Encrypt your chat messages from end-to-end with OpenPGP.

OpenPGP is a widely used encryption protocol. It requires the installation of GnuPG in addition to the XMPP client. Once installed and configured, it works very well for encrypting the content of chat messages. I had success with PGP regardless of the client that I tested it with.

Install GnuPG

To enable OpenPGP encryption for XMPP, the GnuPG software must be installed. On windows, go to this page and find the latest version to download “gpg4win-latest.exe”. Download and install. Accept all the defaults.

On Debian Linux, run the command: apt install -y gnupg kleopatra scdaemon

Add Executables to Path

On Windows, it is necessary to add the directory with gnupg executables to the environment variable %PATH%.

Check to make sure that the directory
"C:\Program Files (x86)\GnuPG\bin"
exists and has programs in it.

Type "env" in the windows search tool to find the "Edit system environment variables" dialog.

Click Environment Variables button.

Select Path and click the "Edit..." button.

Click "New" and add the string
"C:\Program Files (x86)\GnuPG\bin" to the %Path% environment variable.

Create a Key Pair (Certificate)

At this point, you must create a new key pair. The Kleopatra program is bundled with GnuPG. Launch the Kleopatra program from windows or linux. The process is identical on either operating system.

Click the "New Key Pair" button.

Enter a name and click the "Next" button.

Click the "Create" button, then enter a passphrase. A passphrase makes sure that only you can decrypt with the certificate. Remember your passphrase.

Here we can see that there is a certifcate for "noble-dan" on Windows and for "noble-ann" on Linux.

Enabling OpenPGP in Gajim

This process is the same for Gajim on Windows or Linux.

Find "Plugins" in the Gajim menu. Enable the PGP plugin from the dialog.

Find "Accounts" in the Gajim menu. In the preferences section, enable "Use PGP Agent".

Select the account name in the Accounts dialog. Click "OpenPGP Key". Add the correct key for the account.

Gajim requests a relogin.

Enter the passphrase of the certificate.

Enabling OpenPGP in Psi-Plus

Psi-Plus for Windows offers OpenPGP encryption, however the Linux version does not.

Open the options dialog and select "Plugins". Enable OpenPGP. Click the configure button on the right side.

In the configure dialog that opens, choose the "Own Keys" tab. Select the correct name of the account, and click the "Select Key" button. Select the key, click the "OK" button.

Click the "Apply" button.

Exchanging Public Keys

At this point, we have two users and two XMPP clients. Each is ready to communicate using OpenPGP Encryption.

  • User “noble-ann” is using Gajim on Linux
  • User “noble-dan” is using Psi-Plus on Windows

noble-dan receives a message from noble-ann. She asks for his public key. From the menu, he can send it easily.

noble-ann receives the public key as text.

noble-ann copies the text of the public key and pastes it into a text editor. She saves the file as

noble-ann imports the file into Kleopatra.

Kleopatra requests that the certificate's fingerprint be verified. This added security measure is optional.

noble-ann can export the public key of her own certificate by viewing the details of the certificate.

noble-ann copies the text of her certificate and pastes it as a message in Gajim.

noble-dan receives the public key. Psi-Plus XMPP client automatically adds the key to the Kleopatra keystore and associates it with noble-ann in the contacts.

At this point, noble-dan can send encrypted messages to noble-ann because Psi-Plus is more automatic.

noble-ann attempts to enable encryption.

noble-ann gets this warning.

noble-ann finds "Assign OpenPGP Key..."

noble-ann assigns the correct public key (noble-dan) to the contact (noble-dan).

Now, the messages are encrypted! A green lock indicates an encrypted message.

This is what a message that says “How are you?", but is encrypted with OpenPGP, looks like on the server:

<message type='chat' id='1ee65f7c-34fc-4a54-a618-c4458f52c2b6' 
<thread>UHJuBakunMSfhbDdNfAvXQJPFjuUKnup</thread><request xmlns='urn:xmpp:receipts'/>
<origin-id id='1ee65f7c-34fc-4a54-a618-c4458f52c2b6' xmlns='urn:xmpp:sid:0'/>
<body>[This message is *encrypted* (See :XEP:`27`]</body>
<x xmlns='jabber:x:encrypted'>hQEMA3hsvJOU9S3nAQf9GqTEcLxHBhJaZpGFqOk5ov9waM0Vq4Kpb3aF/0y6nPgk
=2EGH</x><encryption namespace='jabber:x:encrypted' xmlns='urn:xmpp:eme:0'/></message>

Topics covered on this page:

Last modified June 22, 2020