What if you could enter somebody's email, and if that person had a PGP key, your client would automatically choose it? Web Key Directory (WKD) allows you to set up exactly that.[1] This blog post explains how to set it up for the case where you have access to the web server of your email domain.
First off, make sure you have no wildcard DNS entry for all your server's subdomains. More specifically, if your email address is at example.com (say your mail server is mail.example.com), make sure you don't have a wildcard DNS entry for *.example.com. WKD clients try the "advanced" lookup on openpgpkey.example.com first and only fall back to the "direct" lookup on example.com when that subdomain does not exist, so a wildcard would send them to the wrong host. If you do have one, you need a slightly different setup that I won't cover here.
To set it up, first run gpg --list-keys --with-wkd-hash $EMAIL. It should output something like this:
pub   rsa4096 2018-05-29 [SC]
      8C05D0E98B7914EDEBDCC8CC8E8E09282F2E17AF
uid           [ultimate] Johannes Christ <email@example.com>
              firstname.lastname@example.org
sub   rsa4096 2018-05-29 [E]
Note down the output on line 5 (the WKD hash), specifically the part in front of the @ sign. You will need it in a moment. In your web server root, run:

    mkdir -p static/.well-known/openpgpkey/hu
    gpg --export $EMAIL > static/.well-known/openpgpkey/hu/$HASH

Note that gpg --export without --armor writes the binary key, which is what WKD clients expect at that path.
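As an added example (not code from the original post), the following Python computes the WKD hash that gpg prints with --with-wkd-hash (z-base-32 of the SHA-1 over the lowercased local part) and the two URLs a client will fetch, so you can check the file name and path before copying the key into place. The Joe.Doe@Example.ORG test vector and both URL forms come from the WKD draft; the webroot argument mirroring the static/ directory above is an assumption.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet as used by WKD (Zooko's base32 variant, also in RFC 6189).
ZBASE32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32, most-significant bits first (20 bytes -> 32 chars)."""
    nbits = len(data) * 8
    value = int.from_bytes(data, "big")
    pad = (-nbits) % 5          # left-align the bit string to a multiple of 5 bits
    value <<= pad
    nbits += pad
    return "".join(ZBASE32[(value >> shift) & 0x1F]
                   for shift in range(nbits - 5, -1, -5))


def wkd_hash(email: str) -> str:
    """The hash gpg shows with --with-wkd-hash: z-base-32(SHA-1(lowercased local part))."""
    local, _, _domain = email.rpartition("@")
    return zbase32_encode(hashlib.sha1(local.lower().encode("utf-8")).digest())


def wkd_urls(email: str) -> dict:
    """URLs a WKD client tries: the advanced method first, then the direct method."""
    local, _, domain = email.rpartition("@")
    domain = domain.lower()
    h = wkd_hash(email)
    query = "?l=" + quote(local)   # the l= parameter carries the local part as written
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}{query}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}{query}",
    }


def wkd_export_path(email: str, webroot: str = "static") -> str:
    """Where 'gpg --export $EMAIL' must land for the direct method (webroot is an assumed layout)."""
    return f"{webroot}/.well-known/openpgpkey/hu/{wkd_hash(email)}"


if __name__ == "__main__":
    addr = "Joe.Doe@Example.ORG"   # test vector from the WKD draft
    print(wkd_hash(addr))          # iy9q119eutrkn8s1mk4r39qejnbu3n5q
    for kind, url in wkd_urls(addr).items():
        print(kind, url)
    print(wkd_export_path(addr))
```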
Now to test it, use gpg --homedir "$(mktemp -d)" --verbose --locate-keys $EMAIL. The fresh home directory ensures the key is really fetched over WKD rather than found in your keyring. It should output something like the following:

    gpg: auto-key-locate found fingerprint 8C05D0E98B7914EDEBDCC8CC8E8E09282F2E17AF
    gpg: automatically retrieved 'email@example.com' via WKD
See the official documentation for more guidance.
[1] I know that keyservers also fit this bill, but the key difference with WKD is that the key directory is intended to be deployed on the same server hosting the e-mail server in a decentralized manner, without relying on a central keyserver.