On this page, we collect information on how to use
keys.openpgp.org with different OpenPGP
We are still in the process of adding more. If you are missing some, please write to us and we'll try to add it.
The web interface on keys.openpgp.org allows you to:
Enigmail for Thunderbird uses keys.openpgp.org by default since version 2.0.12.
Full support is available since Enigmail 2.1 (for Thunderbird 68 or newer):
GPG Suite for macOS uses keys.openpgp.org by default since August 2019.
OpenKeychain for Android uses keys.openpgp.org by default since July 2019.
Note that there is no built-in support for upload and email address verification so far.
Pignus for iOS uses keys.openpgp.org by default since November 2019.
To configure GnuPG to use keys.openpgp.org as keyserver, add this line to your gpg.conf file:
gpg --auto-key-locate keyserver --locate-keys firstname.lastname@example.org
Keys can be uploaded with GnuPG's --send-keys command, but identity information can't be verified that way to make the key searchable by email address (what does this mean?).
gpg --export email@example.com | curl -T - https://keys.openpgp.org
gpg --export firstname.lastname@example.org > my_key.pub
This configuration is no longer necessary, but prevents regular certificates from working. It is recommended to simply remove this line from the configuration.
gpg: key A2604867523C7ED8: no user IDThis is a known problem in GnuPG. We are working with the GnuPG team to resolve this issue.
The Web Key Directory (WKD) is a standard for discovery of OpenPGP keys by email address, via the domain of its email provider. It is used to discover unknown keys in some email clients, such as GpgOL.
keys.openpgp.org can be used as a managed WKD service for any domain. To do so, the domain simply needs a CNAME record that delegates its openpgpkey subdomain to wkd.keys.openpgp.org. It should be possible to do this in the web interface of any DNS hoster.
Once enabled for a domain, its verified addresses will automatically be available for lookup via WKD.
The CNAME record should look like this:
$ drill openpgpkey.example.org
openpgpkey.example.org. 300 IN CNAME wkd.keys.openpgp.org.
There is a simple status checker for testing the service:
$ curl 'https://wkd.keys.openpgp.org/status/?domain=openpgpkey.example.org'
CNAME lookup ok: openpgpkey.example.org resolves to wkd.keys.openpgp.org
For testing key retrieval:
$ gpg --locate-keys --auto-key-locate clear,nodefault,wkd email@example.com
We offer an API for integrated support in OpenPGP applications. Check out our API documentation.
Missing a guide for your favorite implementation? This site is a work-in-progress, and we are looking to improve it. Drop us a line at support at keys dot openpgp dot org if you want to help out!