Setting up easy PGP key autodiscovery with Web Key Directory

19th July 2023 from jc's blog

What if you could enter somebody’s email address and, if that person had a PGP key, your client would automatically pick it up? Web Key Directory (WKD) lets you set up exactly that.[1] This blog post explains how to set it up for the case where you have access to the web server of your email domain.

First off, make sure you have no wildcard DNS entry covering all of your domain’s subdomains. More specifically, if your email address is me@example.com (even if your mail server is mail.example.com), make sure there is no wildcard DNS record for *.example.com. The reason is that a client first looks for the key on the openpgpkey.example.com subdomain (the so-called advanced method) and only falls back to example.com itself (the direct method) when that subdomain does not resolve; a wildcard makes it resolve, so the client keeps querying a host that does not serve the key. If you do have a wildcard, you need a slightly different setup I won’t cover here.

To set it up, first run gpg --list-keys --with-wkd-hash $EMAIL. It should output something like this:

pub   rsa4096 2018-05-29 [SC]
      8C05D0E98B7914EDEBDCC8CC8E8E09282F2E17AF
uid           [ultimate] Johannes Christ <jc@jchri.st>
              9gzecbg6yfxg9ojkd465hhz1ckhadezs@jchri.st
sub   rsa4096 2018-05-29 [E]

Note down the output on line 5, the indented line under uid that ends in @ and your domain, specifically the part in front of the @ sign: that is the WKD hash of your address. You will need it in a moment. In your web server root:

Now to test it, use gpg --homedir "$(mktemp -d)" --verbose --locate-keys $EMAIL. It should output something like the following:

gpg: auto-key-locate found fingerprint 8C05D0E98B7914EDEBDCC8CC8E8E09282F2E17AF
gpg: automatically retrieved 'jc@jchri.st' via WKD
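To make the three steps above concrete, here is an added example in Python that is not part of the original post: it computes the WKD hash the same way gpg does (SHA-1 over the lowercased local part, encoded in z-base-32), builds the two URLs a client will try (advanced method first, direct method second), and lays out the direct-method files under a web root. The function names, the jc@example.com address, the temporary web root and the placeholder key bytes are assumptions of this example; a real deployment feeds it the binary output of `gpg --export $EMAIL` (no `--armor`).

```python
"""Added example: compute the WKD hash for an address and lay out the
direct-method files under a web root.  Function names, the example.com
address and the placeholder key bytes are assumptions of this example."""
import hashlib
import tempfile
from pathlib import Path

# z-base-32 alphabet, the same table GnuPG uses for WKD hashes
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32, consuming 5-bit groups most-significant bit first.

    A 20-byte SHA-1 digest is 160 bits, so it maps to exactly 32 symbols with
    no padding.  Shorter inputs are right-padded with zero bits.
    """
    nbits = len(data) * 8
    nsyms = (nbits + 4) // 5
    value = int.from_bytes(data, "big") << (nsyms * 5 - nbits)
    return "".join(
        ZBASE32_ALPHABET[(value >> (5 * (nsyms - 1 - i))) & 0x1F]
        for i in range(nsyms)
    )


def wkd_hash(local_part: str) -> str:
    """WKD hash: z-base-32 of SHA-1 over the lowercased local part.

    This is the string gpg prints before the @ sign with --with-wkd-hash.
    """
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(email: str) -> dict:
    """The URLs a client tries for `email`: the advanced method on the
    openpgpkey.<domain> subdomain first, then the direct method on the domain.
    The ?l= query carries the original, un-hashed local part."""
    local, domain = email.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local)
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={local}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={local}",
    }


def is_armored(key_bytes: bytes) -> bool:
    """WKD requires the binary key export; an ASCII-armored file will not be found."""
    return key_bytes.lstrip().startswith(b"-----BEGIN PGP")


def deploy_direct(webroot, email: str, key_bytes: bytes) -> dict:
    """Write the direct-method layout under `webroot`:
        .well-known/openpgpkey/policy     (may be empty, but must exist)
        .well-known/openpgpkey/hu/<hash>  (binary, non-armored key export)
    Returns the paths written."""
    if is_armored(key_bytes):
        raise ValueError("key must be a binary export (gpg --export without --armor)")
    local, _domain = email.rsplit("@", 1)
    base = Path(webroot) / ".well-known" / "openpgpkey"
    hu = base / "hu"
    hu.mkdir(parents=True, exist_ok=True)
    policy = base / "policy"
    policy.touch()
    key_path = hu / wkd_hash(local)
    key_path.write_bytes(key_bytes)
    return {"policy": str(policy), "key": str(key_path)}


def demo() -> dict:
    """Lay out the files in a temporary directory using a constructed
    placeholder instead of a real key, and return what was written."""
    webroot = tempfile.mkdtemp(prefix="wkd-demo-")
    fake_key = b"\x99\x00\x00"  # constructed placeholder, NOT a real OpenPGP key
    written = deploy_direct(webroot, "jc@example.com", fake_key)
    written["hash"] = wkd_hash("jc")
    written["urls"] = wkd_urls("jc@example.com")
    return written


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

For a real deployment, replace the placeholder with `gpg --export $EMAIL` output, serve the hu/ files as application/octet-stream, and check the wildcard condition from the start of the post with something like `dig +short some-random-label.example.com`, which should return nothing. The `--locate-keys` test above then confirms the file landed where the client looks.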

See the official documentation for more guidance.


[1] I know that keyservers also fit this bill, but the key difference with WKD is that the key directory is intended to be deployed on the same server hosting the e-mail server in a decentralized manner without relying on a central keyserver.
