mail-gpg travis-ci ruby Rubygems

GPG/MIME extension for the Ruby Mail Library

4 years after

Mail::Gpg Build Status

This gem adds GPG/MIME encryption capabilities to the Ruby Mail Library

For maximum interoperability the gem also supports decryption of messages using the non-standard 'PGP-Inline' method as for example supported in the Mozilla Enigmail OpenPGP plugin.

There may still be GPG encrypted messages that can not be handled by the library, as there are some legacy formats used in the wild as described in this Know your PGP implementation blog.


Add this line to your application's Gemfile:

gem 'mail-gpg'

And then execute:

$ bundle

Or install it yourself as:

$ gem install mail-gpg


Encrypting / Signing

Construct your Mail object as usual and specify you want it to be encrypted with the gpg method: do
  to '[email protected]'
  from '[email protected]'
  subject 'gpg test'
  body "encrypt me!"
  add_file ""

  # encrypt message, no signing
  gpg encrypt: true

  # encrypt and sign message with sender's private key, using the given
  # passphrase to decrypt the key
  gpg encrypt: true, sign: true, password: 'secret'

  # encrypt and sign message using a different key
  gpg encrypt: true, sign_as: '[email protected]', password: 'secret'

  # encrypt and sign message and use a callback function to provide the
  # passphrase.
  gpg encrypt: true, sign_as: '[email protected]',
      passphrase_callback: ->(obj, uid_hint, passphrase_info, prev_was_bad, fd){puts "Enter passphrase for #{passphrase_info}: "; (IO.for_fd(fd, 'w') << readline.chomp).flush }

Make sure all recipients' public keys are present in your local gpg keychain. You will get errors in case encryption is not possible due to missing keys. If you collect public key data from your users, you can specify the ascii armored key data for recipients using the :keys option like this:

johns_key = <<-END
Version: GnuPG v1.4.12 (GNU/Linux)

END do
  to '[email protected]'
  gpg encrypt: true, keys: { '[email protected]' => johns_key }

The key will then be imported before actually trying to encrypt/send the mail. In theory you only need to specify the key once like that, however doing it every time does not hurt as gpg is clever enough to recognize known keys, only updating it's db when necessary.

You may also want to have a look at the GPGME docs and code base for more info on the various options, especially regarding the passphrase_callback arguments.


Receive the mail as usual. Check if it is encrypted using the encrypted? method. Get a decrypted version of the mail with the decrypt method:

mail = Mail.first
mail.subject # subject is never encrypted
if mail.encrypted?
  # decrypt using your private key, protected by the given passphrase
  plaintext_mail = mail.decrypt(:password => 'abc')
  # the plaintext_mail, is a full Mail::Message object, just decrypted

Set the :verify option to true when calling decrypt to decrypt and verify signatures.

A GPGME::Error::BadPassphrase will be raised if the password for the private key is incorrect. A EncodingError will be raised if the encrypted mails is not encoded correctly as a RFC 3156 message.

Signing only

Just leave the :encrypt option out or pass encrypt: false, i.e. do
  to '[email protected]'
  gpg sign: true

Verify signature(s)

Receive the mail as usual. Check if it is signed using the signed? method. Check the signature of the mail with the signature_valid? method:

mail = Mail.first
if !mail.encrypted? && mail.signed?
  verified = mail.verify
  puts "signature(s) valid: #{verified.signature_valid?}"
  puts "message signed by: #{{|sig|sig.from}.join("\n")}"

Note that for encrypted mails the signatures can not be checked using these methods. For encrypted mails the :verify option for the decrypt operation must be used instead:

if mail.encrypted?
  decrypted = mail.decrypt(verify: true, password: 's3cr3t')
  puts "signature(s) valid: #{decrypted.signature_valid?}"
  puts "message signed by: #{{|sig|sig.from}.join("\n")}"

It's important to actually use the information contained in the signatures array to check if the message really has been signed by the person that you (or your users) think is the sender - usually by comparing the key id of the signature with the key id of the expected sender.

Key import from public key servers

The Hkp class can be used to lookup and import public keys from public key servers. You can specify the keyserver url when initializing the class:

hkp ="hkp://")

If no url is given, this gem will try to determine the default keyserver url from the system's gpg config (using gpgconf if available or by parsing the gpg.conf file). As a last resort, the server-pool at will be used.

Lookup key ids by searching the keyserver for an email address'[email protected]')

You can lookup (and import) a specific key by its id:

key = hkp.fetch(id)

# or do both in one step

Rails / ActionMailer integration

class MyMailer < ActionMailer::Base
  default from: '[email protected]'
  def some_mail
    mail to: '[email protected]', subject: 'subject!', gpg: { encrypt: true }

The gpg option takes the same arguments as outlined above for the Mail::Message#gpg method.

Running the tests

bundle exec rake

Test cases use a mock gpghome located in test/gpghome in order to not mess around with your personal gpg keychain.

Password for the test PGP private keys is abc


  • signature verification for received mails with inline PGP
  • on the fly import of recipients' keys from public key servers based on email address or key id
  • handle encryption errors due to missing keys - maybe return a list of failed recipients
  • add some setup code to help initialize a basic keychain directory with public/private keypair.


  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create new Pull Request


Thanks to:

  • Planio GmbH for sponsoring the ongoing maintenance and development of this library
  • morten-andersen for implementing decryption support for PGP/MIME and inline encrypted messages
  • FewKinG for implementing the sign only feature and keyserver url lookup
  • Fup Duck for various tweaks and fixes

Related Repositories



Mail-in-a-Box helps individuals take back control of their email by defining a o ...



A chrome plugin that enables gpg encryption and decryption for the gmail web int ...



Encrypted end to end file transfer ...



Gmail, Gnus and GPG ...

GPG Mail Gateway for Postfix fork ...

Top Contributors

jkraemer morten-andersen dmke ilyakatz meineerde yeah


-   0.2.4 zip tar
-   0.2.3 zip tar
-   0.2.2 zip tar
-   0.2.1 zip tar
-   0.1.7 zip tar
-   0.1.6 zip tar
-   0.1.5 zip tar