Hosting a Web Key Directory

Andre Heinecke aheinecke at
Thu Oct 27 17:33:45 CEST 2016


I just published how to host your own Web Key Directory on the gnupg blog.

Find below a plain text version of my blog entry.


1 Hosting a Web Key Directory

  With the improvements in GnuPG for Key Discovery (see: [Key Discovery
  Made Simple]) you may want to provide the OpenPGP keys for your
  domain. The Web Key Service (WKS) describes a protocol for Mail
  Service Providers or large organisations to maintain a Web Key
  Directory (WKD) for their users.

  A Web Key Directory is a static collection of keys provided under well
  known URLs under your domain. This directory can also be manually
  generated without using the Web Key Service protocol.

  By providing a Web Key Directory other people (or their Mail Software)
  can obtain the OpenPGP keys for your domain with a simple query like:

  │ $ gpg --auto-key-locate wkd --locate-keys <mail address>

  In this note, I explain how to do that.

  Note: An updated version of this article may be available in the
  [GnuPG Wiki]

  [Key Discovery Made Simple]

  [GnuPG Wiki]

1.1 Requirements

  • A web server that provides https with a trusted certificate for your
  • A client machine with Python and PyME installed (debian package
  • The script: [generate-openpgpkey-hu] (in the [Mercurial repository


  [Mercurial repository "wkd-tools"]

1.2 Setup

  You can either export all the keys in your keyring that belong to a
  domain or provide an explicit keyring containing just those keys that
  you want to publish.

  The call:

  │ $ ./generate-openpgpkey-hu hu

  will create a directory called hu containing all the keys with user
  ids that include

  If there are multiple valid keys for a user in your keyring this
  command will error out. In that case you can prepare a keyring with
  only the keys that you want to publish. For example:

  │ $ gpg --export 94A5C9A03C2FE5CA3B095D8E1FDF723CF462B6B1 | \
  │ >   gpg --no-default-keyring --keyring ./wkd-keyring.gpg --import

  And then provide that keyring to generate-openpgpkey-hu:

  │ $ ./generate-openpgpkey-hu hu wkd-keyring.gpg

1.3 Publishing

  The hu directory has to be published on your server as


  Create the directory structure and set the permissions accordingly.
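  As an added example (not part of the original post and not the
  generate-openpgpkey-hu script itself), the following Python shows how
  the file names in the hu directory are derived and how a client builds
  the lookup URL, assuming the scheme of the WKD draft: lowercase the
  local part of the address, hash it with SHA-1 and z-base-32 encode the
  digest. The sample addresses are constructed; the helper that reports
  missing entries is a hypothetical check for a generated hu directory.

```python
import hashlib

# z-base-32 alphabet used by the Web Key Directory draft (32 symbols)
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per character, most significant first."""
    value = int.from_bytes(data, "big")
    nbits = len(data) * 8
    pad = (-nbits) % 5          # pad the bit string up to a multiple of 5
    value <<= pad
    nbits += pad
    return "".join(ZB32_ALPHABET[(value >> shift) & 31]
                   for shift in range(nbits - 5, -1, -5))


def wkd_hu_name(local_part: str) -> str:
    """File name under hu/ for the local part of a mail address."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)   # 160 bits -> exactly 32 characters


def wkd_url(address: str) -> str:
    """Well-known URL a client fetches for this address (direct lookup)."""
    local, domain = address.rsplit("@", 1)
    return "https://%s/.well-known/openpgpkey/hu/%s" % (
        domain.lower(), wkd_hu_name(local))


def missing_hu_entries(addresses, present_names):
    """Addresses whose hu/ file is not in present_names, e.g. the result
    of os.listdir("hu") after running generate-openpgpkey-hu (hypothetical check)."""
    present = set(present_names)
    return [a for a in addresses
            if wkd_hu_name(a.rsplit("@", 1)[0]) not in present]


if __name__ == "__main__":
    # constructed sample addresses, not taken from the original post
    for addr in ("Joe.Doe@Example.ORG", "testuser10@example.org"):
        print(addr, "->", wkd_url(addr))
```

  Because only the lowercased local part is hashed, Joe.Doe@ and joe.doe@ map to the same file, which is what lets a client find the key without knowing the exact capitalisation.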

  This example [Makefile] automates the hu directory generation and
  publishing. Edit the variables at the top of the makefile to set
  `RSYNC_TARGET' The `KEYRING' variable is optional and can be left

  That's it. You can now test your setup by calling:

  │ $ gpg --auto-key-locate wkd --locate-keys <mail address>

  You should see something like this:

  │ gpg: key AC12F94881D28CB7: public key "testuser10 at" imported
  │ gpg: Total number processed: 1
  │ gpg:               imported: 1
  │ gpg: automatically retrieved 'testuser10 at' via WKD
  │ pub   ed25519 2016-07-15 [SC]
  │       5506894357DC548CC65B0BCFAC12F94881D28CB7
  │ uid           [ unknown] testuser10 at
  │ sub   cv25519 2016-07-15 [E]

Andre Heinecke |  ++49-541-335083-262  |
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner