Hi! I just published how to host your own Web Key Directory on the gnupg blog.
Find below a plain text version of my blog entry
https://gnupg.org/blog/20161027-hosting-a-web-key-directory.html

Andre

1 Hosting a Web Key Directory
═════════════════════════════

With the improvements in GnuPG for Key Discovery (see: [Key Discovery Made Simple]) you may want to provide the OpenPGP keys for your domain.

The Web Key Service (WKS) describes a protocol for Mail Service Providers or large organisations to maintain a Web Key Directory (WKD) for their users. A Web Key Directory is a static collection of keys provided under well-known URLs under your domain. This directory can also be generated manually, without using the Web Key Service protocol.

By providing a Web Key Directory, other people (or their mail software) can obtain the OpenPGP keys for your domain with a simple query like:

┌────
│ $ gpg --auto-key-locate wkd --locate-keys <mail address>
└────

In this note, I explain how to do that.

Note: An updated version of this article may be available in the [GnuPG Wiki].

[Key Discovery Made Simple] https://www.gnupg.org/blog/20160830-web-key-service.html
[GnuPG Wiki] https://wiki.gnupg.org/WKD#Hosting%20a%20Web%20Key%20Directory

1.1 Requirements
────────────────

• A web server that provides https with a trusted certificate for your domain.
• A client machine with Python and PyME installed (Debian package python-pyme).
• The script: [generate-openpgpkey-hu] (in the [Mercurial repository "wkd-tools"]).

[generate-openpgpkey-hu] https://hg.intevation.de/gnupg/wkd-tools/raw-file/default/generate-openpgpkey-hu
[Mercurial repository "wkd-tools"] https://hg.intevation.de/gnupg/wkd-tools/

1.2 Setup
─────────

You can either export all the keys in your keyring that belong to a domain, or provide an explicit keyring containing just those keys that you want to publish. The call:

┌────
│ $ ./generate-openpgpkey-hu example.com hu
└────

will create a directory called hu containing all the keys with user ids that include @example.com.

If there are multiple valid keys for a user in your keyring, this command will error out. In that case you can prepare a keyring with only the keys that you want to publish. For example:

┌────
│ $ gpg --export 94A5C9A03C2FE5CA3B095D8E1FDF723CF462B6B1 | \
│ > gpg --no-default-keyring --keyring ./wkd-keyring.gpg --import
└────

And then provide that keyring to generate-openpgpkey-hu:

┌────
│ $ ./generate-openpgpkey-hu example.com hu wkd-keyring.gpg
└────

1.3 Publishing
──────────────

The hu directory has to be published on your server as

┌────
│ https://example.com/.well-known/openpgpkey/hu/
└────

Create the directory structure and set the permissions accordingly.

This example [Makefile] automates the hu directory generation and publishing. Edit the variables at the top of the makefile to set `RSYNC_TARGET'. The `KEYRING' variable is optional and can be left empty.

That's it. You can now test your setup by calling:

┌────
│ $ gpg --auto-key-locate wkd --locate-keys <mail address>
└────

You should see something like this:

┌────
│ gpg: key AC12F94881D28CB7: public key "testuse...@test.gnupg.org" imported
│ gpg: Total number processed: 1
│ gpg:               imported: 1
│ gpg: automatically retrieved 'testuse...@test.gnupg.org' via WKD
│ pub   ed25519 2016-07-15 [SC]
│       5506894357DC548CC65B0BCFAC12F94881D28CB7
│ uid           [ unknown] testuse...@test.gnupg.org
│ sub   cv25519 2016-07-15 [E]
└────

[Makefile] https://hg.intevation.de/gnupg/wkd-tools/raw-file/default/Makefile.example

--
Andre Heinecke |  ++49-541-335083-262  | http://www.intevation.de/
Intevation GmbH, Neuer Graben 17, 49074 Osnabrück | AG Osnabrück, HR B 18998
Geschäftsführer: Frank Koormann, Bernhard Reiter, Dr. Jan-Oliver Wagner
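The post does not spell out how the file names inside hu/ are derived, which is what you need when you want to check a published directory by hand rather than trust the script. The following is an added example, not code from the post or from wkd-tools: it computes the WKD "direct method" path for an address (local part lower-cased, SHA-1, z-base-32) and sanity-checks a generated hu/ directory before it is rsynced to the server. The test vector Joe.Doe@Example.ORG is the one from the WKD draft; the hu/ contents built in demo() are constructed placeholders, not real keys.

```python
"""WKD direct-method path computation and hu/ directory sanity check.

Added example for this post; not the post's or wkd-tools' own code.
"""
import hashlib
import os
import tempfile
from typing import List

# z-base-32 alphabet as used by WKD (not the RFC 4648 base32 alphabet).
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"

# First byte of an OpenPGP public-key packet (tag 6): old-format headers
# 0x98..0x9b (one per length type) or new-format header 0xC6.
PUBKEY_PACKET_FIRST_BYTES = (b"\x98", b"\x99", b"\x9a", b"\x9b", b"\xc6")


def zbase32_encode(data: bytes) -> str:
    """z-base-32 encode without padding: 5-bit groups, MSB first,
    last group zero-padded on the right. 20 bytes -> 32 characters."""
    nbits = len(data) * 8
    nchars = (nbits + 4) // 5
    bits = int.from_bytes(data, "big") << (nchars * 5 - nbits)
    return "".join(
        ZBASE32_ALPHABET[(bits >> ((nchars - 1 - i) * 5)) & 0x1F]
        for i in range(nchars)
    )


def wkd_hash(address: str) -> str:
    """WKD hash of the local part: ASCII upper-case letters folded to
    lower case (other characters untouched), SHA-1, z-base-32."""
    local_part, _, domain = address.rpartition("@")
    if not local_part or not domain:
        raise ValueError("not a mail address: %r" % address)
    folded = "".join(c.lower() if "A" <= c <= "Z" else c for c in local_part)
    return zbase32_encode(hashlib.sha1(folded.encode("utf-8")).digest())


def wkd_url(address: str) -> str:
    """URL a client following the direct method fetches for the address."""
    domain = address.rpartition("@")[2].lower()
    return "https://%s/.well-known/openpgpkey/hu/%s" % (domain, wkd_hash(address))


def check_hu_directory(path: str) -> List[str]:
    """Return problems found in a generated hu/ directory: every entry
    must be a regular file named by a 32-character WKD hash and must start
    with a binary public-key packet (an ASCII-armored export is rejected
    by WKD clients)."""
    problems = []
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            problems.append("%s: not a regular file" % name)
            continue
        if len(name) != 32 or any(c not in ZBASE32_ALPHABET for c in name):
            problems.append("%s: file name is not a WKD hash" % name)
        with open(full, "rb") as fh:
            first = fh.read(1)
        if first not in PUBKEY_PACKET_FIRST_BYTES:
            problems.append("%s: not a binary public-key packet (armored?)" % name)
    return problems


def demo() -> List[str]:
    """Build a constructed hu/ with one good and two bad entries and return
    what the checker reports (expected: exactly two problems)."""
    # Constructed bytes: an old-format public-key packet header followed by
    # filler, enough for the first-byte check; this is not a usable key.
    fake_binary_key = b"\x99\x00\x05\x04" + b"\x00" * 4
    armored = b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
    with tempfile.TemporaryDirectory() as hu:
        with open(os.path.join(hu, wkd_hash("alice@example.com")), "wb") as fh:
            fh.write(fake_binary_key)          # correct name, binary content
        with open(os.path.join(hu, wkd_hash("bob@example.com")), "wb") as fh:
            fh.write(armored)                  # correct name, armored content
        with open(os.path.join(hu, "bob@example.com"), "wb") as fh:
            fh.write(fake_binary_key)          # binary content, wrong file name
        return check_hu_directory(hu)


if __name__ == "__main__":
    print(wkd_url("Joe.Doe@Example.ORG"))
    for problem in demo():
        print(problem)
```

Cross-check the hash against what GnuPG itself computes with `gpg --with-wkd-hash -k <mail address>`, which prints the WKD hash next to each user id. If the checker reports an armored file, the key was exported with --armor somewhere along the way; WKD clients expect the binary export, which is what generate-openpgpkey-hu writes.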
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users