallet app didn’t pick it up and I need to read a good bit more so I can understand how Nitrokey is integrated otherwise I shall have three different sets of keyrings.
Many thanks once more.


gpg --list-keys

to see what keys are there.


gpg --list-keys Budgie2

for your own keys. But replace “Budgie2” by whatever name you are likely to have used on keys – or whatever email address.

When used for kwallet, it wants a key where you have ultimate trust.

After a break in which I have had to move to Tumbleweed I have returned to this topic because I must now start to use Thunderbird/Engmail in anger as it were.
There is one concept on which I would ask clarification and that concerns my email clients and IMAP server.

It appears that during many installations of Thunderbird and use on several different computers but using the same email addresses I seem to have too many key pairs. So my question is; are the key pairs saved in my thunderbird profile and also therefore on the IMAP server or are they saved only locally.

I ask because I now need to weed out surplus keys and ensure that each machine only has the same and correct keyring contents. No doubt there will be more questions but this seems like the place to start.


Talking to myself again but I had it wrong, at least it appears the keys are held locally so what I have done is gone into each system and made all keys inactive except the ones I want to keep and then exported the wanted keys to each machine in turn. I shall delete the unwanted and unused keys when I have checked all is working as it should, Hope I haven’t wasted your time.

Keys are saved in your “gnupg” keyring (in “.gnupg”). It’s best to keep that consistent over all systems.

I still need some guidance please as there appear to be contradictions or different information for the same keyring contents.

Using GNU Privacy Assistant there are two keys shown with my relevant main email address with details as follows:

The first, dated 2019-06-22 has a Key ID:2B24B97C, a fingerprint starting E9F0… is shown as fully valid and can be used for certification, signing and encryption.
The second, dated 2019-07-05 has a Key ID:68EC645D, a fingerprint starting 1EAD… is shown with unknown validity and not available for encryption.
Neither are shown as disabled.

Using Enigmail Key Management there are still two keys shown with my relevant email address with details as follows:

The first, dated 22/06/19 has a Key ID:BB7E69A42B24B97C, a fingerprint starting E9F0… is shown with key validity “disabled” but with ultimate owners trust.
The second, dated 05/07/19 has a Key ID:50A3AF5F68EC645D, a fingerprint starting 1EAD… is shown with unknown validity or trust.

Although the presentation is different it is clear these keys are the same in both applications so why are the Key IDs different and note that Enigmail App shows the 22/06/19 dated key as disabled?

When I use console to look at the keys with a view to creating another subkey for use in authentication I have as follows:-

alastair@AJBR-W530:~> gpg --edit-key --expert ajbudge@errichel.co.uk
gpg (GnuPG) 2.2.17; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa2048/BB7E69A42B24B97C
     created: 2019-06-22  expires: 2020-06-21  usage: SC  
     trust: ultimate      validity: ultimate
*** This key has been disabled
ssb  rsa2048/50CBBAAAC6A53584
     created: 2019-06-22  expires: 2020-06-21  usage: E   
[ultimate] (1). ajbudge@errichel.co.uk <ajbudge@errichel.co.uk>


This shows the disabled key but not the other although both have the same email address.

Please could somebody reassure me that all is well and explain what I have yet to do to get the key dated 05/07/19 which has not been disabled, to show as available for encryption and enable creation of authentication subkey.

You need to clarify your intention… Are you trying to set up OpenPGP or GPG?
They’re not the same, look them up…
That may even be at least in part why you’re not finding anything working with GPG keys…

Both PGP and GPG support asymmetric encryption (You exchange public keys which are used to unlock files or messages encrypted with the other person’s related private key).
There is also the symmetric key S-MIME.

Recommend you clarify exactly what you want,
Then look up a guide for the particularly email client you’re using and that encryption method.

If you run into problems,
You can post the guide you’re following and the problem.


Hi Tsu and thanks for the good questions. My objectives are:-

To have all my computers used for secure email to all be using the same key database and eventually have this synced, possibly in cloud such as dropbox.

In pursuing this objective to rationalize all the keys and subkeys I have and sort out their trust status etc.

To set up a “Nitrokey Storage” as a login key for computers, a convenient means of opening KeePassXC password database without having to enter the long password and also a key safe for transporting key database and password database before cloud sync is working or when there is no internet access.

All of the information I have used has either been from the Firefox/Enigmail instructions of from the Nitrokey.com site which has various instructions for using the NitroKey.

You point out that there are differences between OpenPGP and GPG but I confess I am slightly confused. For example NitroKey describes “OpenPGP Email Encryption with Thunderbird” and goes on to explain how to install Enigmail and gnupg2. In another instruction Nitrokey describes OpenPGP Key generation with Backup and the terminal commands are for gpg.

