Bogomil Shopov

Human. Artist. Hacker. I care about free and open-source software (F/LOSS), cybersecurity, ethical design, privacy, and technology. 20+ years of experience in technology. 40+ in being human. I encourage people to become better humans with heavy metal and technologies. I also promote technologies to be considerate of humans. Let's see how it goes!

Mozilla · January 19, 2024

Use your Thunderbird OpenPGP key to set your Web Key Directory

For my email communication, I rely on Thunderbird. That is why I generate my OpenPGP keys with its key manager, not through gpg itself.

This morning, I set up my Web Key Directory (WKD) so anyone with an email client that supports it can auto-discover my public OpenPGP key without needing to look at any key server or rely on information from my website.

Prerequisites:

  • You have already generated a key pair using Thunderbird.
  • You own the domain of your email address. You will need access to it later to upload the WKD files.
  • Apache is running on your server to serve the files. (If you are using another web server, you can easily find instructions for setting the equivalent headers instead of using .htaccess.)

Thunderbird

Since Thunderbird uses its own keyring rather than gpg's, there is something else that I need to do first.

Here are the steps.

  • Open Tools > OpenPGP Key Manager.
  • Select the name of the key you would like to use.
  • Click the “File” menu and then “Backup Secret Key(s) to File”.
  • A new dialogue will open. Select the location where you want to store the file.
  • Then you will need to set a protection password for the key. Remember it.
  • Save the file.
  • Now you can close Thunderbird and open your GPG command-line interface.

GPG

I will be using the Fedora Linux instructions, but I think most of the commands are the same across systems.

1: Import the key that you just exported with the following command:

gpg --import [name of the exported file].asc

2: Then validate that the import actually happened:

gpg --list-keys

You should be able to see something like this:

[bogo@fedora ~]$ gpg --list-keys 
/home/bogo/.gnupg/pubring.kbx 
----------------------------- 
pub  ed25519 2024-01-19 [SC] [expires: 2027-01-18] 
     1128C8F2BBD80CA82FE317AF9F03DC07BCECFE7A 
uid          [ unknown] Bogomil Shopov <bogomil@bogomil.info> 
sub  cv25519 2024-01-19 [E] [expires: 2027-01-18] 

3: Let’s find the name of the file you will need to upload later to your web server. That file carries your public key, and its name (the WKD hash of your address) is what makes the key auto-discoverable.

gpg --with-wkd-hash --fingerprint [your email address here]

In my case this is:

[bogo@fedora ~]$ gpg --with-wkd-hash --fingerprint bogomil@bogomil.info 
pub  ed25519 2024-01-19 [SC] [expires: 2027-01-18] 
     1128 C8F2 BBD8 0CA8 2FE3 17AF 9F03 DC07 BCEC FE7A 
uid          [ unknown] Bogomil Shopov <bogomil@bogomil.info> 
             4b5a97n4drfkijffzpxjyobkb3h6dfxy@bogomil.info 
sub  cv25519 2024-01-19 [E] [expires: 2027-01-18]

4: Export the key to a file named after that hash:

gpg --export [your email address here] > [the WKD hash printed in step 3]

In my case it would be:

gpg --export bogomil@bogomil.info > 4b5a97n4drfkijffzpxjyobkb3h6dfxy

Then ensure that the file is saved on your hard drive.

Website

Now we need to move to your website. You must have access to its root directory. For most hosting providers, this is the www directory or the public_html shortcut that points to the same place.

  • Create there a directory called .well-known (mind the dot). There is a good chance it already exists for another purpose.
  • Then, in this folder, create a new one called “openpgpkey“.
  • In the newly created folder, add an empty file called “policy”.
  • And another folder in “openpgpkey“, called “hu”.
  • In the “hu” folder create a .htaccess file (mind the dot) and add the following content there:
<IfModule mod_mime.c>
    ForceType application/octet-stream
</IfModule>
<IfModule mod_headers.c>
    Header always set Access-Control-Allow-Origin "*"
</IfModule>
  • Then upload the gpg-generated file to the “hu” directory.
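As an added example (not code from this post or from GnuPG), the script below reproduces what gpg --with-wkd-hash prints in step 3 (z-base-32 of the SHA-1 of the lowercased local part), builds the direct-method URL that the .well-known/openpgpkey/hu/ layout above serves, and checks a constructed HTTP response for the two headers the .htaccess is meant to produce. It assumes only the Python standard library.

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet from the WKD draft (draft-koch-openpgp-webkey-service)
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32 without padding; 20 bytes become 32 characters."""
    bits, nbits, out = 0, 0, []
    for byte in data:
        bits = (bits << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32_ALPHABET[(bits >> nbits) & 0x1F])
    if nbits:  # flush a final partial group, left-aligned (not hit for 20-byte input)
        out.append(ZBASE32_ALPHABET[(bits << (5 - nbits)) & 0x1F])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """File name under hu/: z-base-32 of SHA-1 over the ASCII-lowercased local part."""
    mapped = "".join(c.lower() if c.isascii() else c for c in local_part)
    return zbase32_encode(hashlib.sha1(mapped.encode("utf-8")).digest())


def wkd_urls(address: str) -> dict:
    """Direct-method URL (what the post sets up) and the advanced-method alternative."""
    local_part, domain = address.rsplit("@", 1)
    domain = domain.lower()
    h = wkd_hash(local_part)
    q = "?l=" + quote(local_part)
    return {
        "hash": h,
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}{q}",
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}{q}",
    }


def check_headers(status: int, headers: dict) -> list:
    """List what a WKD client would complain about in a (constructed) HTTP response."""
    h = {k.lower(): v for k, v in headers.items()}
    problems = []
    if status != 200:
        problems.append(f"expected HTTP 200, got {status}")
    if h.get("content-type", "").split(";")[0].strip() != "application/octet-stream":
        problems.append("serve the key as application/octet-stream (the ForceType line)")
    if h.get("access-control-allow-origin") != "*":
        problems.append("missing Access-Control-Allow-Origin: * (the Header always set line)")
    return problems
```

Feeding bogomil@bogomil.info to wkd_urls() gives the same hash as the gpg output above, so you can use it to double-check the file name before uploading.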

Validation

To see whether you did a great job, use the following validator and enter your email address. The results should be similar to mine. 

a screen showing all green lines with validation results

Now, every service that discovers public keys via WKD can get yours just by using your email address while composing a new message. 

Thunderbird and WKD

Natively, Thunderbird doesn’t support auto-discovery with WKD. Most of the peers I communicate with use webmail clients or other software that supports it, so I did this for them; when I receive their e-mail with their key attached, I can add it to my trust list.

You are one step more protected! Good job!