💾 Archived View for gmi.bacardi55.io › blog › 2023 › 02 › 05 › setting-up-wkd captured on 2023-03-20 at 17:46:45. Gemini links have been rewritten to link to archived content


Setting up OpenPGP Web Key Directory (WKD)

Posted on 2023-02-05

Quick note on OpenPGP Web Key Directory (WKD). The GnuPG wiki states:

A Web Key Directory (WKD) provides an easy way to provide and get the current public key for a given email address through HTTPS. Thus it is infrastructure to improve the user experience for exchanging secure emails and files.

In practice it means you can host your own GPG public key on your own web server, and anyone can fetch it with a single command: gpg --locate-keys email@domain.tld. The key is found automatically, because a stock GnuPG install already includes WKD in its default auto-key-locate lookup.

For this to work, there are two options: Web Key Directory (WKD) and Web Key Service (WKS).

In this post, I'm setting up Web Key Directory (WKD), **not** Web Key Service (WKS). WKS is a more advanced configuration that is useful when you want to manage many domains and/or many email addresses. In my use case, for the "rdi55.pl" domain I only manage one email address ("bac@"). In this case, setting up WKD is way easier and faster.

The documentation says:

The Web Key Directory is the HTTPS directory from which keys can be fetched. The Web Key Service is a tool / protocol to automatically publish and update keys in the Web Key Directory. It is optional to reduce the administrative effort of a Web Key Directory.

To set up WKD, the documentation indicates:

The hu directory has to be published on your server as https://openpgpkey.example.com/.well-known/openpgpkey/example.com/hu/ (or as https://example.com/.well-known/openpgpkey/hu/ if openpgpkey.example.com is not resolvable via DNS).

So I decided to use the non-subdomain option ("https://example.com/.well-known/openpgpkey/hu/", the "direct method") for extra simplicity. One caveat: GnuPG tries the openpgpkey subdomain first and only falls back to the direct method when that name does not resolve, so a wildcard DNS record that makes openpgpkey.rdi55.pl resolve would get in the way of this setup.

Following the GnuPG wiki for installing WKD, and since my gpg version is newer than 2.2.12, I can use the gpg-wks-client command to help:

mkdir -p /path/to/domain.tld/.well-known/openpgpkey && cd /path/to/domain.tld/ # Create the working directory (mind the spelling: openpgpkey)
chmod o-rw .well-known/openpgpkey # Drop read/write for others (execute stays, so a web server can still traverse it); otherwise the gpg-wks-client command will fail
gpg --list-options show-only-fpr-mbox -k mail@domain.tld | gpg-wks-client -v --install-key # Feeds "FINGERPRINT MBOX" lines to the client, which exports the key and lays out the tree

Result:

gpg-wks-server: gpg: Total number processed: 1
gpg-wks-server: using key with user id 'User <mail@domain.tld>'
gpg-wks-server: gpg: Total number processed: 1
gpg-wks-server: directory '.well-known/openpgpkey/domain.tld' created
gpg-wks-server: directory '.well-known/openpgpkey/domain.tld/hu' created
gpg-wks-server: policy file '.well-known/openpgpkey/domain.tld/policy' created
gpg-wks-server: key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX published for 'mail@domain.tld'

.
└── .well-known
    └── openpgpkey
        └── domain.tld
            ├── hu
            │   └── yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
            └── policy

Because I'm using the direct method, without the "openpgpkey" subdomain, this tree is wrong for my case: gpg-wks-client lays out the advanced-method structure with a "domain.tld" directory inside "openpgpkey", whereas the direct method expects the "hu" directory and the "policy" file directly under "openpgpkey". Let's move things around:

cd .well-known/openpgpkey
mv domain.tld/* ./
rmdir domain.tld

Now, the tree is:

.
└── .well-known
    └── openpgpkey
        ├── hu
        │   └── yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
        └── policy

Now I just need to scp -r the ".well-known" directory to the web server. Two things to check on the server side: the path must be served over HTTPS with a valid certificate (WKD lookups are HTTPS only), and the web server must not block hidden directories (some nginx and Apache configurations deny any path starting with a dot, which silently breaks WKD).
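As an added check before copying the tree to the web server (example code written for this note, not part of the original post and not GnuPG's own code), the script below derives the key-file name the way WKD specifies it (SHA-1 of the lowercased local part, z-base-32 encoded), builds both lookup URLs, and verifies that an on-disk tree has the key file and the policy file in the right place for the chosen method. It also flags the two mistakes this post runs into or warns about: leaving the advanced-method "domain.tld" directory in place, and serving an ASCII-armored export instead of the binary one. The address bac@rdi55.pl is taken from the post; the key bytes written into the sample tree are a constructed placeholder, not a real key.

```python
"""WKD path derivation and an offline layout check (added example, not from the post)."""
from __future__ import annotations

import hashlib
import os
import tempfile
from urllib.parse import quote

# z-base-32 alphabet, the encoding WKD uses for the hashed local part.
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """z-base-32 encode without padding characters (a 20-byte SHA-1 gives 32 chars)."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)  # zero-fill to a multiple of 5 bits
    return "".join(ZB32[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def wkd_hash(local_part: str) -> str:
    """Name of the file under hu/: SHA-1 of the lowercased local part, z-base-32 encoded."""
    return zbase32(hashlib.sha1(local_part.lower().encode("utf-8")).digest())


def wkd_urls(address: str) -> tuple[str, str]:
    """(advanced, direct) lookup URLs; GnuPG tries the advanced one first."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local)
    query = "?l=" + quote(local, safe="")  # original (un-lowercased) local part
    advanced = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}{query}"
    direct = f"https://{domain}/.well-known/openpgpkey/hu/{h}{query}"
    return advanced, direct


def check_layout(webroot: str, address: str, direct: bool = True) -> list[str]:
    """Return the problems found in an on-disk WKD tree for `address`; [] means OK."""
    local, domain = address.rsplit("@", 1)
    domain = domain.lower()
    base = os.path.join(webroot, ".well-known", "openpgpkey")
    if not direct:
        base = os.path.join(base, domain)  # advanced method keeps a per-domain directory
    problems = []
    policy = os.path.join(base, "policy")
    if not os.path.isfile(policy):
        problems.append(f"missing policy file {policy} (an empty file is enough)")
    keyfile = os.path.join(base, "hu", wkd_hash(local))
    if not os.path.isfile(keyfile):
        problems.append(f"missing key file {keyfile}")
    else:
        with open(keyfile, "rb") as fh:
            head = fh.read(16)
        if head.startswith(b"-----BEGIN"):
            problems.append(f"{keyfile} is ASCII-armored; WKD serves the binary export")
    stray = os.path.join(base, domain)
    if direct and os.path.isdir(stray):
        problems.append(f"stray {stray} directory: gpg-wks-client built the advanced layout")
    return problems


def build_demo_tree(webroot: str, address: str, direct: bool = True, armored: bool = False) -> str:
    """Create a sample tree. The key bytes are a constructed placeholder, not a real key."""
    local, domain = address.rsplit("@", 1)
    base = os.path.join(webroot, ".well-known", "openpgpkey")
    if not direct:
        base = os.path.join(base, domain.lower())
    os.makedirs(os.path.join(base, "hu"), exist_ok=True)
    open(os.path.join(base, "policy"), "w").close()  # empty policy file is valid
    body = b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n" if armored else b"\x98\x33\x04"
    with open(os.path.join(base, "hu", wkd_hash(local)), "wb") as fh:
        fh.write(body)
    return base


def demo(address: str = "bac@rdi55.pl") -> dict[str, list[str]]:
    """Check a correct direct-method tree and two common mistakes."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root, address)
        results["direct_ok"] = check_layout(root, address)
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root, address, direct=False)  # forgot to move hu/ and policy up
        results["left_advanced_layout"] = check_layout(root, address)
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root, address, armored=True)  # exported with --armor by mistake
        results["armored_key"] = check_layout(root, address)
    return results


if __name__ == "__main__":
    for url in wkd_urls("bac@rdi55.pl"):
        print(url)
    for name, problems in demo().items():
        print(name, "OK" if not problems else problems)
```

Run it against the real web root (check_layout("/path/to/domain.tld", "bac@rdi55.pl")) after the mv step and before the scp; an empty list means the file gpg will ask for is where the direct method expects it. The hash is derived from the lowercased local part only, so "Bac@" and "bac@" map to the same file, while the domain never enters the hash.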

For the web root, since I'm not using this domain for an actual site, I just created a basic HTML file that redirects to my main site, bacardi55.io:

<!DOCTYPE html>
<html>
  <head>
    <meta http-equiv="refresh" content="3; url='https://bacardi55.io'" />
  </head>
  <body>
    <p>Nothing here, please go to <a href="https://bacardi55.io">my blog</a>.</p>
  </body>
</html>

And voilà, this should allow anyone to fetch my key with "gpg --locate-keys" and my email "bac" "-at-" "rdi55.pl". To actually exercise the WKD lookup, test from a machine that does not already have the key (gpg --locate-keys returns a local copy first), or use gpg --locate-external-keys, which skips the local keyring.
