Setting up easy PGP key autodiscovery with Web Key Directory

19th July 2023 from jc's blog

What if you could enter somebody’s email, and if that person had a PGP key, your client would automatically choose it? Web Key Directory (WKD) allows you to set up exactly that.1 This blog post explains how to set it up for the case where you have access to the web server of your email domain.

First off, make sure you have no wildcard DNS entry for all your server’s subdomains. More specifically, if your email address is (even if your mail server is, make sure you don’t have a wildcard DNS entry for * If you do, you need to do a slightly different setup I won’t cover here.

To set it up, first run gpg --list-keys --with-wkd-hash $EMAIL. It should output something like this:

pub   rsa4096 2018-05-29 [SC]
uid           [ultimate] Johannes Christ <>
sub   rsa4096 2018-05-29 [E]

Note down the output on line 5, specifically the part in front of your @ sign. You will need it in a moment. In your web server root:

Now to test it, use gpg --homedir "$(mktemp -d)" --verbose --locate-keys $EMAIL. It should output something like the following:

gpg: auto-key-locate found fingerprint 8C05D0E98B7914EDEBDCC8CC8E8E09282F2E17AF
gpg: automatically retrieved '' via WKD

See the official documentation for more guidance.

  1. I know that keyservers also fit this bill, but the key difference with WKD is that the key directory is intended to be deployed on the same server hosting the e-mail server in a decentralized manner without relying on a central keyserver. ↩︎

reply via email