console gpg mail readers

GPG is a complex topic and using console tools for reading mails is even more special. This document tries to give an easy to follow insight, how this can be achieved.

Scenario: We are connected to (or sit in front of) our machine and want to read gpg encrypted mails. There is no X server, but if necessary we become root (to install packages). So our only and main limit is technical experiance.

After reading this document, you hopefully are able to read and write encrypted mail from the console.


To learn the principle of gpg or to create an own key pair, please read one these introductions, especially manage your keys.
It is necessary, to know the difference between validity and trust:

'Validity' for a particular key refers to the knowledge that the key
belongs to the person to whom you expect it to belong.  This knowledge
comes about based on your trust in the people who have signed the key
(including, but not limited to, the key owner).  

'Trust' in a person is a property of your particular installation of
GnuPG.  Trust is a private value that only you have to know about and
refers to whether or not you trust the person's signature on a key to be
as good as your signature on a key, and the degree to which that trust
exists.  Initially, key owners have a trust value of 'unknown'.  You may
give them a trust value of 'none' if they are known to improperly sign
keys.  A value of 'marginal' means that they understand key signing and
perform it properly.  A value of 'full' means that they have an
excellent understanding of key signing and that you trust their
signature on a key as well as if you had signed the key yourself. 

By default, a key is considered valid if it is signed by at least one
person to whom you give full trust, or it is signed by at least three
people to whom you give marginal trust.  This can of course be
reconfigured, and a lower number of marginally trusted owners would
signify a smaller number of people who would have to conspire against
you to pass a key off as valid. 

Without the necessary trusted signatures, the key is not considered
valid.  This does not necessarily mean that the key does not belong to
whom you expect it to, but that the software is warning you that it has
no way of knowing.  Obviously, the web of trust is the weak point in
public key cryptography, but when used properly can introduce some level
of assurance into the situation.  

(Source, VII. Understanding Validity and Your Web of Trust)

In short:

  • The validity you specify just for this specific key, by signing it yourself.
  • By setting the trust for a key, you tell gnupg how much you trust the person (not the key!). This affects the validity of keys, that have been signed with this trusted key. So trust paths can be calculated which is usually know as the ‘web of trust’.

See also trust models and establishing trust with a howto and some thoughts of the limitations of OpenPGP.

If the key is missing one signature by a person you trust fully or at least has three signatures by persons you trust marginally, the software will warn you and deny to use it for encryption.
Thats why you should sign the keys you got by others, AFTER verifiying the fingerprint and that the person you are talking to, is the right one.
A more detailed and very clear introduction you find here.

Ok, let’s start testing now:

the manual way

While writing, i thought it would be good, to be very detailed. If you read the gpg manpage (‘man gpg’), you can skip this part.


You got an encrypted mail and want to read it now.

  • Opan Emacs, vi, nano or whatever editor you like most
  • insert the encrypted mail
  • decrypt it with
    $ gpg -d INFILE OUTFILE
  • enter the passphrase
    If the message was encrypted with your public key and you own the private counterpart, you will find the encrypted message in OUTFILE.
    You also can read the message directly on the console instead:
    $ gpg -d INFILE |less


gpg -ea # 'e' stands for encrypt and 'a' for ascii outpur instead of binary
  • This will prompt for the recipient’s key id. Instead you can insert the mail address as well.
  • Then (maybe without a message) the prgram waits for your input. Just type and if you are done, press Control + d
  • The encrypted message will be shown

To do all this noninteractively including a signature (‘s’):

gpg -sea -r RECIPIENT INFILE # replace recipient by the key id or the email address

To specify the key ID/Email you want to sign with, add ‘-u KEYID’ (before the INFILE).

send mails

echo Message | gpg -u -clearsign - | mail -s Subject -f


with attachment

(echo "This is your message body";uuencode yourfile.ext yourfile.ext)|mail -s "Hello World!"

mail clients

In this tutorial we will test:

  • cone – COnsole Newsreader and Emailer
  • mew – mail reader supporting PGP/MIME for Emacs
  • mutt – text-based mailreader supporting MIME, GPG, PGP and threading

see the list of outstanding tests below


Cone is based on (al)pine. If you know none of them, read the cone manual before.

