Questions about OpenPGP best practices

Doug Barton dougb at
Tue Feb 26 07:43:33 CET 2013

On 02/25/2013 02:54 PM, Peter Loshin wrote:
> Many thanks to Daniel Kahn Gillmor for pointing to the best practices
> page (;
> this information is very helpful.
> Some questions about the information on this page:
> 1. "Don't use". Which keyserver *should* be used? I assume
> that a pool is better than a particular server; is there one
> particular pool that is preferred? What about

Yes, that's a good one, and generally preferred.

> 2. On keeping an encrypted backup of my secret key material, what
> method is recommended for doing that? (Presumably something like "gpg
> --export-secret-keys | gpg --output secretkeymatter.gpg --symmetric"?)

If you're using a pass phrase, your key is already encrypted. Just save 
it somewhere safe.

> 3. On using a keyserver with HKPS support: when I attempt to connect
> (via Chrome) to, I get an error headlined
> "The site's security certificate is not trusted!", stating " the
> server presented a certificate issued by an entity that is not trusted
> by your computer's operating system."

Yeah, they are using a self-signed certificate. A very dodgy decision in 
an era where there are a non-zero number of widely accepted CAs that 
will give out free certificates.

> 4. When I try to use hkps://

The Best Practices page you posted above actually suggests:

   keyserver hkps://
   keyserver-options ca-cert-file=/path/to/CA/sks-keyservers.netCA.pem

That worked for me, although I was a bit disappointed that placing the 
cert at /etc/ssl/certs/ didn't work 
like all the docs said it should.

Does anyone know where/how to place the cert file on the system so that 
it can be called by demand, rather than having to specify it in the 

> with GnuPG at the
> command line, I get these messages:
> gpgkeys: HTTP post error 1: unsupported protocol
> gpg: keyserver internal error
> gpg: keyserver send failed: Keyserver error
> And when I try the same with the domain name only (
> I get these messages:
> : can't connect to `': No route to host
> gpgkeys: HTTP post error 7: couldn't connect: No route to host
> gpg: keyserver internal error
> gpg: keyserver send failed: Keyserver error
> My question would be, am I doing something wrong or is the service unavailable?

You're doing something wrong. :)  Follow the doc more closely.
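
A worked version of the two practical points in this exchange (the pinned-CA keyserver config and the encrypted backup of secret key material), written as an added example for this thread rather than code from the original posts or from GnuPG. It assumes gpg (1.4 or 2.x) is on PATH for the backup step; the hostname keys.example.invalid and the CA file path are placeholders, not the real pool or the real sks-keyservers.net CA.

```sh
#!/bin/sh
# Added example; not code from the thread or from the GnuPG project.
# Assumptions: gpg is on PATH for backup_secret_keys; "keys.example.invalid"
# and the PEM path are placeholders for whatever HKPS pool and CA you use.
set -eu

# Write a gpg.conf fragment with the two lines quoted in the thread
# (keyserver hkps://... and keyserver-options ca-cert-file=...), but refuse
# to write a config that points at a CA file gpg would not be able to open
# or that is not a PEM certificate at all.
write_keyserver_conf() {
    conf="$1"; host="$2"; cacert="$3"
    if [ ! -r "$cacert" ]; then
        echo "CA certificate not readable: $cacert" >&2
        return 1
    fi
    if ! grep -q 'BEGIN CERTIFICATE' "$cacert"; then
        echo "not a PEM certificate: $cacert" >&2
        return 1
    fi
    printf 'keyserver hkps://%s\nkeyserver-options ca-cert-file=%s\n' \
        "$host" "$cacert" > "$conf"
}

# Encrypted backup of secret key material, as the original poster proposed:
# export, then wrap the export in a symmetric layer with its own passphrase.
# The secret parameters are already protected by the key's passphrase (the
# point made in the reply); the outer layer additionally hides the user IDs
# and key IDs that a plain export leaves in the clear. The final check reads
# the file back and confirms it parses as a symmetrically encrypted OpenPGP
# message, so the backup is verified before it is relied on.
backup_secret_keys() {
    out="$1"
    gpg --export-secret-keys | gpg --output "$out" --symmetric
    gpg --list-packets "$out" | grep -q 'symkey enc packet'
}

# Demonstration of the config writer using a constructed (not real) PEM file
# in a temporary directory; the backup function is left for interactive use.
demo_dir=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nconstructedNotARealCertificate\n-----END CERTIFICATE-----\n' \
    > "$demo_dir/sks-ca.pem"
write_keyserver_conf "$demo_dir/gpg.conf" keys.example.invalid "$demo_dir/sks-ca.pem"
cat "$demo_dir/gpg.conf"
```

backup_secret_keys is not run automatically because both gpg invocations prompt for passphrases; source the file and call `backup_secret_keys secretkeymatter.gpg` when you want the backup, and copy the resulting file somewhere safe as the reply suggests.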


More information about the Gnupg-users mailing list