OpenPGP Applications and Tools

Posted on 1 2026

GnuPG is a command line tool and always will be. Everything covered in the previous sections has been terminal-first, which is appropriate for a setup that involves servers, automation, and scripting. But day-to-day use of GPG on a desktop, managing keys, signing files, encrypting documents, is more comfortable with a graphical interface, and on Kubuntu there are good options that integrate properly with the KDE environment.

This page covers the tools worth knowing about: graphical frontends, useful command line utilities, and how they fit together.

Kleopatra

Kleopatra is the certificate manager and GPG frontend built for KDE. It ships as part of the KDE PIM suite and is the right graphical tool for this setup. On Kubuntu it integrates cleanly with the rest of the desktop and connects directly to the running GPG agent.

Install it if not already present:

sudo apt install kleopatra

Kleopatra handles both OpenPGP and S/MIME certificates in a single interface, which matters because the certificate authority section of this series involves X.509 certificates alongside GPG keys. Having one tool that manages both is genuinely useful.

What Kleopatra is good for

Key management. Viewing your keyring, checking expiry dates, setting trust levels, and importing public keys from contacts. Much easier to navigate than gpg --list-keys for anything beyond a handful of keys.

Signing and encrypting files. Right-click a file in Dolphin and Kleopatra appears in the context menu, letting you encrypt or sign without opening a terminal. For occasional file encryption this is considerably friendlier than the command line.

Key server lookups. Searching keys.openpgp.org and importing results directly into your keyring.

WKD lookups. Fetching public keys via Web Key Directory from email addresses, which is how you get keys for contacts who have set up WKD on their domains.

Smartcard management. Changing PINs, viewing card information, and moving subkeys to a Yubikey. This is covered in more detail in the Yubikey section, but Kleopatra is the GUI tool for it.

Certificate verification. Checking the validity and trust chain of certificates, both OpenPGP and X.509.

What Kleopatra is not good for

Key generation with full control over capabilities and subkey structure. The wizard produces sensible defaults but does not expose the granular options covered in the key generation section. For that, the command line is the right tool. Similarly, the nuances of the sshcontrol file and agent configuration are not surfaced in Kleopatra. Think of it as the operational interface, not the configuration interface.

Starting Kleopatra

From the application launcher, search for Kleopatra. Or from the terminal:

kleopatra &

On first launch it will detect your existing GnuPG keyring and display your keys. If it shows no keys, check that GnuPG is correctly configured and that gpg --list-keys returns results in the terminal.

KGPG

KGPG is a lighter alternative to Kleopatra that lives in the system tray and provides quick access to common GPG operations. It is less comprehensive than Kleopatra but useful if you want a persistent tray icon for one-click encryption and decryption.

Install it:

sudo apt install kgpg

KGPG is particularly good for quick text encryption and decryption via the clipboard, and for a persistent visual indicator of the GPG agent status in the system tray. For most people using Kleopatra, KGPG is redundant, but worth knowing about.

Dolphin integration

The KDE file manager Dolphin integrates with Kleopatra to provide right-click encryption, decryption, signing, and verification directly from the file manager. This requires the kio-extras package, which is installed by default on Kubuntu:

sudo apt install kio-extras

Right-clicking any file in Dolphin should show encrypt and sign options once Kleopatra is installed. If they do not appear, verify kio-extras is installed and restart Dolphin.

Useful command line tools

The command line remains essential for scripting, automation, and anything that needs to run on a server. These are the GPG-adjacent tools worth having installed.

gpg-connect-agent

A low-level tool for communicating directly with the GPG agent. Useful for troubleshooting and for operations not exposed through the main gpg command:

# Update the agent's idea of the current terminal
gpg-connect-agent updatestartuptty /bye

# Check the agent is responding
gpg-connect-agent /bye

# Flush the passphrase cache
gpg-connect-agent reloadagent /bye

gpgconf

The configuration tool for GnuPG components. Used throughout this series for reloading the agent, finding socket locations, and managing component settings:

# List the directories and socket paths GnuPG uses
gpgconf --list-dirs

# Reload the agent
gpgconf --reload gpg-agent

# Kill all GnuPG daemons
gpgconf --kill all

# Check component status
gpgconf --check-programs

gpg-wks-client

The Web Key Service client. Used for publishing your key to WKD-enabled mail servers that support the Web Key Service protocol (as opposed to self-hosted WKD covered in the publish section):

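# Check if a domain supports WKS
gpg-wks-client --supported you@yourdomain.net

# Submit your key to a WKS server (--send mails the request via sendmail;
# without it the request is only written to stdout)
gpg-wks-client --create --send "$GPGKEY" you@yourdomain.net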

scdaemon and pcscd

These are required for smartcard and Yubikey support. Install them now if you plan to follow the Yubikey section:

sudo apt install scdaemon pcscd

scdaemon is the smartcard daemon that communicates between GPG and hardware tokens. pcscd is the PC/SC daemon that manages the physical card reader interface. Both are invoked automatically by the GPG agent when needed rather than directly.

paperkey

A tool for creating paper backups of your private key. Takes the binary private key data and reduces it to the minimum information needed to reconstruct it, stripping out the public key components that can be recovered from your public key. The output is a compact hexadecimal representation that can be printed and stored physically:

sudo apt install paperkey

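# Create a paper backup (the output file holds secret key material, so keep it
# off shared or synced storage and delete it once printed)
gpg --export-secret-key "$GPGKEY" | paperkey --output ~/private-key-paper-backup.txt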

Store the printed backup alongside your revocation certificate in whatever physically secure location you use for long-term key storage. To restore from paper backup you need both the paper key output and your public key.
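The restore step is described above but not shown. The script below is an added example, not part of the original series: it rebuilds the secret key from the paper text plus the public key in a throwaway keyring and checks that a signature made with it verifies. The function name verify_paper_backup and the file names are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example: rebuild the secret key from a paperkey printout and prove it
# works by signing with it. Function and file names are assumptions.

# verify_paper_backup PUBLIC_KEY_FILE PAPER_TEXT_FILE
# Returns 0 only if the key restores and a signature made with it verifies.
verify_paper_backup() {
    local pub=$1 paper=$2 work rc=1
    # Prefer the per-user tmpfs so the restored secret key stays off disk.
    work=$(mktemp -d -p "${XDG_RUNTIME_DIR:-/tmp}" paperkey-check.XXXXXX) || return 2
    (
        umask 077
        export GNUPGHOME="$work/gnupg"   # throwaway keyring, never ~/.gnupg
        mkdir "$GNUPGHOME" &&
        # paperkey merges the printed secret bytes back into the public key;
        # it fails on a line whose CRC is wrong or a key that does not match.
        paperkey --pubring "$pub" --secrets "$paper" \
                 --output "$work/restored.gpg" &&
        gpg --quiet --import "$work/restored.gpg" &&
        # Signing needs the restored secret key (you are asked for its
        # passphrase); verification uses the public half, so a good
        # signature shows the two belong together.
        printf 'paper backup test\n' | gpg --quiet --sign |
            gpg --quiet --verify
    ) >/dev/null && rc=0
    # Stop the temporary agent, then remove the restored key material.
    GNUPGHOME="$work/gnupg" gpgconf --kill all 2>/dev/null || true
    rm -rf "$work"
    return "$rc"
}

# Run directly as: script.sh pubkey.gpg private-key-paper-backup.txt
# where pubkey.gpg comes from: gpg --export "$GPGKEY" > pubkey.gpg
if [ "$#" -eq 2 ]; then
    if verify_paper_backup "$1" "$2"; then
        echo "paper backup restores a working secret key"
    else
        echo "paper backup FAILED verification" >&2
        exit 1
    fi
fi
```

Run it against the text you typed or scanned back in from the printout, not the file paperkey originally wrote, since transcription errors are what the check is meant to catch.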

hopenpgp-tools

A set of tools for analysing OpenPGP keys against best practice recommendations. Useful for verifying that a newly generated key is well-formed and follows current guidance:

sudo apt install hopenpgp-tools

# Analyse your key
gpg --export $GPGKEY | hokey lint

A clean output with no warnings confirms the key is properly structured. Any warnings are worth investigating before distributing the key publicly.

A note on GUI tool versions

Kleopatra on Kubuntu 24.04 LTS is version 3.x from the KDE Gear 24.x release. The Kleopatra available on Windows via Gpg4win is a different but related codebase. The Linux and Windows versions share the underlying KDE framework but have diverged in some UI details. Documentation screenshots from Windows Gpg4win guides will look somewhat different from what you see on Kubuntu, though the core functionality is the same.

The command line and the GUI are not competing interfaces. They complement each other. Use Kleopatra for the things it does well, use the terminal for the things it does better, and reach for the right tool for the job rather than defaulting to one or the other.