I’ve run my own email server for a few years now without too many troubles. I also pay for a ProtonMail account that’s been very good. But I’ve always struggled with PGP keys for encrypting messages to non-Proton users - basically everyone. The PGP key distribution setup just seemed half baked and a bit broken relying on central key servers.
Then I noticed that email I set from my personal email to my company provided email were being encrypted even though I wasn’t doing anything to achieve this. This got me curious as to why that was happening which lead me to WKD (Web Key Directory). It’s such a simple idea for providing discoverable downloads for public keys and it works really well having set it up for my own emails now.
It’s basically a way of discovering the public key of someone’s email by making it available over HTTPS at an address that can be calculated based on the email address itself. So if your email is name@example.com
, then the public key can be hosted at (in this case) https://openpgpkey.example.com/.well-known/openpgpkey/example.com/hu/pmw31ijkbwshwfgsfaihtp5r4p55dzmc?l=name
this is derived using a command like gpg-wks-client --print-wkd-url name@example.com
. You just need an email client that can do this and find the key for you automatically. And when setting up your own server you generate the content using the keys in your gpg key ring using env GNUPGHOME=$(mktemp -d) gpg --locate-keys --auto-key-locate clear,wkd,nodefault name@example.com
. Move this generated folder structure to your webserver and you’re basically good to go.
I have this working with Thunderbird, which now prompts me to do the discoverability step when I enter an email that doesn’t have an associated key. On Android, I’ve found OpenKeyChain can also do a search based just on the email address that apps like K9-Mail (to be Thunderbird mail) can then use.
Anyway, I thought this was pretty cool and was excited to see such an improvement in seamless encryption integration. It’d be nicer if on Thunderbird and K9 it all happened as soon as you enter an email address rather than a few extra steps to jump through to perform the search and confirm the keys. But it’s a major improvement.
Does your email provider have WKD setup and working or do you use it already?
I had never heard of this, but it sounds fascinating — thanks for sharing! Definitely going to try to set this up this weekend.
I tried setting this up a few years ago without success. Prompted by your post I took another look and I think I was trying to serve my key from a mishmash of the direct and advanced URIs (although I don’t remember there being an advanced and direct method when I first tried this) and I had a TXT record setup in DNS as well for some reason. Might have been following a draft RFC? Whatever I was trying, it didn’t work for me then.
No one I know other than a couple of services I have accounts with use pgp so it is of little use to me right now. But I am glad it is now working and I don’t need to rely on any 3rd party keyservers. So thanks for the prompt and the write-up.
It’d be nice if email clients automatically checked for public keys for any email you enter in the To fields. With a nice prompt that keys have been found to Encrypt the message with. It doesnt sound too difficult and it could lead to much wider adoption of secure emails.
Unfortunately most people get their email free because companies like reading it and stopping that means it might become a paid for service. Something I’m happy to pay for, but many wouldn’t be.
I’ve just discovered this today too! I’m not even sure how to find my key (Proton user too). I’ve admittedly not spent too much time understanding PGP since basically no one uses it.
You can download the public key from the web interface. I then imported it in to gpg with a
gpg --import public.asc
and then used the above commands to generate the WKD structure.
This actually sounds quite interesting. Is this controlled with DNS entries at the domain level somehow, or is the subdomain fixed/mandatory?
There’s 2 methods, one uses a subdomain and one doesn’t. Without is called ‘direct’. No special DNS entries required really. I have a wildcard subdomain entry which works for me. Just so long as the key is available over HTTPS using one method.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters DNS Domain Name Service/System HTTP Hypertext Transfer Protocol, the Web HTTPS HTTP over SSL SSL Secure Sockets Layer, for transparent encryption nginx Popular HTTP server
3 acronyms in this thread; the most compressed thread commented on today has 7 acronyms.
[Thread #865 for this sub, first seen 12th Jul 2024, 05:35] [FAQ] [Full list] [Contact] [Source code]