FAQ on User Issues

This section provides answers to frequently asked questions about common issues users may encounter when using the software.

You'll find additional FAQ sections here:

FAQ on Usage/Best Practises FAQ for Administrators

Encryption using public keys and certificates

Why does Kleopatra say “No secret key” when decrypting?

This error occurs when Kleopatra can't find a matching secret key, in other words, a key that fits the encrypted file.

Common causes:

  • The sender forgot to add your certificate as a recipient when encrypting the file.
  • The wrong certificate was used by mistake.

-You created a new OpenPGP key pair but didn't revoke the old one. Now two certificates exist with the same user ID, but only the new one includes a secret key.

What to do?

Ask the sender to encrypt the file again and this time, to select your current certificate under Encrypt for others in the file encryption dialog.

Selecting the recipient's certificate during encryption

If you're unsure, just send your current certificate to the sender again, ideally along with any older versions (expired or revoked) that use the same user ID.

Important: When decrypting, what matters is the certificate's fingerprint, not the user ID. There can be multiple certificates with the same name and email address, but only one of them will work.

Read: “What should I do if my name or email address changes?”

Why is my (or someone else's) certificate no longer shown as VS-NfD compliant?

In Kleopatra, you might see an OpenPGP certificate marked as not VS-NfD compliant (highlighted in pink). This means the algorithm used does not meet the requirements for handling information classified as Classified – FOR OFFICIAL USE ONLY (VS-NfD).

This warning only appears if the certificate was not created using GnuPG VS-Desktop®.

In most cases, the issue is due to the use of the RSA-2048 algorithm, which lost its VS-NfD approval in early 2024. The ECC algorithms Ed25519 and Curve25519, which are the default choices in Gpg4win, are also currently not approved by the BSI for VS-NfD use.

If, however, you create a key using the ECC algorithm based on the Brainpool curve, the situation is different: this variant is approved for VS-NfD and can be generated directly using GnuPG VS-Desktop®.

How do I detect a certificate's algorithm?

Whether a certificate meets the requirements for VS-NfD depends on the algorithm it uses. You can easily check this yourself.

For OpenPGP certificates:

  1. In Kleopatra, double-click the relevant certificate.
  2. Switch to the Subkeys tab.
  3. In the Algorithm column, you'll see entries like RSA 2048, ECC (Ed25519), or ECC (Cv25519). If the certificate is shown as non-compliant, it's often because of these specific entries.

For S/MIME certificates:

  1. Double-click the certificate.
  2. Open the Certificate Dump tab.
  3. Look for the keyType field. This may show values like rsa4096 (compliant) or rsa2048 (non-compliant).

What does this mean for how certificates appear in Kleopatra? Certificates using a VS-NfD-compliant algorithm are highlighted in light green and labeled VS-NfD Compliant. All others may still be certified but are not compliant; they appear in pink with the status certified.

Status display for OpenPGP certificates

Root certificates that are trusted are always shown in blue in Kleopatra, regardless of whether they use VS-NfD-compliant algorithms or not. In the Status column, you'll see either VS-NfD compliant or certified.

If the status shows not certified, it means the certificate is not trusted. To use such a root certificate without restrictions, it must be installed and explicitly trusted by an administrator.

Read: "Installation of Root CA Certififcates"

S/MIME certificates follow the same rules for VS-NfD compliance as OpenPGP certificates. The deciding factor is the algorithm used.

Status display for S/MIME

Why is my own certificate marked as "Not certified"?

If your own OpenPGP certificate shows up as not certified in Kleopatra, the reason is usually a small detail: When importing a backup, you didn't confirm that the certificate belongs to you.

You can easily fix this with just a few clicks: Right-click the entry and select Change Certification Power.

Helpful to know: Kleopatra displays your own public keys (certificates) with a corresponding private key in bold.

Why does encryption fail with "Unusable public key"?

This error message appears when you try to encrypt to a Kleopatra group that contains at least one certificate which wasn't properly renewed.

A common case: The certificate had expired and was extended using Kleopatra (up to and including GnuPG VS-Desktop® 3.1.26), but only partially. At first glance, everything seems fine: the certificate is marked as valid. But behind the scenes, the encryption subkey hasn't been renewed, making the certificate unusable for encryption. (Ticket T6473)

Solution: The person whose certificate is affected needs to manually extend the subkey.

Here's how to do it:

1. In Kleopatra, open the certificate list and double-click your certificate.

2. In the new window, click More Details in the lower-left corner.

3. The detail view now shows two lines: The first (for the signing subkey) says valid, the second (for the encryption subkey) says expired.

4. Right-click the second line and choose Change validity from the context menu.

Changing a certificate's validity

5. Now set the same expiration date as shown in the first line and confirm by clicking OK.

Set a new expiration date

6. Both subkeys now share the same expiration date, and the certificate is fully usable again. Everything should work as expected.

Both subkeys now share the same expiration date.

7. Do a quick test, and encrypt a file or message to yourself. If it works, you're good to go.

8. Finally, export the updated certificate and share it with your communication partners. This ensures they can see and use the new validity period as well.

