Publishing your PGP using Web Key Directory

Last modified on

Most people with personal websites publish their public key on their website at a place like /pgp.asc, /key.gpg, etc. They then have a link to that public key location on their main page. This is how I do as well. Obviously I rarely get a PGP encrypted email. Who would bother checking my homepage trying to locate the key, download it, and import it to their key manager? Very few would do that. Luckily there is Web Key Directory.

Web Key Directory is a standard for discovering a public key given an email address. Integrating this standard enables decent email clients like Thunderbird to easily find public keys and encrypt emails accordingly. It is even used by mail service providers like Protonmail and Skiff, providing seamless encrypted messging experience for the average user. This is all good but how would you add support for it on your simple blog website?

All you need is to pipe our public key fingerprint to gpg-wks-client -v --install-key, which gets the public key from your gpg keyring. The output file then needs to be placed at /.well-known directory of your website. Below is a script to achieve this for all public keys of

# Assume we own `` and want to publish PGP of all `*` emails.

# Assume the ROOT is the root location where the web server serves the files.

# Create the required directory
mkdir -p "$ROOT"/.well-known/openpgpkey

# Create the required files of all the PGP keys of domain ``.
gpg --list-options show-only-fpr-mbox -k "$DOMAIN" |\
  gpg-wks-client -v --install-key --directory "$ROOT"/.well-known/openpgpkey

# Remove domain name from the file path assuming we are using `` to instead of
# `` for publishing.
mv "$ROOT"/.well-known/openpgpkey/"$DOMAIN"/* "$ROOT"/.well-known/openpgpkey/
rm -r "$ROOT"/.well-known/openpgpkey/"$DOMAIN"

After that, you can check here if the public key is published properly:

Refer to here on more details setting this up: