PGP (Pretty Good Privacy) is actually the name of the original encryption program that provides cryptographic privacy and authentication for data communication and was developed by Phil Zimmermann in 1991. But these days PGP more commonly refers to the open internet standards which encapsulate this original functionality, OpenPGP and GNU Privacy Guard (GPG). In this article we refer exclusively to using PGP functionality via GPG.
Setting up WKD for PGP
WKDs (Web Key Directories) provide an easy way to discover public keys through HTTPS. They provide an important piece to the infrastructure to improve the user experience for exchanging secure emails and files. In contrast to the public keyservers a Web Key Directory does not publish mail addresses. And it is an authoritative pubkey source for its domain. Following are some basic instructions on how to get WKD up and running based on this metacode.biz guide, see also his article on decentralised proofs which is really interesting.
GPG allows a unique hash to be generated for an email address, for example the address email@example.com is associated with the hash 4hg7tescntgcqaqebqanpuyfu975. This hash is then used as the filename of a file containing encrypted data of your PGP keys that is generated using your private key and served from a specific location within your email domain (example.org in the example).
There are two location formats under the domain that the file can be located, the first is:
The first format is tried first and if there is no such domain, then the second format is tried as a fall-back. But note that if the domain for the first method resolves (which will be the case if you have a wildcard domain), then the key must be available at the first URL format otherwise some WKD clients (such as gpg itself) will fail to look the key up. My preferred method is to server the key from both locations.
To obtain the hash for your email address, do the following gpg command from any host that has your private key on it, for example:
gpg --list-keys --with-wkd firstname.lastname@example.org
pub rsa2048/0x6BA55ED83ABAE1BB 2018-05-08 [SC] [expires: 2020-05-07] Key fingerprint = 74EC 8D3D A82A 79DA A25D F10C 6BA5 5ED8 3ABA E1BB uid [ultimate] Example Key <email@example.com> firstname.lastname@example.org sub rsa2048/0x3B5E7761615E2207 2018-05-08 [E] [expires: 2020-05-07]
Next you need to export your key to a file that uses that hash as its name:
gpg --export email@example.com > 4hg7tescntgcqaqebqanpuyfu975
You then upload the generated file to your web-server ensuring that it is available under both URLs without any errors. Note that you must make sure that a CORS header is served along with the key:
add_header Access-Control-Allow-Origin * always;
To test that your key is available go to another machine that has gpg installed and has never seen your key and try locating it:
gpg --locate-key firstname.lastname@example.org
gpg: key 6BA55ED83ABAE1BB: public key "Example Key <email@example.com>" imported gpg: Total number processed: 1 gpg: imported: 1 uid [ unknown] firstname.lastname@example.org sub rsa2048 2020-01-23 [E]