For my email communication, I rely on Thunderbird. That is why I generate my OpenPGP keys with its key manager, not through gpg itself.
This morning, I set up my Web Key Directory (WKD) so that anyone with an email client that supports it can auto-discover my public OpenPGP key without looking it up on a key server or relying on information from my website.
Prerequisites:
- You have already generated a key pair using Thunderbird.
- You control the domain of your email address. You will need access to it later to upload the WKD files.
- Apache is running on your server to serve the files. (If you use a different web server, you can easily find instructions for setting the same headers instead of using .htaccess.)
Thunderbird
Since Thunderbird uses its own keyring, there is an extra step: the key has to be exported so that gpg can use it.
Here are the steps.
- Open Tools > OpenPGP Key Manager
- Select the key you would like to use.
- Click the “File” menu and then “Backup Secret Key(s) To File”.
- A new dialog will open. Select the location where you want to store the file.
- Then, you will need to set a protection password for the key. Remember it.
- Save the file.
- Now you can close Thunderbird and open a terminal with the gpg command line interface.
GPG
I will be using the Fedora Linux instructions, but I think most of the commands are the same across systems.
1: Import the key that you just exported with the following command:
gpg --import [name-of-the-exported-file].asc
2: Then validate that the import actually happened:
gpg --list-keys
You should be able to see something like this:
[bogo@fedora ~]$ gpg --list-keys
/home/bogo/.gnupg/pubring.kbx
-----------------------------
pub ed25519 2024-01-19 [SC] [expires: 2027-01-18]
1128C8F2BBD80CA82FE317AF9F03DC07BCECFE7A
uid [ unknown] Bogomil Shopov <bogomil@bogomil.info>
sub cv25519 2024-01-19 [E] [expires: 2027-01-18]
3: Let’s find the name of the file you will need to upload later to your web server. The following command prints, beneath the uid line, the WKD hash of your email address; that hash is the file name under which your public key will be auto-discovered.
gpg --with-wkd-hash --fingerprint [your email address here]
In my case:
[bogo@fedora ~]$ gpg --with-wkd-hash --fingerprint bogomil@bogomil.info
pub ed25519 2024-01-19 [SC] [expires: 2027-01-18]
1128 C8F2 BBD8 0CA8 2FE3 17AF 9F03 DC07 BCEC FE7A
uid [ unknown] Bogomil Shopov <bogomil@bogomil.info>
4b5a97n4drfkijffzpxjyobkb3h6dfxy@bogomil.info
sub cv25519 2024-01-19 [E] [expires: 2027-01-18]
4: Export the public key to a file named after the hash from step 3:
gpg --export [your email address here] > [the hash from step 3]
In my case it would be
gpg --export bogomil@bogomil.info > 4b5a97n4drfkijffzpxjyobkb3h6dfxy
Then ensure that the file is saved on your hard drive.
Website
Now we need to move to your website. You must have access to its document root. For most hosting providers, this is the www directory or the public_html shortcut that leads to the same place.
- Create a directory there called .well-known (mind the dot). It may well already exist for another purpose.
- Then, in this folder, create a new one called “openpgpkey”.
- In the newly created folder add an empty file called “policy”.
- And another folder inside “openpgpkey”, called “hu”.
- In the “hu” folder create a .htaccess file (mind the dot) and add the following content to it:
<IfModule mod_mime.c>
ForceType application/octet-stream
</IfModule>
<IfModule mod_headers.c>
Header always set Access-Control-Allow-Origin "*"
</IfModule>
- Then upload the gpg-generated file to the “hu” directory.
Validation
To see whether you did a great job, use the following validator and enter your email address. The results should be similar to mine.
Now, every service that discovers public keys via WKD can get yours just by using your email address while composing a new message.
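As an added example (not code from the original post), the Python below reproduces what step 3 and the validator do: it computes the WKD file name from an address (z-base-32 of the SHA-1 of the lower-cased local part), builds the direct and advanced lookup URLs, and checks a lookup response for the headers the .htaccess above is meant to set and for a binary OpenPGP body. The function names are mine; the hash for bogomil@bogomil.info is the one shown in the post.

```python
import hashlib
import urllib.parse
import urllib.request

# z-base-32 alphabet, the encoding GnuPG uses for WKD hashes
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"

def zbase32(data: bytes) -> str:
    """z-base-32 encode, 5-bit groups most-significant bit first (as GnuPG's zb32_encode)."""
    nchars = (len(data) * 8 + 4) // 5
    bits = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)
    return "".join(ZB32[(bits >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))

def wkd_hash(email: str) -> str:
    """File name under hu/: z-base-32(SHA-1(lower-cased local part of the address))."""
    local = email.rsplit("@", 1)[0].lower()
    return zbase32(hashlib.sha1(local.encode("utf-8")).digest())

def wkd_urls(email: str) -> dict:
    """The two lookup URLs a WKD client may try (this post sets up the direct one)."""
    local, domain = email.rsplit("@", 1)
    h, q, d = wkd_hash(email), urllib.parse.quote(local), domain.lower()
    return {"direct": f"https://{d}/.well-known/openpgpkey/hu/{h}?l={q}",
            "advanced": f"https://openpgpkey.{d}/.well-known/openpgpkey/{d}/hu/{h}?l={q}"}

def check_wkd_response(status: int, headers: dict, body: bytes) -> list:
    """List what is wrong with a lookup result; an empty list means it looks right."""
    hdr = {k.lower(): v for k, v in headers.items()}
    problems = []
    if status != 200:
        problems.append(f"HTTP status {status}")
    if not hdr.get("content-type", "").startswith("application/octet-stream"):
        problems.append("Content-Type is not application/octet-stream (check the ForceType rule)")
    if hdr.get("access-control-allow-origin") != "*":
        problems.append("missing Access-Control-Allow-Origin: * (browser-based clients need it)")
    if not body or not body[0] & 0x80:
        problems.append("body is not binary OpenPGP (an armored export or an HTML error page?)")
    else:
        # Packet tag: new format = low 6 bits, old format = bits 2..5; tag 6 is Public-Key.
        tag = body[0] & 0x3F if body[0] & 0x40 else (body[0] >> 2) & 0x0F
        if tag != 6:
            problems.append(f"first packet tag is {tag}, expected 6 (Public-Key)")
    return problems

def check_wkd_online(email: str) -> list:
    """Fetch the direct-method URL (needs network) and run the checks on the response."""
    try:
        with urllib.request.urlopen(wkd_urls(email)["direct"], timeout=10) as r:
            return check_wkd_response(r.status, dict(r.headers), r.read())
    except urllib.request.HTTPError as e:
        return check_wkd_response(e.code, dict(e.headers), e.read())
```

Running check_wkd_online("you@your.domain") after the upload should return an empty list; each entry it does return names the header or file problem to fix.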
Thunderbird and WKD
Natively, Thunderbird doesn’t support auto-discovery with WKD. Most of the peers I communicate with use webmail clients or other software that supports it, so I did this for them; when I receive their e-mail with their key attached, I can add it to my trust list.
You are one step more protected! Good job!