How to install Kleopatra on Qubes OS

I have experience using Qubes OS but I have never installed any software before.
Can anyone within this community kindly give me a step by step on how to install and run Kleopatra PGP application?
Thank you in advance.

Like normal but in the template that your AppVM is based on.

For example, open debian-12-minimal and run apt install kleopatra

Then shut down your template, restart your AppVM and then Kleopatra will be installed.

I opened terminal Debian 12 entered
apt install Kleopatra

E: could not open lock file /var/lib/dpkg/lock - frontend - open (13 : permission denied)
E: unable to acquire the dpkg frontend lock (/var/lib/dpkg/lock - frontend) , are you root?

Use this command:

sudo apt install kleopatra

The installation completed within the terminal and I shut down debian 12. Now where do I find the Kleopatra app?

Check the link posted by @org:

  • Shut down the template.

  • Restart all qubes based on the template.

  • (Recommended) In the relevant qubes’ Settings > Applications tab, select the new application(s) from the list, and press OK. These new shortcuts will appear in the Applications Menu. (If you encounter problems, see here for troubleshooting.)

1 Like

Worked thank you

How do I bring the Kleopatra app over to anon-whonix?

Install it in Whonix Workstation template e.g. whonix-workstation-17.

1 Like

I installed on whonix-workstation-17 and I shutdown.
Restarted Qubes os, opened up the settings and applications and I do not see the Kleopatra app in the all available applications list.

Press the Refresh button in the anon-whonix Settings > Applications tab and check again.


I appreciate your help I have learned much from our conversation.

You may want to consider not connecting the VM containing Kleopatra to the Internet.

If you are typing a message and using PGP in Kleopatra and there’s internet access to the VM, you are increasing your attack surface. Without internet, an attacker would have to attack dom0 or parts of your system that may have priviledges that dom0 has (like Intel ME). It would be much harder for an attacker to do this.

You can download .asc files in a disposible whonix VM and copy them to the Kleopatra VM and then add them that way. There may be other better ways of doing this, but only using Kleopatra while attached to the internet increase the risk of attack, which may be very low for you depending on your threat model.

When you say copy them to a Kleopatra VM what do you mean?
I have Kleopatra app running in whonix so should I have Kleopatra running on a different template?

This sentence has me worrying that you may execute programs inside of template VMs. Template VMs are only meant to install software, but never execute them. This you do in App VMs.

You can download .asc files in a disposible whonix VM and copy them to the Kleopatra VM and then add them that way.

@dispuser means that you should

  • start a whonix disposable VM
  • download the asc files inside of the disposable VM
  • use qvm-copy file.asc to copy them to a VM of your choice (that has no network)

I’d recommend to invest a bit of time to get familiar with qubes. Its somewhat command line based at times. I have recently written a blogpost about qubes that is targeted at beginner Level experience: How to Create Qubes OS VMs Using the Command Line If you have the time, I’d recommend to read the whole article and try the examples. It will help you to get a better understanding of how qubes VMs are intended, how to install packages and so on.

I think that @Year1qubes meant that he should try running Kleopatra in a
qube based on a different template, not that he should run it in a
template. This is a reasonable trouble shooting approach.

In any case there are many cases where you might want to run a program in
a template, e.g. to change configuration, resolve annoying “first use”
prompts, etc etc. Some of these changes will be system wide and will
appear in all qubes using that template, and some will be user based,
and so must be copied in to /etc/skel in the template.

Of course, if running the software is a security risk, this may
compromise every qube that uses the template where you ran it. This is
one reason why you may choose to install it in a cloned template, used
only by qubes where you will run it. (The risk in those qubes is almost
exactly the same.) If there is only one such qube, use a standalone, and
install and configure the software there.

I never presume to speak for the Qubes team. When I comment in the Forum I speak for myself.
1 Like

Thank you for clarifying Unman

Yes this worked thank you Tanner