Why isn't my certificate available for encryption after renewal?

At first glance, the certificate looks perfectly fine, and it appears as valid in the certificate list. However, it doesn't show up when encrypting a file or in Outlook.

This happens when an expired certificate was renewed using Kleopatra from GnuPG VS-Desktop® (version 3.1.26 or earlier), but not completely.

See: "Encryption failed: unusable public key"

Why can’t I select a recipient for file encryption?

If you can't select any recipients in the file encryption dialog, it's usually due to a setting in Kleopatra. The recipient field appears grayed out because Kleopatra is set to use symmetric encryption only.

The "Sign/Encrypt Files" dialog

To fix this, open the settings and go to the Crypto Operations tab. Check if the option Use symmetric encryption only is enabled.

Cryptographic operations in Kleopatra

Uncheck the box to enable recipient selection again.

Password-Based Encryption

Why does decryption fail with "Bad passphrase"?

You entered an incorrect password or accidentally copied an extra character like a space. Please double-check your input and make sure capitalization matches exactly.

The passphrase is incorrect

If the password was generated by GnuPG VS-Desktop®, it consists of exactly 30 characters from the following set: 13456789abcdefghijkmnopqrstuwxyz (For readability, the characters 0, 2, l, and v are not included.)

Important: These passwords may be shown with spaces to improve readability. Do not include the spaces when entering the passphrase.

GpgOL Questions

What does "Not all attachments can be shown" mean?

When opening an encrypted email, GpgOL may display the message Not all attachments can be shown. This behavior is typically caused by the internal handling of messages within the add-on: When decrypting, GpgOL retains the original encrypted message and attaches the decrypted version to the same mail object. As a result, the email size temporarily doubles.

If this size exceeds the maximum message limit configured on the Exchange server, GpgOL displays only as many attachments as technically possible. The rest are suppressed, and the above message is shown.

The encryption method also plays a role:

  • S/MIME messages are not compressed, so they reach the limit more quickly.
  • OpenPGP messages use compression and are generally smaller.

Workaround: Save the affected email via drag & drop to your local file system and open it using Windows Explorer. This allows the message to be decrypted outside of Outlook.

If this issue occurs frequently, you may consider increasing the message size limit on your Exchange server.

GpgOL/Web Questions

What is the difference between GpgOL and GpgOL/Web

The "New Outlook" (based on the same technology as "Outlook on the Web (OWA)") is technically completely different from the older "Classic Outlook". For the former you will need to use GpgOL/Web, while for "Classic Outlook" you need GpgOL. At the time of this writing GpgOL/Web is available for GnuPG Desktop®, only. We intend to include it in the next major release of GnuPG VS-Desktop®.

The outlook extension manager does not appear while trying to install the add-in

The "Outlook Extension Manager"-button will open the Outlook Extension Manager in your default web browser. Make sure to log in to your Outlook account, when prompted. The page may take a while to load, completely, so please be patient. Some users report that the extension manager could be opened, once, but could not be opened again, after closing it. It may help to close and re-open your browser window, copy the link to a different browser (e.g. Firefox), or to restart your system.

If troubles persist, you may also want to try the following links:

I have installed the manifest file in Outlook, but no GnuPG icon is visible

Before anything else make sure that the GpgOL/Web app is started (you should see the icon in your system task bar). Click on the status icon to show the current connection status. Make sure that the proxy is shown as running, and connected.

The troubleshooting page of the settings has a button to test for any problems related to the SSL certificate used by GpgOL/Web. If this shows any problems, (such as a warning about a potential security risk), you should try to regenerate the certificate from the "Proxy & SSL" page. You will have to restart the Outlook app and/or your browser, after this.

You should generally make sure to start GpgOL/Web before you open Outlook. If you forgot, try reloading your browser window or restarting Outlook.

Outlook Add-Ins are loaded sequentially and over the web. Even if everything is installed correctly, it may take a while for the icon to appear. Please be patient.

Depending on your screen width and various settings, the icon may not be visible in the main ribbon by default. In this case you should find the GnuPG button when clicking on "More apps". A right mouse button click on the icon should offer the option to "pin" the icon to the main ribbon.

Some browsers will ask whether Outlook may access your local network. Please answer "Yes" to this question, as the GpgOL/Web Add-in is loaded from your local computer. Should you have answered "No" to this question, look for "Website Permissions" in your browser's settings to change it.

When working with an organization or school account, your administrator may need to grant permission to use the add-in.

The GnuPG icon is visible but shown disabled / greyed out

The add-in can only be used while an e-mail is selected for reading. We hope to change this in a future release, but it is currently a limitation in the add-in interface provided by Outlook.

The GnuPG task pane closes whenever I select a different e-mail

Use the "pin" icon to keep the task pane open as long as an e-mail is selected.

Unless otherwise noted, these web pages are: Copyright 2025 g10 Code GmbH. Verbatim copying and distribution is permitted in any medium, provided this notice is preserved. See the Legal Notice & Privacy Policy for details. This page was last changed on 2026-03-26.