Web Key Directory (WKD) “is a standard for discovery of OpenPGP keys by email address, via the domain of its email provider”.

In short, through some DNS and files-on-your-webserver conventions, some email clients (e.g. Thunderbird or ProtonMail) and tools like GnuPG are able to retrieve your PGP keys automatically. This is of course super convenient and desirable for your correspondents, because PGP encryption is hard enough as it is.

keys.openpgp.org makes this even better by offering “WKD as a service”, which means you only have to do the DNS bits, and not the files-on-your-webserver bits.

Export your keys to keys.openpgp.org AND VERIFY

Before any of this can work, we need to upload our public key to keys.openpgp.org and, very importantly, verify the email addresses associated with it.

Following the documentation, we use GnuPG and curl to upload the public key and get a verification link (gpg --export writes only the public key, which is all a keyserver should ever receive).

gpg --export 0x384435C7E77A4564 | curl -T - https://keys.openpgp.org

After running this command, open the verification link that curl prints, and verify each of the associated email addresses. In short, you click on the verify button, wait for the email, and then click on the link in that email.

Set up your DNS with CNAMEs pointing to keys.openpgp.org

Following the documentation for WKD as a service, create a CNAME record for the openpgpkey subdomain (i.e. openpgpkey.example.com) on each of the involved email domains, and point it to wkd.keys.openpgp.org. Only the addresses you verified in the previous step will be served from there.

I’m currently using CloudFlare for my domains, where this setup is just that single CNAME record.

Test and use WKD key discovery

For any domain where you’ve set up this CNAME, you should be able to use something like the following invocation to test WKD retrieval of your key via the email address in question:

$ gpg --locate-keys --auto-key-locate clear,nodefault,wkd info@charlbotha.com
gpg: key 384435C7E77A4564: "Charl P. Botha <info@charlbotha.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
pub   rsa4096 2013-08-13 [SC]
      54E725AF4E0D36B86E66359E384435C7E77A4564
uid           [ultimate] Charl P. Botha <info@charlbotha.com>
uid           [ultimate] Charl P. Botha <cpbotha@vxlabs.com>
uid           [ultimate] Charl P. Botha <cpbotha@cpbotha.net>
sub   rsa4096 2013-08-13 [E]

Once this is in place, correspondents with sufficiently modern email clients will be able to retrieve the correct keys automatically.
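To see exactly which URL a WKD-capable client will request once the CNAME above is in place, here is an added example (not from the original post) that reimplements the client side of the lookup in Python: the local part is lowercased, SHA-1 hashed and z-base-32 encoded, and then placed under the advanced-method URL on openpgpkey.<domain>, with the direct-method URL on the bare domain as the fallback gpg uses when the openpgpkey subdomain does not resolve. The function names and the fetch helper are my own; the sample address Joe.Doe@Example.ORG is the worked example from the WKD draft, which gives the hashed local part iy9q119eutrkn8s1mk4r39qejnbu3n5q.

```python
"""Derive the Web Key Directory (WKD) lookup URLs for an email address.

Added example, not from the original post: this mirrors the mapping that
gpg --auto-key-locate wkd performs before it touches the network, so the
CNAME you created can be checked against the exact URL a client will request.
The sample address used in __main__ is constructed for illustration.
"""
import hashlib
import sys
import urllib.parse
import urllib.request

# z-base-32 alphabet as used by the WKD draft (draft-koch-openpgp-webkey-service)
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5-bit groups, most-significant bit first, no padding chars."""
    nbits = len(data) * 8
    pad = (-nbits) % 5                      # zero bits appended so the length is a multiple of 5
    bits = int.from_bytes(data, "big") << pad
    nchars = (nbits + pad) // 5
    return "".join(
        ZBASE32_ALPHABET[(bits >> (5 * (nchars - 1 - i))) & 0x1F] for i in range(nchars)
    )


def wkd_hash(local_part: str) -> str:
    """WKD hashes the lowercased local part with SHA-1 (160 bits -> 32 z-base-32 chars).

    For the draft's example local part "Joe.Doe" this yields
    iy9q119eutrkn8s1mk4r39qejnbu3n5q.
    """
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def wkd_urls(email: str) -> dict:
    """Return the hashed local part, the DNS name the CNAME must exist for,
    and the advanced- and direct-method URLs a client will try, in that order."""
    local, _, domain = email.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    domain = domain.lower()
    h = wkd_hash(local)
    # The original (un-lowercased) local part travels in the l= query parameter.
    query = "?l=" + urllib.parse.quote(local, safe="")
    return {
        "hash": h,
        "cname_host": f"openpgpkey.{domain}",
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}{query}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}{query}",
    }


def fetch_wkd_key(email: str, timeout: float = 10.0) -> bytes:
    """Fetch the binary OpenPGP key, advanced method first, then direct method.

    Needs network access; it is not exercised by the offline checks. The result
    should be fed to gpg and its fingerprint compared with the one you expect.
    """
    urls = wkd_urls(email)
    last_err = None
    for method in ("advanced", "direct"):
        try:
            with urllib.request.urlopen(urls[method], timeout=timeout) as resp:
                return resp.read()
        except OSError as exc:              # urllib's URLError/HTTPError are OSError subclasses
            last_err = exc
    raise RuntimeError(f"no WKD key found for {email}") from last_err


if __name__ == "__main__":
    # Constructed sample address; pass your own on the command line.
    for addr in sys.argv[1:] or ["Joe.Doe@Example.ORG"]:
        for key, value in wkd_urls(addr).items():
            print(f"{key:11} {value}")
```

With the CNAME in place, `dig +short CNAME openpgpkey.yourdomain.example` should return wkd.keys.openpgp.org, and `curl -sSf "<advanced URL>" | gpg --show-keys` should print the fingerprint you saw in the gpg output above; a mismatch means either the wrong key was uploaded or the address was never verified, in which case keys.openpgp.org serves nothing for it.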

For future key updates, something like gpg --keyserver hkp://keys.openpgp.org --send-keys 0x384435C7E77A4564 (with your key-id of course) should be sufficient, unless you’ve added more email addresses, in which case you should do the verification dance again and, for a new domain, add its CNAME as well.