Kleopatra Settings

Kleopatra settings

Kleopatra settings can be controlled through configuration files or, since version 3.1.24, the Windows Registry.

The system wide configuration is placed under:
HKEY_LOCAL_MACHINE\Software\Wow6432node\GNU\Kleopatra
and in:
C:\Program Files (x86)\GnuPG VS-Desktop\share\kleopatrarc

Please note that the system wide configuration file can be overwritten when an update is installed. Since version 3.1.24 the recommended way to set defaults is through group policies / registry entries.

The user configuration is placed under:
HKEY_CURRENT_USER\Software\GNU\Kleopatra
and in:
%LOCALAPPDATA%\kleopatrarc

The local kleopatrarc can be used for experiments.

The order in which the entries are read is:

  1. HKEY_LOCAL_MACHINE\Software\Wow6432node\GNU\Kleopatra
  2. C:\Program Files (x86)\GnuPG VS-Desktop\share\kleopatrarc
  3. HKEY_CURRENT_USER\Software\GNU\Kleopatra
  4. %LOCALAPPDATA%\kleopatrarc

A restart of Kleopatra is required for changes to take effect.

User configuration takes precedence over system wide configuration unless the marker [$i] is set on a configuration group or entry to mark it as immutable.

In the Windows registry groups are subkeys under the default key Kleopatra. Group and entry names can contain the [$i] marker. Values have to be either of type REG_SZ or REG_EXPAND_SZ. Environment variables are expanded in case REG_EXPAND_SZ is the type of the value.

In the settings file the format is a key=value ini format. A group is opened in [] above the key value pairs. Unknown entries are ignored. Same Groups can occur multiple times.

Internal settings can occur in the config files. They are not documented here and this documentation does not claim to be exhaustive.

Any configuration made in Kleopatra can be seen in the local kleopatrarc and extracted from there to the registry or system wide configuration.

Example contents of the Windows registry

kleopatra-registry-example.png

Example contents of the ini file

[KDE Action Restrictions][$i]
action/help_check_updates=false
action/help_about_kde=false
action/file_export_certificates_to_server=false
action/certificates_certify_certificate=false
action/certificates_revoke_certification=false
action/configure_backend=false
action/options_configure=false

[UpdateNotification][$i]
NeverShow=true

[Notification Messages][$i]
CertifyQuestion=false

KDE Action Restrictions

[KDE Action Restrictions] is the group to disable user actions. All actions that can be found under Settings -> Configure Toolbars in Kleopatra can be disabled.

The action names are defined in the source code and orient themself on the English menu structure.

To disable an action define the value to false and prepend the name with action/

e.g.: action/file_new_certificate=false

certificates_add_userid
certificates_certify_certificate
certificates_change_expiry
certificates_change_owner_trust
certificates_change_passphrase
certificates_delete
certificates_distrust_root
certificates_revoke_certification
certificates_trust_root
clipboard_menu
configure_backend
configure_groups
crl_clear_crl_cache
crl_dump_crl_cache
crl_import_crl
file_checksum_create_files
file_checksum_verify_files
file_decrypt_verify_files
file_export_certificates
file_export_certificates_to_server
file_export_paper_key
file_export_secret_keys
file_import_certificates
file_lookup_certificates
file_new_certificate
file_sign_encrypt_files
file_sign_encrypt_folder
help_check_updates
help_show_compendium
manage_smartcard
pad_view
settings_self_test
tools_refresh_openpgp_certificates
tools_refresh_x509_certificates
tools_start_kwatchgnupg
view_certificate_details
view_certificate_overview
view_redisplay
view_stop_operations
window_close_tab
window_collapse_all
window_duplicate_tab
window_expand_all
window_move_tab_left
window_move_tab_right
window_new_tab
window_rename_tab
window_view_hierarchical

Update check related settings

Group Name : [UpdateNotification]

NeverShow
Set this to false to never show update notifications. Default: false

Certificate Creation Settings

Group :: [CertificateCreationWizard]

CN_placeholder
Placeholder for CN. This text will be used as placeholder text for the common name (CN) field of S/MIME certificates. Default:
CN_prefill
Prefill CN automatically. If true, then the common name (CN) field of S/MIME certificates will be prefilled with information gathered from the system, e.g., from the email settings of the desktop or, on Windows, from the Active Directory. Default: true
EMAIL_placeholder
Hint for EMAIL. This text will be shown above the email address field of OpenPGP certificates and used as placeholder text in that field for S/MIME. Default:
EMAIL_prefill
Prefill EMAIL automatically. If true, then the email address field of OpenPGP and S/MIME certificates will be prefilled with information gathered from the system, e.g. from the email settings of the desktop or, on Windows, from the Active Directory. Default: true
EMAIL
Value for EMAIL. This will be inserted into the email address field of OpenPGP and S/MIME certificates. Overrides EMAIL_prefill. Use type REG_EXPAND_SZ. Default:
NAME_placeholder
Hint for NAME. This text will be shown above the name field of OpenPGP certificates. Default:
NAME_prefill
Prefill NAME automatically. If true, then the name field of OpenPGP certificates will be prefilled with information gathered from the system, e.g. from the email settings of the desktop or, on Windows, from the Active Directory. Default: true
NAME
Value for NAME. This will be inserted into the name field of OpenPGP certificates. Overrides NAME_prefill. Use type REG_EXPAND_SZ. Default:
ValidityPeriodInDays
Default validity period. This setting specifies how many days a new OpenPGP key is valid by default, or, in other words, after how many days the key will expire. It also applies when changing a keys validity period. Set this to 0 for unlimited validity. If this setting is not set or is set to a negative value, then new or extended OpenPGP keys will be valid for three years by default. Default: -1
ValidityPeriodInDaysMin
Minimum validity period. Specifies the minimum number of days for the validity period of an OpenPGP key at creation or change of validity.
ValidityPeriodInDaysMax
Maximum validity period. Specifies the maximum number of days for the validity period of an OpenPGP key at creation or change of validity. If this setting is not set or is set to a negative value, then unlimited validity is allowed. If ValidityPeriodInDaysMin = ValidityPeriodInDaysMax then this validity period can not be changed using Kleopatra.
HideAdvanced
Hide advanced settings. If true, hides the advanced settings button in the new certificate wizard. Default: false

