Distributing OpenPGP Keys

Posted on 30 2026

A public key that nobody can find is not very useful. The point of distributing your public key is to allow others to send you encrypted mail, verify your signatures, and establish trust relationships with you. There are several ways to do this, each with different trade-offs around privacy, reliability, and ease of discovery. This page covers them all, from the simplest to the most robust.

Before distributing anything, make sure your key is in a clean state: correct UIDs, a photo if you want one, and subkeys properly configured. Once a key is on a public key server it is effectively permanent. You cannot delete it, only revoke it.

keys.openpgp.org

The modern replacement for the old SKS keyserver pool is keys.openpgp.org. The SKS pool, which the source material this series is based on still references, suffered from significant reliability and abuse problems and is no longer recommended. keys.openpgp.org is a vetted, privacy-respecting alternative that requires email verification before a key’s UID is made searchable.

Upload your public key:

gpg --keyserver hkps://keys.openpgp.org --send-keys $GPGKEY

After uploading, you will receive an email to the address associated with your key. Follow the verification link to make your UID searchable. Without this step, the key is stored but cannot be found by email address lookup, only by fingerprint.

To verify the upload:

env GNUPGHOME=$(mktemp --tmpdir --directory) \
    gpg --verbose --keyserver hkps://keys.openpgp.org \
    --search-keys $GPGKEY

Web Key Directory (WKD)

Web Key Directory is a standard for hosting your public key on a domain you control. When someone sends you an email from a WKD-aware mail client, the client automatically fetches your public key from your domain without any manual lookup. This is the most seamless distribution method for people who control their own domain.

WKD works by placing your key at a specific URL derived from your email address. For you@yourdomain.net, the key is served from:

https://yourdomain.net/.well-known/openpgpkey/hu/<hash>

Where <hash> is a z-base-32 encoded SHA-1 hash of the local part of your email address.

Generating the WKD hash

GPG can calculate the correct hash for you:

gpg --with-wkd-hash --fingerprint $GPGKEY

The output will include a line like:

[ultimate] (1). Your Name <you@yourdomain.net>
                 Hash: abc123defghi456jklmno789pqrstuvw
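To cross-check the hash gpg prints, here is a small Python implementation of the mapping the Web Key Directory draft specifies. This is an added example, not code from the original post or from GnuPG: the local part is lower-cased, hashed with SHA-1, and the 20-byte digest is z-base-32 encoded; the script also builds both lookup URLs a WKD client tries, the advanced method on the openpgpkey subdomain and the direct method on the domain itself. The addresses in it are placeholders.

```python
from __future__ import annotations

import hashlib
from urllib.parse import quote

# z-base-32 alphabet used by the WKD draft (this is not the RFC 4648 base32 alphabet)
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: MSB-first 5-bit groups, last group zero-padded, no '=' padding."""
    bits = "".join(f"{byte:08b}" for byte in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(ZBASE32_ALPHABET[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def split_address(email: str) -> tuple[str, str]:
    """Return (local_part, domain). The domain is lower-cased; the local part is kept as written."""
    local_part, sep, domain = email.rpartition("@")
    if not sep or not local_part or not domain:
        raise ValueError(f"not an email address: {email!r}")
    return local_part, domain.lower()


def wkd_hash(email: str) -> str:
    """WKD hashes the lower-cased local part with SHA-1; the 160-bit digest is exactly 32 z-base-32 characters."""
    local_part, _ = split_address(email)
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(email: str) -> dict[str, str]:
    """The two locations a WKD client looks up; the l= query carries the local part as written."""
    local_part, domain = split_address(email)
    h = wkd_hash(email)
    l = quote(local_part, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={l}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l}",
    }


if __name__ == "__main__":
    # placeholder address, not a real mailbox
    for method, url in wkd_urls("you@yourdomain.net").items():
        print(f"{method:9s} {url}")
```

Clients try the advanced method first and fall back to the direct method only when the openpgpkey subdomain does not resolve, so the file under hu/ has to match this hash exactly, and two addresses that differ only in the case of the local part share one file. GnuPG ships its own reference for both values: gpg-wks-client --print-wkd-hash you@yourdomain.net and gpg-wks-client --print-wkd-url you@yourdomain.net should agree with the output of this script.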

Exporting a minimal key for WKD

For WKD, export a minimal version of your key that contains only the UID relevant to the domain being served. This avoids leaking unnecessary identity information. WKD clients expect the binary form of the key, so the export is explicitly not ASCII-armored:

gpg --export-options export-minimal \
    --export-filter keep-uid="uid=~@yourdomain.net" \
    --no-armor --export $GPGKEY > yourdomain.net.gpg

Directory structure

Create the WKD directory on your web server:

mkdir -p /var/www/yourdomain.net/.well-known/openpgpkey/hu

Copy the exported key file to the correct location using the hash from earlier:

cp yourdomain.net.gpg \
    /var/www/yourdomain.net/.well-known/openpgpkey/hu/<hash>

Create a policy file (can be empty, but must exist):

touch /var/www/yourdomain.net/.well-known/openpgpkey/policy

Your web server needs to serve these files with the correct content type. Add the following to your nginx configuration for the domain:

location /.well-known/openpgpkey {
    default_type application/octet-stream;
    add_header Access-Control-Allow-Origin * always;
}

Verifying WKD

To verify WKD is working correctly:

env GNUPGHOME=$(mktemp --tmpdir --directory) \
    gpg --verbose --auto-key-locate clear,wkd \
    --locate-keys you@yourdomain.net

A successful result will show the key being fetched from your domain.
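The usual reasons this check fails are that the file under hu/ is not what a client expects: an ASCII-armored export instead of the binary one, an HTML error page the web server returned in place of the file, or a missing policy file. The following Python checker is an added example, not part of the original post; the key bytes in it are a constructed stub, not real key material. It inspects a served blob by decoding the first OpenPGP packet header (RFC 4880, section 4.2) and walks the directory layout described above.

```python
from __future__ import annotations

import tempfile
from pathlib import Path


def first_packet_tag(data: bytes) -> int | None:
    """Decode the first packet header (RFC 4880 section 4.2) and return its tag, or None if invalid.

    Bit 7 of the first byte must be set. Bit 6 distinguishes the new format (tag in bits 5..0)
    from the old format (tag in bits 5..2, length type in bits 1..0).
    """
    if not data or not data[0] & 0x80:
        return None
    ctb = data[0]
    if ctb & 0x40:
        return ctb & 0x3F
    return (ctb >> 2) & 0x0F


def check_wkd_blob(data: bytes) -> list[str]:
    """Return the problems found in a blob served from .well-known/openpgpkey/hu/; empty means OK."""
    problems = []
    stripped = data.lstrip()
    if stripped.startswith(b"-----BEGIN PGP"):
        problems.append("file is ASCII-armored; WKD requires the binary export (gpg --no-armor)")
        return problems
    if stripped[:1] == b"<":
        problems.append("file looks like HTML, probably an error page from the web server")
        return problems
    tag = first_packet_tag(data)
    if tag is None:
        problems.append("file does not start with an OpenPGP packet header")
    elif tag == 5:
        problems.append("first packet is a secret-key packet (tag 5): this file must not be published")
    elif tag != 6:
        problems.append(f"first packet has tag {tag}, expected a public-key packet (tag 6)")
    return problems


def check_wkd_layout(docroot: str | Path, hashed_name: str) -> list[str]:
    """Check the direct-method layout under a web root: the policy file plus hu/<hash>."""
    base = Path(docroot) / ".well-known" / "openpgpkey"
    problems = []
    if not (base / "policy").is_file():
        problems.append(f"missing policy file: {base / 'policy'}")
    key_file = base / "hu" / hashed_name
    if not key_file.is_file():
        problems.append(f"missing key file: {key_file}")
    else:
        problems.extend(check_wkd_blob(key_file.read_bytes()))
    return problems


# Constructed stubs: an old-format header for a public-key packet (0x99) followed by a two-byte
# length and a few bytes standing in for a version-4 body. Not real keys; only the header matters.
STUB_PUBLIC_KEY = b"\x99\x00\x08\x04" + b"\x00" * 7
STUB_SECRET_KEY = b"\x95\x00\x08\x04" + b"\x00" * 7   # same, but with the secret-key tag (5)
ARMORED_KEY = b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n...\n-----END PGP PUBLIC KEY BLOCK-----\n"


def demo_layout() -> list[str]:
    """Build a throwaway web root with the stub key and return the problems found (expected: none)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / ".well-known" / "openpgpkey"
        (base / "hu").mkdir(parents=True)
        (base / "policy").touch()
        (base / "hu" / "placeholderhash").write_bytes(STUB_PUBLIC_KEY)   # placeholder, not a real WKD hash
        return check_wkd_layout(tmp, "placeholderhash")


if __name__ == "__main__":
    for label, blob in [("binary", STUB_PUBLIC_KEY), ("armored", ARMORED_KEY), ("secret", STUB_SECRET_KEY)]:
        print(label, check_wkd_blob(blob) or "OK")
    print("layout", demo_layout() or "OK")
```

Run check_wkd_layout against the real web root after copying the file, and feed check_wkd_blob the bytes that curl actually receives from the public URL: the two differ whenever the web server rewrites the request, serves a directory listing, or answers with an error page at HTTP 200.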

DNS-based distribution

There are two DNS-based methods for distributing OpenPGP keys. Both require control of your domain’s DNS and, to be meaningful, ideally DNSSEC as well, since without a signed zone a client has no way to tell a genuine record from a spoofed one.

DANE / OPENPGPKEY

RFC 7929 defines the OPENPGPKEY DNS record type, which associates your public key with your email address via DNS. Like WKD, DANE-aware mail clients can use this to fetch your key automatically.

Generate the DNS record:

gpg --export-options export-dane \
    --export-filter keep-uid="uid=~@yourdomain.net" \
    --export $GPGKEY

The output is the DNS record content, ready to add to your zone file. If your DNS provider does not support the OPENPGPKEY type natively, the record is written in the generic form as TYPE61, the numeric type assigned to OPENPGPKEY.
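To see what goes into that record, here is an added Python example (not from the original post or from GnuPG). It derives the OPENPGPKEY owner name the way RFC 7929 specifies, the SHA-256 of the local part truncated to 28 octets and hex-encoded under _openpgpkey.<domain>, writes the RDATA in the RFC 3597 generic TYPE61 form mentioned above, and parses such a line back so you can confirm the zone entry carries exactly the bytes gpg exported. The local part is hashed as written; the key bytes are a constructed stub and the address is a placeholder.

```python
from __future__ import annotations

import hashlib
import re


def openpgpkey_owner(email: str) -> str:
    """RFC 7929 owner name: hex(SHA-256(local-part)[:28]) + '._openpgpkey.' + domain + '.'"""
    local_part, sep, domain = email.rpartition("@")
    if not sep or not local_part or not domain:
        raise ValueError(f"not an email address: {email!r}")
    digest = hashlib.sha256(local_part.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain.lower()}."


def generic_rdata(key_bytes: bytes) -> str:
    """RFC 3597 presentation format for a type the zone tooling does not know: TYPE61 \\# <len> <hex>."""
    return f"TYPE61 \\# {len(key_bytes)} {key_bytes.hex()}"


def openpgpkey_record(email: str, key_bytes: bytes, ttl: int = 3600) -> str:
    """A complete zone-file line for the exported (binary, minimal) public key."""
    return f"{openpgpkey_owner(email)} {ttl} IN {generic_rdata(key_bytes)}"


# hex data may be spread over several lines inside parentheses, as zone files allow
_GENERIC = re.compile(r"TYPE61\s+\\#\s+(\d+)\s+([0-9A-Fa-f\s()]*)\s*$")


def parse_generic_rdata(line: str) -> bytes:
    """Recover the key bytes from a TYPE61 generic-format record and check the declared length."""
    m = _GENERIC.search(line)
    if m is None:
        raise ValueError("not a TYPE61 generic-format record")
    declared = int(m.group(1))
    data = bytes.fromhex(re.sub(r"[\s()]", "", m.group(2)))
    if len(data) != declared:
        raise ValueError(f"declared length {declared} but found {len(data)} bytes of hex data")
    return data


if __name__ == "__main__":
    # constructed stub standing in for `gpg --no-armor --export` output; not a real key
    stub_key = b"\x99\x00\x08\x04" + bytes(range(7))
    record = openpgpkey_record("you@yourdomain.net", stub_key)   # placeholder address
    print(record)
    print("round trip OK" if parse_generic_rdata(record) == stub_key else "MISMATCH")
```

A real public key with several UIDs and signatures easily runs to kilobytes, which is why the export above keeps the key minimal and filtered to one UID: the RDATA must still fit a DNS answer, and large records are the first thing to suspect when a DANE lookup works with dig over TCP but not from a mail client.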

DNS CERT (PKA)

An older method using standard DNS CERT records. Less widely supported than DANE but worth knowing about. Generate the DNS records:

gpg --export-options export-pka \
    --export-filter keep-uid="uid=~@yourdomain.net" \
    --export $GPGKEY

Add the output to your zone file as a CERT record.

Direct URL distribution

The simplest method: host your public key at a memorable URL and share it directly. This requires no special server configuration and is the most accessible option for people who want to verify a key without using key server infrastructure.

Export your public key in ASCII armored format:

gpg --armor --export $GPGKEY > $GPGKEY.asc

Upload this file somewhere accessible, such as your personal website:

https://yourdomain.net/$GPGKEY.asc

Anyone can then import it directly (and should still compare the fingerprint against one obtained out of band, since the URL alone proves nothing about who controls the key):

gpg --fetch-keys https://yourdomain.net/$GPGKEY.asc

QR code fingerprint

A useful complement to any of the above methods: a QR code encoding your key fingerprint in the OPENPGP4FPR: format. This allows others to scan your fingerprint from a business card or website profile with a smartphone, without typing a long hexadecimal string.

Get your full fingerprint:

gpg --fingerprint $GPGKEY

The string to encode in the QR code is:

OPENPGP4FPR:YOURKEYFINGERPRINT

Where YOURKEYFINGERPRINT is your fingerprint with spaces removed and all letters in uppercase. Any QR code generator will produce the image from this string. Print it on business cards, add it to your website footer, include it in your email signature.
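A scanned QR code is input from outside your control, so it is worth validating the string before handing it to gpg --recv-keys or comparing it against a key. The Python below is an added example, not from the original post: it pulls the fingerprint out of gpg --fingerprint output (the sample output is constructed and the fingerprint in it is not a real key), builds the OPENPGP4FPR: payload as described above, and parses a scanned payload back, accepting only a well-formed 40-hex-digit v4 fingerprint.

```python
from __future__ import annotations

import re

# Constructed sample of `gpg --fingerprint` output; the fingerprint is made up, not a real key.
SAMPLE_GPG_OUTPUT = """\
pub   ed25519 2024-01-01 [SC]
      1234 5678 9ABC DEF0 1234  5678 9ABC DEF0 1234 5678
uid           [ultimate] Your Name <you@yourdomain.net>
sub   cv25519 2024-01-01 [E]
"""

PREFIX = "OPENPGP4FPR:"
# gpg prints a v4 fingerprint as ten groups of four hex digits; older versions prefix "Key fingerprint = "
_FPR_LINE = re.compile(
    r"^\s*(?:Key fingerprint = )?((?:[0-9A-Fa-f]{4}\s+){9}[0-9A-Fa-f]{4})\s*$", re.MULTILINE
)
_FPR_STRICT = re.compile(r"^[0-9A-F]{40}$")


def normalize_fingerprint(text: str) -> str:
    """Remove whitespace and upper-case; raise if the result is not a 40-hex-digit v4 fingerprint."""
    fpr = re.sub(r"\s+", "", text).upper()
    if not _FPR_STRICT.match(fpr):
        raise ValueError(f"not a v4 OpenPGP fingerprint: {text!r}")
    return fpr


def extract_fingerprints(gpg_output: str) -> list[str]:
    """All fingerprints printed by gpg --fingerprint, normalized to 40 upper-case hex digits."""
    return [normalize_fingerprint(m.group(1)) for m in _FPR_LINE.finditer(gpg_output)]


def qr_payload(fingerprint: str) -> str:
    """The string to encode in the QR code: OPENPGP4FPR: plus the spaceless upper-case fingerprint."""
    return PREFIX + normalize_fingerprint(fingerprint)


def parse_qr_payload(scanned: str) -> str:
    """Validate a scanned payload: case-insensitive prefix, then a strict v4 fingerprint; returns the fingerprint."""
    scanned = scanned.strip()
    if scanned[:len(PREFIX)].upper() != PREFIX:
        raise ValueError("payload does not start with OPENPGP4FPR:")
    return normalize_fingerprint(scanned[len(PREFIX):])


def is_valid_qr_payload(scanned: str) -> bool:
    try:
        parse_qr_payload(scanned)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for fpr in extract_fingerprints(SAMPLE_GPG_OUTPUT):
        payload = qr_payload(fpr)
        print(payload, "->", parse_qr_payload(payload))
```

Rejecting anything that is not exactly forty hex digits matters because gpg will happily treat a shorter string as a key ID, and short IDs are easy to collide; always match on the full fingerprint.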

A note on key server privacy

Keys uploaded to key servers, including keys.openpgp.org, are public and permanent. The UID on your key, including your name and email address, becomes part of a public record. Think about what you put in your key’s UID before uploading it. You cannot remove it later, only revoke the key entirely.

Keys.openpgp.org mitigates some of this by requiring email verification before UIDs are made searchable, but the key itself is still publicly retrievable by fingerprint once uploaded.

Distributing a key is a one-way door. Revocation is possible. Removal is not. Make sure the key is in the state you want it before it goes anywhere public.