On this page, we collect information on how to use
keys.openpgp.org with different OpenPGP
We are still in the process of adding more. If you are missing some, please write to us and we'll try to add it.
The web interface on keys.openpgp.org allows you to:
Enigmail for Thunderbird uses keys.openpgp.org by default since version 2.0.12.
Full support is available since Enigmail 2.1 (for Thunderbird 68 or newer):
GPG Suite for macOS uses keys.openpgp.org by default since August 2019.
OpenKeychain for Android uses keys.openpgp.org by default since July 2019.
Note that there is no built-in support for upload and email address verification so far.
Pignus for iOS uses keys.openpgp.org by default since November 2019.
To configure GnuPG to use keys.openpgp.org as keyserver, add this line to your gpg.conf file:
gpg --auto-key-locate keyserver --locate-keys email@example.com
Keys can be uploaded with GnuPG's --send-keys command, but identity information can't be verified that way to make the key searchable by email address (what does this mean?).
gpg --export firstname.lastname@example.org | curl -T - https://keys.openpgp.org
gpg --export email@example.com > my_key.pub
This configuration is no longer necessary, but prevents regular certificates from working. It is recommended to simply remove this line from the configuration.
gpg: key A2604867523C7ED8: no user IDThis is a known problem in GnuPG. We are working with the GnuPG team to resolve this issue.
For users who want to be extra careful, keys.openpgp.org can be reached anonymously as an onion service. If you have Tor installed, use the following configuration:
The Web Key Directory (WKD) is a standard for discovery of OpenPGP keys by email address, via the domain of its email provider. It is used to discover unknown keys in some email clients, such as GpgOL.
keys.openpgp.org can be used as a managed WKD service for any domain. To do so, the domain simply needs a CNAME record that delegates its openpgpkey subdomain to wkd.keys.openpgp.org. It should be possible to do this in the web interface of any DNS hoster.
Once enabled for a domain, its verified addresses will automatically be available for lookup via WKD.
The CNAME record should look like this:
$ drill openpgpkey.example.org
openpgpkey.example.org. 300 IN CNAME wkd.keys.openpgp.org.
There is a simple status checker for testing the service:
$ curl 'https://wkd.keys.openpgp.org/status/?domain=openpgpkey.example.org'
CNAME lookup ok: openpgpkey.example.org resolves to wkd.keys.openpgp.org
For testing key retrieval:
$ gpg --locate-keys --auto-key-locate clear,nodefault,wkd firstname.lastname@example.org
We offer an API for integrated support in OpenPGP applications. Check out our API documentation.
Missing a guide for your favorite implementation? This site is a work-in-progress, and we are looking to improve it. Drop us a line at support at keys dot openpgp dot org if you want to help out!
Hagrid v1.2.1 built from 1c4c529
Powered by Sequoia-PGP
Background image retrieved from Subtle Patterns under CC BY-SA 3.0