Certification

Group :: [Certification]

CertificationValidityInDays
Default certification validity period. This setting specifies how many days a certification is valid by default. Set this to 0 for unlimited validity of certifications.

S/MIME / CMS related settings

Group :: [CMS]

Enabled
Enable S/MIME. If false, then Kleopatra's main UI will not offer any functionality related to S/MIME (CMS). Default: true
AllowCertificateCreation
Allow S/MIME certificate creation. If false, then Kleopatra will not offer the creation of S/MIME certificate signing requests. Default: true
AllowSigning
Allow signing with S/MIME certificates If false, then Kleopatra will not offer functionality for creating signatures with S/MIME certificates. Default: true

Group :: [DN]

AttributeOrder
DN-Attribute Order Specifies the display order of the DN attributes of X.509 certificates.

Configuration Dialog

Group :: [ConfigurationDialog]

ShowAppearanceConfiguration
Show appearance configuration Default: true
ShowCryptoOperationsConfiguration
Show crypto operations configuration Default: true
ShowDirectoryServicesConfiguration
Show directory services configuration Default: true
ShowGnuPGSystemConfiguration
Show GnuPG system configuration Default: true
ShowSMimeValidationConfiguration
Show S/MIME validation configuration Default: true
ShowSmartCardsConfiguration
Show smart cards configuration Default: true

Group related settings

Group :: [Groups]

GroupsEnabled
Enable Groups. Enable usage of groups of keys to create lists of recipients. Default: true

Smartcard related settings

Group :: [Smartcard]

AlwaysSearchCardOnKeyserver
Always search smart card certificates on keyserver. Searches on keyservers regardless of the protocol for the smart cards key, regardless of the keyserver protocol. Default behavior is to only do this for LDAP keyservers. Default: false
AutoLoadP15Certs
Automatically load S/MIME certificates from PKCS#15 (CardOS) smart cards. If true, then Kleopatra will call gpgsm –learn if a PKCS#15 Smartcard is inserted with unknown certificates. This can take a while and blocks the smart card while the command is running. Default: true

File Operation settings

These can also be set in Kleopatra configuration user interface.

Group :: [FileOperations]

UsePGPFileExt
Use pgp as the default extension for generated OpenPGP files. Set this to make Kleopatra default to pgp file extensions for OpenPGP files. Default: false
AutoDecryptVerify
Automatically start operation based on input detection for decrypt/verify. With this option set Kleopatra no longer asks you what you want to do with input files but instead automatically starts the operations it detects as applicable to the input. Default: true
AddASCIIArmor
Create signed or encrypted files as text files. Set this option to encode encrypted or signed files as base64 encoded text. So that they can be opened with an editor or sent in a mail body. This will increase file size by one third. Default: false
DontUseTmpDir
Create temporary decrypted files in the folder of the encrypted file. Set this option to avoid using the users temporary directory. Default: false
SymmetricEncryptionOnly
Use symmetric encryption only. Set this option to disable public key encryption. Default: false

Tooltip settings

Group :: [Tooltip]

ShowValidity
Show certificate validity. Show validity information for certificates in tooltip, such as whether the certificate is expired or revoked. Default: true
ShowOwnerInformation
Show certificate owner information. Show owner information for certificates in tooltip, such as User IDs, subject and issuers. Default: false
ShowCertificateDetails
Show certificate details. Show more certificate details, such as fingerprint, key length and expiration dates Default: false

Tag / Remark settings

Group :: [RemarkSettings]

UseTags
Use tags. Enable display and usage of tags attached to keys. Default: false
TagKey
Fingerprint of tag key. If a key is specified, then only tags made with this key are considered. Otherwise, tags made with any fully trusted key are considered. Default:

Import related settings

Group :: [Import]

RetrieveSignerKeysAfterImport
Retrieve signer keys after import If enabled, then Kleopatra will automatically try to retrieve the keys that were used to certify the user ids of newly imported OpenPGP keys. This is useful in combination with trusted introducers. Default: false [since 3.1.21.0]
QueryWKDsForAllUserIDs
Query certificate directories of providers for all user IDs By default, Kleopatra only queries the certificate directories of providers (WKD) for user IDs that were originally retrieved from a WKD when you update an OpenPGP certificate. If this option is enabled, then Kleopatra will query WKDs for all user IDs. Default: false

Group :: [Notification Messages]

CertifyQuestion
Ask for certification on import. Set this false to avoid asking the user to certify an imported key. Useful if the certificates_certify_certificate action is disabled. Default: true

Expiration related settings

Group :: [Notifications]

ShowExpiryNotifications
Notify about upcoming certificate expiration If enabled, then Kleopatra will show notifications in some place when using certificates that are about to expire soon. Default: true