keys.openpgp.org
About | News | Usage | FAQ | Stats | Privacy
On this page, we collect information on how to use
keys.openpgp.org with different OpenPGP
software products.
We are still in the process of adding more. If you are missing some, please
write to us and we'll try to add it.
Web Interface
The web interface on keys.openpgp.org allows you to:
- Search for keys manually, by fingerprint or email address.
- Upload keys manually, and verify them after upload.
- Manage your keys, and remove published identities.
Enigmail
Enigmail for Thunderbird uses keys.openpgp.org by default since version 2.0.12.
Full support is available since Enigmail 2.1 (for Thunderbird 68 or newer):
- Keys will be kept up to date automatically.
- During key creation, you can upload and verify your key.
- Keys can be discovered by email address.
GPG Suite
GPG Suite for macOS uses keys.openpgp.org by default since August 2019.
OpenKeychain
OpenKeychain for Android uses keys.openpgp.org by default since July 2019.
- Keys will be kept up to date automatically.
- Keys can be discovered by email address.
Note that there is no built-in support for upload and email address verification so far.
Pignus
Pignus for iOS uses keys.openpgp.org by default since November 2019.
- Your keys can be uploaded at any time.
- Keys can be discovered by email address.
GnuPG
To configure GnuPG to use keys.openpgp.org as keyserver, add this line to your gpg.conf file:
keyserver hkps://keys.openpgp.org
Retrieving keys
-
To locate the key of a user, by email address:
gpg --auto-key-locate keyserver --locate-keys user@example.net
- To refresh all your keys (e.g. new revocation certificates and subkeys):
gpg --refresh-keys
Uploading your key
Keys can be uploaded with GnuPG's --send-keys command, but identity information can't be verified that way to make the key searchable by email address (what does this mean?).
-
You can try this shortcut for uploading your key, which outputs
a direct link to the verification page:
gpg --export your_address@example.net | curl -T - https://keys.openpgp.org
-
Alternatively, you can export them to a file
and select that file in the upload page:
gpg --export your_address@example.net > my_key.pub
Troubleshooting
-
Some old ~/gnupg/dirmngr.conf files contain a line like this:
hkp-cacert ~/.gnupg/sks-keyservers.netCA.pem
This configuration is no longer necessary, but prevents regular certificates from working. It is recommended to simply remove this line from the configuration.
-
While refreshing keys, you may see errors like the following:
gpg: key A2604867523C7ED8: no user ID
This is a known problem in GnuPG. We are working with the GnuPG team to resolve this issue.
Usage via Tor
For users who want to be extra careful, keys.openpgp.org can be reached anonymously as an onion service. If you have Tor installed, use the following configuration:
keyserver hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion
WKD as a Service
The Web Key Directory (WKD) is a standard for discovery of OpenPGP keys by email address, via the domain of its email provider. It is used to discover unknown keys in some email clients, such as GpgOL.
keys.openpgp.org can be used as a managed WKD service for any domain. To do so, the domain simply needs a CNAME record that delegates its openpgpkey subdomain to wkd.keys.openpgp.org. It should be possible to do this in the web interface of any DNS hoster.
Once enabled for a domain, its verified addresses will automatically be available for lookup via WKD.
The CNAME record should look like this:
$ drill openpgpkey.example.org
...
openpgpkey.example.org. 300 IN CNAME wkd.keys.openpgp.org.
There is a simple status checker for testing the service:
$ curl 'https://wkd.keys.openpgp.org/status/?domain=openpgpkey.example.org'
CNAME lookup ok: openpgpkey.example.org resolves to wkd.keys.openpgp.org
For testing key retrieval:
$ gpg --locate-keys --auto-key-locate clear,nodefault,wkd address@example.org
API
We offer an API for integrated support in OpenPGP applications. Check out our API documentation.
Others
Missing a guide for your favorite implementation? This site is a work-in-progress, and we are looking to improve it. Drop us a line at support at keys dot openpgp dot org if you want to help out!