I’ve run my own email server for a few years now without too many troubles. I also pay for a ProtonMail account that’s been very good. But I’ve always struggled with PGP keys for encrypting messages to non-Proton users - basically everyone. The PGP key distribution setup just seemed half baked and a bit broken relying on central key servers.
Then I noticed that email I set from my personal email to my company provided email were being encrypted even though I wasn’t doing anything to achieve this. This got me curious as to why that was happening which lead me to WKD (Web Key Directory). It’s such a simple idea for providing discoverable downloads for public keys and it works really well having set it up for my own emails now.
It’s basically a way of discovering the public key of someone’s email by making it available over HTTPS at an address that can be calculated based on the email address itself. So if your email is name@example.com
, then the public key can be hosted at (in this case) https://openpgpkey.example.com/.well-known/openpgpkey/example.com/hu/pmw31ijkbwshwfgsfaihtp5r4p55dzmc?l=name
this is derived using a command like gpg-wks-client --print-wkd-url name@example.com
. You just need an email client that can do this and find the key for you automatically. And when setting up your own server you generate the content using the keys in your gpg key ring using env GNUPGHOME=$(mktemp -d) gpg --locate-keys --auto-key-locate clear,wkd,nodefault [email protected]
. Move this generated folder structure to your webserver and you’re basically good to go.
I have this working with Thunderbird, which now prompts me to do the discoverability step when I enter an email that doesn’t have an associated key. On Android, I’ve found OpenKeyChain can also do a search based just on the email address that apps like K9-Mail (to be Thunderbird mail) can then use.
Anyway, I thought this was pretty cool and was excited to see such an improvement in seamless encryption integration. It’d be nicer if on Thunderbird and K9 it all happened as soon as you enter an email address rather than a few extra steps to jump through to perform the search and confirm the keys. But it’s a major improvement.
Does your email provider have WKD setup and working or do you use it already?
I had never heard of this, but it sounds fascinating — thanks for sharing! Definitely going to try to set this up this weekend.
No worries, I thought it was pretty interesting and I’d never heard of it before so thought I’d share.
The most difficult part for me was configuring nginx to properly serve the files. The gpg part was actually the easy bit.