From Organic Design wiki

PGP (Pretty Good Privacy) is actually the name of the original encryption program that provides cryptographic privacy and authentication for data communication and was developed by Phil Zimmermann in 1991. But these days PGP more commonly refers to the open internet standards which encapsulate this original functionality, OpenPGP and GNU Privacy Guard (GPG). In this article we refer exclusively to using PGP functionality via GPG.

Manual PGP encryption/decryption

This is from a Bitcoin Magazine article by L0la L33tz. To use PGP to send an encrypted message, first import my keys:

gpg --recv-keys <KEY_FINGERPRINT>

Or if you configured to access your keys via a different keyserver such as OpenPGP, then run

gpg --keyserver hkps:// --recv-keys <KEY_FINGERPRINT>

To check whether the key import was successful, or to list all your keys along with their corresponding information such as expiry date and fingerprint:

gpg --list-keys

To encrypt a message:

gpg -ae -r <KEY_ALIAS_FROM_LIST>

then and hit “enter.” Write your message in plain text, such as “Hello PGP,” then end the message with CTRL+D. It's best to include your own PGP fingerprint in the message which you can see from the key list from the command above

Next, a PGP message block should appear on your screen. Copy/paste this message including “BEGIN PGP MESSAGE” and “END PGP MESSAGE” into any public forum or messenger of your choice, sending an encrypted message over the open internet, only readable by its designated recipient. For example, you could now send this message to me via Twitter direct message, post it publicly on GitHub or share it in a public Telegram group of which I am a part.

To decrypt a message:

gpg -d

and copy/paste the encrypted message text, including “BEGIN PGP MESSAGE” and “END PGP MESSAGE.” The message should then be resolved to plain text. Et voila, you are now set to communicate in private with your counterparties over the open internet, giving law enforcement no chance to surveil the contents of your communication.

Keys and fingerprints

todo... openpgp4fpr URI scheme

Key servers

todo... HKP

Web Key Directories

Web Key Directories (WKD) provide an easy way to discover public keys through HTTPS. They provide an important piece to the infrastructure to improve the user experience for exchanging secure emails and files. In contrast to the public keyservers a Web Key Directory does not publish mail addresses. And it is an authoritative pubkey source for its domain. Following are some basic instructions on how to get WKD up and running based on this guide.

GPG allows a unique hash to be generated for an email address, for example the address is associated with the hash 4hg7tescntgcqaqebqanpuyfu975. This hash is then used as the filename of a file containing encrypted data of your PGP keys that is generated using your private key and served from a specific location within your email domain ( in the example).

There are two location formats under the domain that the file can be located, the first is:


The first format is tried first and if there is no such domain, then the second format is tried as a fall-back. But note that if the domain for the first method resolves (which will be the case if you have a wildcard domain), then the key must be available at the first URL format otherwise some WKD clients (such as gpg itself) will fail to look the key up. My preferred method is to server the key from both locations.

To obtain the hash for your email address, do the following gpg command from any host that has your private key on it, for example:

gpg --list-keys --with-wkd
pub   rsa2048/0x6BA55ED83ABAE1BB 2018-05-08 [SC] [expires: 2020-05-07]
      Key fingerprint = 74EC 8D3D A82A 79DA A25D  F10C 6BA5 5ED8 3ABA E1BB
uid                   [ultimate] Example Key <>
sub   rsa2048/0x3B5E7761615E2207 2018-05-08 [E] [expires: 2020-05-07]

Next you need to export your key to a file that uses that hash as its name:

gpg --export > 4hg7tescntgcqaqebqanpuyfu975

You then upload the generated file to your web-server ensuring that it is available under both URLs without any errors. Note that you must make sure that a CORS header is served along with the key:

add_header Access-Control-Allow-Origin * always;

To test that your key is available go to another machine that has gpg installed and has never seen your key and try locating it:

gpg --locate-key
gpg: key 6BA55ED83ABAE1BB: public key "Example Key <>" imported
gpg: Total number processed: 1
gpg:               imported: 1
uid [ unknown]
sub   rsa2048 2020-01-23 [E]

Decentralised proofs

todo... decentralised proofs and openpgp-proofs

--sig-notation {name=value}
--cert-notation {name=value}
-N, --set-notation {name=value}

    Put the name value pair into the signature as notation data. name must consist only of printable characters or spaces, and must contain a ’@’ character in the form (substituting the appropriate keyname and domain name, of course). This is to help prevent pollution of the IETF reserved notation namespace. The --expert flag overrides the ’@’ check. value may be any printable string; it will be encoded in UTF-8, so you should check that your --display-charset is set correctly. If you prefix name with an exclamation mark (!), the notation data will be flagged as critical (rfc4880: --sig-notation sets a notation for data signatures. --cert-notation sets a notation for key signatures (certifications). --set-notation sets both.

    There are special codes that may be used in notation names. "%k" will be expanded into the key ID of the key being signed, "%K" into the long key ID of the key being signed, "%f" into the fingerprint of the key being signed, "%s" into the key ID of the key making the signature, "%S" into the long key ID of the key making the signature, "%g" into the fingerprint of the key making the signature (which might be a subkey), "%p" into the fingerprint of the primary key of the key making the signature, "%c" into the signature count from the OpenPGP smartcard, and "%%" results in a single "%". %k, %K, and %f are only meaningful when making a key signature (certification), and %c is only meaningful when using the OpenPGP smartcard.

See also