---
title: PGP plugin usage
sidebar_position: 100
---

# PGP plugin usage

## Enabling the PGP plugin

1. To check whether the PGP plugin is installed, check the Integrations tab in Zammad. This should show ‘PGP’ in the list of integrations. A green dot will appear next to its name if the plugin is enabled - here the plugin is not yet enabled:

   ![Untitled](/docs/link/admin/pgp/Untitled.png)

1. To enable the plugin, open the settings for ‘PGP’, and toggle the switch in the top left corner of the page:

   ![Untitled](/docs/link/admin/pgp/Untitled1.png)

## Sending encrypted email to a user

1. The ‘Public and Private Keys’ section will display all the known encryption keys and associated emails. To be able to send encrypted email to an email address, it is necessary to upload the public key associated with that email address. Usually the public keys will be sent from the PGP users themselves, as attachments to tickets created via email. Here’s an example of such a ticket:

   ![Untitled](/docs/link/admin/pgp/Untitled2.png)

1. To be able to reply to this user using encrypted email, download this attachment and upload it to the ‘Public and Private Keys’ section of the PGP integrations, by selecting ‘Add Public Key’, and then ‘Browse’:

   ![Untitled](/docs/link/admin/pgp/Untitled3.png)

1. The PGP key fingerprint and email will now show up in the list:

   ![Untitled](/docs/link/admin/pgp/Untitled4.png)

1. Replying on the ticket will now show the option to ‘Encrypt’, enabled by default. This means the reply will be sent encrypted. The padlock can be clicked to disable encryption:

   ![Untitled](/docs/link/admin/pgp/Untitled5.png)

## Receiving encrypted email from a user

1. To receive encrypted email, a PGP key must be generated for the helpdesk email. For example, on Linux systems, this can be done using the `gpg` command, and filling in the name and email address for the new key.
   In this example, we create a key for ‘helpdesk’ with email address ‘help@cdr.link’:

   ```text
   gpg --gen-key
   gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
   This is free software: you are free to change and redistribute it.
   There is NO WARRANTY, to the extent permitted by law.

   Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

   GnuPG needs to construct a user ID to identify your key.

   Real name: helpdesk
   Email address: help@cdr.link
   You selected this USER-ID:
       "helpdesk <help@cdr.link>"

   Change (N)ame, (E)mail, or (O)kay/(Q)uit? o
   We need to generate a lot of random bytes. It is a good idea to perform
   some other action (type on the keyboard, move the mouse, utilize the
   disks) during the prime generation; this gives the random number
   generator a better chance to gain enough entropy.
   We need to generate a lot of random bytes. It is a good idea to perform
   some other action (type on the keyboard, move the mouse, utilize the
   disks) during the prime generation; this gives the random number
   generator a better chance to gain enough entropy.
   gpg: key 032591C6B1918366 marked as ultimately trusted
   gpg: revocation certificate stored as '/home/helpdesk/.gnupg/openpgp-revocs.d/78A30920D68F5F1A6C6912D4032591C6B1918366.rev'
   public and secret key created and signed.

   pub   rsa3072 2022-07-27 [SC] [expires: 2024-07-26]
         78A30920D68F5F1A6C6912D4032591C6B1918366
   uid                      helpdesk <help@cdr.link>
   sub   rsa3072 2022-07-27 [E] [expires: 2024-07-26]
   ```

1. Export both the public and private keys just created.

   ```bash
   gpg --export -a helpdesk > helpdesk.pub
   gpg --export-secret-key -a helpdesk > helpdesk.priv
   ```

1. The next step is to upload the helpdesk’s public and private keys to Zammad. The private key will be used to decrypt messages that were sent encrypted to the helpdesk. The public key will be distributed to the helpdesk users who wish to send encrypted email.
   First, upload the public key to the ‘Public and Private Keys’ section of the PGP integrations, by selecting ‘Add Public Key’, and then ‘Browse’ and selecting the public key exported in the previous step:

   ![Untitled](/docs/link/admin/pgp/Untitled6.png)

1. Now add the private key, by selecting ‘Add Private Key’, and then ‘Browse’ and selecting the private key exported in the previous step:

   ![Untitled](/docs/link/admin/pgp/Untitled7.png)

   The display should now indicate the private key was uploaded:

   ![Untitled](/docs/link/admin/pgp/Untitled8.png)

1. Ticket replies will now be sent signed by default. When an encrypted email is sent by a user, its contents will automatically be decrypted and displayed in a ticket.

⚠ Note: for a user to be able to send encrypted email to the helpdesk, the helpdesk public key must first be distributed to that user.
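
A public key that arrives as a ticket attachment (see ‘Sending encrypted email to a user’) is only as trustworthy as the email that carried it, so it is worth inspecting the file and comparing its fingerprint with one confirmed by the key owner over another channel before using ‘Add Public Key’. The script below is an added example, not part of Zammad or of the original page; it checks a downloaded file with `gpg --show-keys` (available in the GnuPG 2.2.27 shown above) without importing it. The function names and the sample listing are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: vet a downloaded key file before "Add Public Key" in Zammad.

# Read `gpg --with-colons` output on stdin. Succeed only if it holds exactly
# one primary key, no secret key material, a primary fingerprint equal to $1,
# and a user ID carrying the e-mail address $2 (the ticket sender).
verify_listing() {
  # Accept fingerprints typed with spaces or in lower case.
  want_fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  awk -F: -v want_fpr="$want_fpr" -v want_mail="<$2>" '
    $1 == "sec"                { secret = 1 }
    $1 == "pub" || $1 == "sec" { keys++; primary = 1; next }
    # Only the first fpr record after pub/sec is the primary fingerprint;
    # later fpr records belong to subkeys.
    $1 == "fpr" && primary     { if ($10 == want_fpr) fpr_ok = 1; primary = 0; next }
    $1 == "uid" && index(tolower($10), tolower(want_mail)) { mail_ok = 1 }
    END { exit !(keys == 1 && !secret && fpr_ok && mail_ok) }
  '
}

# Inspect FILE without importing it into a keyring.
check_key_file() {  # usage: check_key_file FILE FINGERPRINT EMAIL
  gpg --show-keys --with-colons "$1" | verify_listing "$2" "$3"
}

# Constructed listing for a dry run: the fingerprint and user ID are those of
# the key generated on this page; every other field is made up.
sample_listing() {
  cat <<'EOF'
pub:-:3072:1:032591C6B1918366:1658880000:1721952000::-:::scESC:
fpr:::::::::78A30920D68F5F1A6C6912D4032591C6B1918366:
uid:-::::1658880000::0000000000000000000000000000000000000000::helpdesk <help@cdr.link>:
sub:-:3072:1:0000000000000001:1658880000:1721952000:::::e:
fpr:::::::::0000000000000000000000000000000000000001:
EOF
}

# When called with FILE FINGERPRINT EMAIL, check the file and report.
if [ "$#" -eq 3 ]; then
  if check_key_file "$1" "$2" "$3"; then
    echo "OK: one public key, fingerprint and address match"
  else
    echo "MISMATCH: do not upload this file"
  fi
fi
```

The same check applied to `helpdesk.pub` confirms that the file handed out to users contains no secret key material.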