Update: August 2019. In August 2017, I wrote this post to document my process for getting gpg2 working on OpenBSD 6.1 after not finding a straight-forward explanation online. In the two years since, I have used these notes to set up mutt on both OpenBSD and several varieties of Linux, such as Debian derivatives, Arch and others. With a little work, I have managed to get mutt working on each of these systems.
In the update, I went through through and cleaned up the post a bit for clarity and fixed some formatting now that WordPress has better options for including code. If you are trying to get gpg/gpg2 working with mutt, hopefully, this will help you too. If you find errors, please feel free to comment below and I’ll try to fix them.
Install mutt and gnupg
[OpenBSD] # pkg_add -i mutt gnupg
A series of options will display. Pick the current version of mutt-1.8.0v3-gpgme-sasl and gnupg-2.1.15p2.
[Ubuntu/Debian] # sudo apt-get install mutt gnupg
Change to the relevant package manager equivalent if you don’t use apt. You may also need to add cyrus-sasl to your package manager on linuxes without it baked in.
Copy gpg.conf to your home directory
[OpenBSD] $ cp /usr/local/share/gnupg/options.skel ~/.gnupg/gpg.conf
[Ubuntu/Debian]$ cp /usr/share/doc/mutt/examples/gpg.rc ~/.gnupg/gpg.conf
On Ubuntu/Debian, this step might not be necessary. If using gpg2, you’ll need to substitute gpg2 for all the gpg commands in the config file should you need it.
Add text to gpg.conf
# Enable gpg-agent
This step seemed required on OpenBSD. On many varieties of Linux, it does not seem to matter. I’d guess gnome has something that automagically handles this in the background.
Start the gpg-connect-agent daemon
On some linux distros, this step may already be taken care of for you.
Import your secret and public gpg keys
$ gpg2 --decrypt file.sec.gpg | gpg2 --import --batch
If you don’t have gpg keys yet, check out man for gpg or the Ubuntu privacy documentation for details about doing it.
Check your gpg keyring
$ gpg2 -K
$ gpg2 -K
Important step. It’s very easy during the import process to type in a key, password, or command wrong and not import your secret keys. I ended up troubleshooting my mutt configuration for a couple of hours before I figured out it wasn’t working because I didn’t have my gpg keys on my keyring. Save yourself this trouble and check.
Create a text file with your email password
set imap_pass = "yourpassword"
set smtp_pass = "yourpassword"
Save this file to ~/.gnupg/email-password.gpg
Encrypt your email-password.gpg file
$ gpg2 --encrypt /home/cafebedouin/.gnupg/email-password.gpg
Add a .mailcap configuration file for HTML email in Mutt
Put the following in your ~/.mailcap file or create one if it doesn’t exist. Install lynx or another text browser of your choice. If different, change lynx to the alternative in the text below.
text/html; /usr/bin/firefox %s >/dev/null 2>&1; needsterminal
text/html; lynx -dump %s; nametemplate=%s.html; copiousoutput
Create a ~/.muttrc configuration file
# gpg.rc is unnecessary on some systems.
# On OpenBSD, you're probably going to need it.
# OpenBSD: /usr/local/share/examples/mutt/gpg.rc
# source ~/.mutt/gpg.rc
set pgp_use_gpg_agent = yes
set pgp_sign_as = 0O0ABCDZ # replace with your key
set pgp_timeout = 7200
set crypt_autosign = no
set crypt_replyencrypt = no
# password: tell mutt where to find your encrypted
# password, depending on what you installed, you
# may need to change initial command to gpg
source "gpg2 -dq ~/.mutt/email-password.gpg |"
# mailbox configuration
set imap_user = email@example.com
# Only need the example.net if your root email address is different from server, otherwise just use your login
set folder = imaps://firstname.lastname@example.org@example.com:993
set spoolfile = imaps://email@example.com@example.com/INBOX
set smtp_url = smtp://firstname.lastname@example.org@example.com:587
set postponed = +Drafts
set record = +Sent
set trash = +Trash
mailboxes = +INBOX
set hostname = example.net
set from = email@example.com
# mutt configuration
set ssl_starttls = yes
set use_from = yes
set postpone = ask-yes
set delete = ask-yes
set editor = "emacs -nw" # or vi
set pager = lynx
set charset = "utf-8"
set visual = "emacs"
set signature = ~/.mutt/sig.txt
set alias_file = ~/.mutt/aliases
set mailcap_path = ~/.mailcap
auto_view text/html # auto render html to text
alternative_order text/plain text/enriched text/html # read html last
# Reduce polling frequency to a sane level
# keep a cache of headers for faster loading (1.5.9+?)
# Display download progress every 10K
The line to decrypt your password activates the gpg-connect-agent daemon and will not ask for you to enter it again for the duration of pgp_timeout specified in the file.
This should get you to a working set-up to read and write email. If you are having trouble logging in, double check your encrypted password file, particularly if your password requires escaping special characters.