How to configure gpg/pgp encrypted communication for OTRS / Znuny?

Learn how to configure your OTRS to encrypt and decrypt GPG messages easily for your agents.

Basically you have two steps, the preparation on your operating system of OTRS, and to be specific in the user context of the running otrs. The usercontext is typically the user otrs (default on all debian, ubuntu also for redhat and centos).

OS dependent steps

You need to prepare your OS to be able to use GPG in OTRS properly.

Install GPG

First install gpg on your OS. Typically it is already installed, anyway test it by executing these commands.


sudo apt install gpg

redhat and centos

sudo yum install gnupg2

Prepare your OTRS users home directory with GPG keys

first we need to find out your home directory. Use this command to get the detals:

sudo -H -u otrs bash -c 'echo "I am user $USER, with uid $UID"; echo "my home dir is $HOME"'

you will get something like this (example is from centos)

I am user otrs, with uid 500
my home dir is /opt/otrs

Generate the GPG keys

The next step is now to generate the GPG keys for the otrs user.

sudo -H -u otrs bash -c 'gpg --gen-key'

This will result in something like

gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory `/opt/otrs/.gnupg' created
gpg: new configuration file `/opt/otrs/.gnupg/gpg.conf' created
gpg: WARNING: options in `/opt/otrs/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/opt/otrs/.gnupg/secring.gpg' created
gpg: keyring `/opt/otrs/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 2

Use DSA and Elgamal which is said to be more secure over RSA. In our case enter ‘2’.
The next question is asking for the length of the key. Use at least 2048 bits. Better you go to a longer version like we use 3072 bits length.

DSA keys may be between 1024 and 3072 bits long.
What keysize do you want? (2048) 3072
Requested keysize is 3072 bits

The key expire time frame shall be typically multiple years. We will use here unlimted (key does not expire).

Please specify how long the key should be valid.
0 = key does not expire
= key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all

Confirm this parameters and add now the personal data to the key details.

Do you need help with Znuny / OTRS?
We have lot of experiences with OTRS and Znuny and can help you with your issues. Get in touch with us and we will check if and how we can help you.

Leave a Comment

Do you need help with Znuny / OTRS?​

We have lot of experiences with OTRS and Znuny.
We can help you with your issues to solve them.

From giving you support up to implementing integrations to your existing systems.

Get in touch with us and we will check if and how we can help you.​

Get OTRS/Znuny/OTOBO Support
Step 1 of 2
To get a quick and efficient clearance of your needs, our experts will call you.
We communicate in English.
Maybe we can communicate in your native language too. So please let us know your native written and spoken language.

Your environment

We have different partners for different tasks and company sizes.
To assign you the right partner and thus the proper system engineers, we would like to ask you for more details about your environment.
The more details we get the quicker we can narrow down to the right persons.