$ cone # run cone

To decrypt an email:
Open the email and press ‘Y’.

In my case appeared gpg: Sorry, no terminal at all requested - can't get input

To write and encrypt an email:
Insert master password if you set one and enter ‘W’ to write a new mail.
Press ^X (Control + x) to send it and enter ‘E’ to encrypt this mail.
Mark all wished recipients with Space and press ENTER when you are done.

Usually you will see this message afterwards (if you did not sign the key before):

gpg: XXXXXXXX: There is no assurance this key belongs to the named user
gpg: Sorry, no terminal at all requested – can’t get input

Press SPACE to continue.

That means, insufficient trust level for the choosen key. You need to sign them and set the owner trust.

Press ^P to postpone the message and ‘M’

You suppress all warnings if you enter the setup (‘S’) and add ‘—always-trust’ to the field ‘Extra GnuPG encrypt/sign options’. This is not suggested though. :)
To solve the problem instead, hit ‘E’ to enter the encryption menu.

As described above you have two possibilities:

  1. sign the key yourself
  2. set the trust for three persons who signed the key which you want to use to ‘marginal’ (This means, you think, ‘that they understand key signing and
    perform it properly’)
  3. set the trust of one person who signed the key you want to use to ‘fully’, if you think, the person has an ‘excellent understanding of key signing and that you trust their signature on a key as well as if you had signed the key yourself’

To *sign *a key, press S, choose the public key you want to sign, then choose the private key whith which you want to sign and answer the question, how well you checked that the key is from the right person (fingerprint, voice, etc).
You should publish that key afterwards, so others can see your signature:

> gpg --keyserver --send-keys KEYID

To set the trust, choose ‘Edit key’ (‘E’ asks me if you want to delete the public key, which is confusing), scroll to the accoring key and hit ENTER. The key is shown and you get a prompt.

> trust

Anser (3 for ‘marginal’ or aboce), enter ‘quit’, then ENTER.


Besides mew there are plugins to read mails for emacs like Gnus, Rmail, MailCrypt. AutoEncryption shows how to edit encrypted files from inside Emacs.

Follow the configuration instructions. After installing the package ‘mew’ start emacs, change to the command mode with M-x (Alt + x) and type ‘mew’.

When everything is set fine, mew will start download a list of all messages in the INBOX.

Press Enter to show a message. If it’s encrypted you will be asked fo a passphrase.
At the top the message list stays visible and you can scroll up and down with the arrows to choose another message (toggle this view with ‘v’)
Press SPACE to scroll through messages. more keystrokes
With M-x Mew you get back to the message list.

To write an encrypted mail, press ‘w’ to start a new mail and:

  • ‘C-cC-s’ – Sign the entire draft. Input your pass-phrase.
  • ‘C-cC-e’ – Encrypt the entire draft.
  • ‘C-cC-b’ – Sign, and then encrypt the entire draft. Input your pass-phrase.
  • ‘C-cC-r’ – Encrypt, and then sign the entire draft. Input your pass-phrase.
    (These commands create a PGP/MIME message by default.)

To cancel a message use C-cC-q.
Put it to queue: ‘C-cC-m’

To send you need to configure smtp in your .mew.el
Send all messages in quere: ‘C-cC-c’.
‘i’ updates the message list and sends queued messages if configured.


Read the mutt gpg HOWTO or encryption section in mutt wiki

$ mutt 

‘c’ for connect, enter the string like given in this mutt IMAP HOWTO:

> imaps://

To ise mutt for, read this. After setting the .muttrc as described, everything works fine. It is uncomplicated decrypting my mail, asking for the passprase and handles attached PGP/MIME encrypted files without problems.


outstanding tests

  • etpan-ng – console mail user agent based on libEtPan!
  • kuvert – A wrapper that encrypts or signs outgoing mail
  • pgp4pine – A PGP/GPG Wrapper for Pine*
  • premail – An e-mail privacy package.
  • x-pgp-sig-el – X-PGP-Sig mail and news header utility for Emacs