blog | ~bdeshi

tilde adventures wanderings.

setting up gpg web key directory

February 21, 2020 — ~bdeshi

so we know that keyservers were badly done. however, sharing gpg keys seems like a big hassle if we stop using keyservers.

but if you have your own web domain, then it becomes almost too easy, with gpg wkd.

the web key directory protocol basically means that gpg takes the email address from a key's user id, and retrieves the key directly from the domain part of that address.

so setting up a web key directory requires that you have your own domain and an email address at that domain. tough luck for *@gmail.com users (unless you can hack into the gmail.com server root! ;) )

so anyway, here's how to do it:

get the WKD hash of your gpg key:

$ gpg --fingerprint --with-wkd-hash 0xDEADCODEBAADCODE

which outputs

pub   rsa2048 2020-02-20 [SC]
      A52A 51D0 8ECD D98D 0D72  559D DEAD CODE BAAD CODE
uid           [ultimate] YOURNAME <main@YOURDOMAIN.tld>
              rzufz5uv2a9bq7youre9cool1pal6yqh@YOURDOMAIN.tld
sub   rsa2048 2020-02-20 [E]

the meaningless string up to the @ on line 4 is your hash.

you have to export your public key into a file with that hash as its name. the file must be the binary export: the wkd spec does not allow an ascii-armored (-a) key here, so leave that flag off:

$ gpg --output rzufz5uv2a9bq7youre9cool1pal6yqh --export 0xDEADCODEBAADCODE

great! now create a .well-known/openpgpkey/hu folder in your web server's public_html aka webroot. make sure directory indexing is disabled for this location in your web server.

then paste the exported public key file as is into that hu folder.

also, you have to create an empty file called policy beside that hu folder.

so these URLs should point to those two files:

https://YOURDOMAIN.tld/.well-known/openpgpkey/hu/rzufz5uv2a9bq7youre9cool1pal6yqh
https://YOURDOMAIN.tld/.well-known/openpgpkey/policy

and that's done!
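if you want to check your own setup without gpg, here's an added example (my own code, not from gpg) that does what gpg does behind the scenes: sha1 the lowercased local part of the address, z-base-32 it, and build the hu url. it also tells you whether a fetched hu file is the binary export the spec wants or an armored one. the Joe.Doe@Example.ORG test vector is the one from the wkd draft.

```python
import hashlib

# z-base-32 alphabet used by WKD (draft-koch-openpgp-webkey-service)
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """encode bytes as z-base-32: 5 bits per char, msb first, no padding."""
    nbits = len(data) * 8
    pad = (-nbits) % 5                 # right-pad so the bit count divides by 5
    bits = int.from_bytes(data, "big") << pad
    nchars = (nbits + pad) // 5
    return "".join(ZB32[(bits >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def wkd_hash(email: str) -> str:
    """the 'meaningless string' gpg prints: sha1 of the lowercased local part, z-base-32."""
    local = email.rsplit("@", 1)[0].lower()
    return zbase32(hashlib.sha1(local.encode("utf-8")).digest())


def wkd_direct_url(email: str) -> str:
    """direct-method url, i.e. the .well-known path on the mail domain itself."""
    domain = email.rsplit("@", 1)[1].lower()
    return f"https://{domain}/.well-known/openpgpkey/hu/{wkd_hash(email)}"


def key_file_kind(blob: bytes) -> str:
    """classify a fetched hu file: WKD requires a binary key, not an armored one."""
    if blob.startswith(b"-----BEGIN PGP PUBLIC KEY BLOCK-----"):
        return "armored"
    # binary openpgp: first byte has bit 7 set; bit 6 picks new/old packet header
    # format, and a public key file starts with a public-key packet (tag 6)
    if blob and blob[0] & 0x80:
        tag = blob[0] & 0x3F if blob[0] & 0x40 else (blob[0] >> 2) & 0x0F
        return "binary" if tag == 6 else "binary, but not a public-key packet first"
    return "unknown"


if __name__ == "__main__":
    addr = "Joe.Doe@Example.ORG"       # test vector from the wkd draft
    print(wkd_hash(addr), wkd_direct_url(addr))
    with open("rzufz5uv2a9bq7youre9cool1pal6yqh", "rb") as f:  # your exported file
        print(key_file_kind(f.read()))
```

point `key_file_kind` at the file you put in hu (or at what curl fetches from the url) and it should say "binary".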

now anyone can do:

$ gpg --locate-key main@YOURDOMAIN.tld

and they're going to get your public key straight from the horse's mouth, so to speak.

isn't this cool?

Tags: gpg, security, web