In a similar manner, instructions for Key Management in Enigmail and certainly in the Enigmail documentation the references are for GnuPG and OpenPGP but where GPG fits in if it is different I am not clear.

I am not sitting here asking others to sort out my problem and am reading and trying but not making much progress. I have not used email encryption since I stopped using OS/2 many years ago. All the keys now extant are new and none have been used in anger. I could clear out all the keys in my present machines and start over but am uneasy and would rather put the unwanted keys in storage somewhere so they do not confuse what I am trying to do now but could find them if needed.

Thanks again for your reply. Given the several different issues I propose to work at the enigmail until I have that all correct before going on the the Nitrokey. Will report back when I next get stuck!

Legacy. Some programs default to old short form, some display more modern long form.

Enigmail App shows the 22/06/19 dated key as disabled?

This key is disabled in your keyring.

alastair@AJBR-W530:~> gpg --edit-key --expert ajbudge@errichel.co.uk

This shows the disabled key but not the other although both have the same email address.

a) you did not show any evidence that both keys have the same uid. Show “gpg -K” output.
b) --edit-key edits one single key. So it happens to pick up the first one in the list of matching keys. If you want to edit another one, select it using more precise search criteria, like key id.

what I have yet to do to get the key dated 05/07/19 which has not been disabled, to show as available for encryption

Encryption is using recipient public key, not your own secret key. If you want to encrypt message so you can also read it, you will need your matching public key. Do you have one (“gpg -k” lists public keys)?

enable creation of authentication subkey.

You mean that “gpg --edit-key 68EC645D” does not work?

I have not used the Enigma plugin to Thunderbird, but I understand it somewhat uniquely (and maybe transparently) can support either OpenPGP and GPG… So to the User setup and encrypt/decrypt may seem exactly the same no matter what is the backend… But you will have to set up the backend correctly for OpenPGP or GPG.


OpenPGP is the name of the standard. And GPG is an implementation of that standard.

Not entirely true.
There are distinct differences which is why they are not necessarily always interchangeable (depends on the software)
Usually compatible but not exactly the same.
One came before the other, and although there is a lot of overlap in features, there are differences which shouldn’t be ignored.



There’s also PGP (from “pgp.com”) which is another implementation of the OpenPGP standard, and started by the originator of PGP. As far as I know, “enigmail” on linux can only use GPG. At one time there was a PGP version for linux, but I’m not sure if that is still true.

OK and thanks for the detailed additional information. I was however reasonably confident that if I followed the Enigmail Mozilla Applications Handbook I should be OK. In order to clear the decks for new action I put all my previous activity into a temporary directory and started with a clean and empty .gnupg directory. I then followed the instructions by going to a friend’s email which had been sent by him earlier which had attached his public key.

The email had an Enigmail banner at the top with an Import Key button. This didn’t work because the key had not been uploaded to “the key server.”

OK, so the Handbook instructions say “right click on the attachment” and choose Import OpenPGP Key.

Unfortunately this option is not offered. Instead I am offered “Decrypt and Open” or “Decrypt and Save As…”

Surely this should be managed in the background by the Enigmail but what should I do with the file?

There are free, public GPG servers you can upload a public GPG cert… I’d be pretty sure how that button should work, it’s a convenient way to distribute your public key for all to use when communicating with the person who generated the key


I’d expect that either of those other two options should also work if the you already have the necessary public key, but Enigma must know where that key is stored… There has to be another way to import the key if the described way isn’t there… Click around the app, something will likely show up, or do a search on your version of Enigma.


I just tested and it works fine, at least if I used Enigmail “Attach public key” menu option when sending it. I also tested signed and encrypted messages with attachment and it worked in both cases.

Instead I am offered “Decrypt and Open” or “Decrypt and Save As…”

So Enigmail did not recognize it as attached public key. More useful answer is hardly possible without having actual message.

First in reply to Tsu many thanks and I see that a number of key servers are listed in the Enigmail Preferences Expert Settings with the first on the list being the default which in this case is hkps://keys.openpgp.org so all is well here once I opt to upload. My testing suggests my friend has not uploaded or, as he is using Mailvelope, he may have used the Mailvelope key server as his default!

I am disappointed that the key saving is less elegant than the Handbook suggests. What I have to do is save the ascii file and then go to Enigmail Key Management and import that file. All clear and straight forward but several unwanted additional moves which should be uneccessary.

The attachment is all working and so is the recognition of of the key once it is in the keyring.
In conclusion so far OK but not smooth yet.

Thanks again.