Hosting a Web Key Directory

Andre Heinecke aheinecke at intevation.de
Thu Oct 27 17:33:45 CEST 2016


Hi!

I just published how to host your own Web Key Directory on the gnupg blog.

Find below a plain text version of my blog entry
https://gnupg.org/blog/20161027-hosting-a-web-key-directory.html

 Andre


1 Hosting a Web Key Directory
═════════════════════════════

  With the improvements in GnuPG for Key Discovery (see: [Key Discovery
  Made Simple]) you may want to provide the OpenPGP keys for your
  domain. The Web Key Service (WKS) describes a protocol for Mail
  Service Providers or large organisations to maintain a Web Key
  Directory (WKD) for their users.

  A Web Key Directory is a static collection of keys provided under well
  known URLs under your domain. This directory can also be manually
  generated without using the Web Key Service protocol.


  By providing a Web Key Directory other people (or their Mail Software)
  can obtain the OpenPGP keys for your domain with a simple query like:

  ┌────
  │ $ gpg --auto-key-locate wkd --locate-keys <mail address>
  └────

  In this note, I explain how to do that.


  Note: An updated version of this article may be available in the
  [GnuPG Wiki]


  [Key Discovery Made Simple]
  https://www.gnupg.org/blog/20160830-web-key-service.html

  [GnuPG Wiki]
  https://wiki.gnupg.org/WKD#Hosting%20a%20Web%20Key%20Directory


1.1 Requirements
────────────────

  • A web server that provides https with a trusted certificate for your
    domain.
  • A client machine with Python and PyME installed (Debian package
    python-pyme)
  • The script: [generate-openpgpkey-hu] (in the [Mercurial repository
    "wkd-tools"])


  [generate-openpgpkey-hu]
  https://hg.intevation.de/gnupg/wkd-tools/raw-file/default/generate-openpgpkey-hu

  [Mercurial repository "wkd-tools"]
  https://hg.intevation.de/gnupg/wkd-tools/


1.2 Setup
─────────

  You can either export all the keys in your keyring that belong to a
  domain or provide an explicit keyring containing just those keys that
  you want to publish.

  The call:

  ┌────
  │ $ ./generate-openpgpkey-hu example.com hu
  └────


  will create a directory called hu containing all the keys with user
  ids that include @example.com.

  If there are multiple valid keys for a user in your keyring this
  command will error out. In that case you can prepare a keyring with
  only the keys that you want to publish. For example:

  ┌────
  │ $ gpg --export 94A5C9A03C2FE5CA3B095D8E1FDF723CF462B6B1 | \
  │ >   gpg --no-default-keyring --keyring ./wkd-keyring.gpg --import
  └────

  And then provide that keyring to generate-openpgpkey-hu:

  ┌────
  │ ./generate-openpgpkey-hu example.com hu wkd-keyring.gpg
  └────


1.3 Publishing
──────────────

  The hu directory has to be published on your server as

  ┌────
  │ https://example.com/.well-known/openpgpkey/hu/
  └────

  Create the directory structure and set the permissions accordingly.
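  The generate-openpgpkey-hu script names each key file in hu after the
  address it belongs to. The following is an added example, not code from
  the blog post or the wkd-tools repository: it implements that mapping as
  the WKD draft specifies it (SHA-1 over the local part with ASCII
  upper-case mapped to lower-case, z-base-32 encoded), builds the URL that
  gpg requests, and checks that a generated hu directory holds a binary
  (not ASCII-armored) key file for each address you expect to publish.

```python
import hashlib
import os

# z-base-32 alphabet as used by the WKD draft for the hashed local part
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: MSB-first 5-bit groups, zero-padded at the end."""
    bits = "".join(f"{byte:08b}" for byte in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(ZBASE32_ALPHABET[int(bits[i:i + 5], 2)]
                   for i in range(0, len(bits), 5))


def wkd_hash(local_part: str) -> str:
    """File name of a key in hu/: SHA-1 of the local part (ASCII upper-case
    mapped to lower-case), z-base-32 encoded -> 160 bits, 32 characters."""
    mapped = "".join(c.lower() if "A" <= c <= "Z" else c for c in local_part)
    return zbase32_encode(hashlib.sha1(mapped.encode("utf-8")).digest())


def wkd_direct_url(address: str) -> str:
    """URL that gpg --auto-key-locate wkd requests (direct method);
    current gpg versions also pass the local part as the l= parameter."""
    local_part, domain = address.rsplit("@", 1)
    return (f"https://{domain.lower()}/.well-known/openpgpkey/hu/"
            f"{wkd_hash(local_part)}?l={local_part}")


def looks_like_binary_key(data: bytes) -> bool:
    """WKD requires binary key files: the first byte must be an OpenPGP packet
    tag (high bit set), not the '-' of an ASCII-armored '-----BEGIN' block."""
    return len(data) > 0 and data[0] & 0x80 == 0x80


def check_hu_dir(hu_dir: str, addresses: list) -> list:
    """Report addresses whose key file is missing or not binary in hu_dir."""
    problems = []
    for address in addresses:
        path = os.path.join(hu_dir, wkd_hash(address.rsplit("@", 1)[0]))
        if not os.path.isfile(path):
            problems.append(f"{address}: missing {path}")
            continue
        with open(path, "rb") as f:
            if not looks_like_binary_key(f.read(1)):
                problems.append(f"{address}: {path} is not a binary OpenPGP key")
    return problems
```

  Run check_hu_dir("hu", [...]) against the directory the script generated before you rsync it; an empty list means every listed address resolves to a binary key file.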

  This example [Makefile] automates the hu directory generation and
  publishing. Edit the variables at the top of the makefile to set
  `RSYNC_TARGET'. The `KEYRING' variable is optional and can be left
  empty.

  That's it. You can now test your setup by calling:

  ┌────
  │ $ gpg --auto-key-locate wkd --locate-keys <mail address>
  └────

  you should see something like this:

  ┌────
  │ gpg: key AC12F94881D28CB7: public key "testuser10@test.gnupg.org" imported
  │ gpg: Total number processed: 1
  │ gpg:               imported: 1
  │ gpg: automatically retrieved 'testuser10@test.gnupg.org' via WKD
  │ pub   ed25519 2016-07-15 [SC]
  │       5506894357DC548CC65B0BCFAC12F94881D28CB7
  │ uid           [ unknown] testuser10@test.gnupg.org
  │ sub   cv25519 2016-07-15 [E]
  └────


  [Makefile]
  https://hg.intevation.de/gnupg/wkd-tools/raw-file/default/Makefile.example