Uploading keys using web key directory
Web key directory ¶
Web key directory or WKD refers to the method of uploading one’s public key to their website in a specific location to make it easily accessible by other services supporting WKD. The key will be discoverable using an identifier similar to an email address: email@example.com.
The benefit of WKD is having full control over the key while still having it widely available. It does however require a domain and some form of file hosting. Luckily, openpgp.org have made a WKD-as-a-service. Read more at the end of the guide.
It exists in two variants: the Direct setup and the Advanced setup. Despite their names, both require roughly the same steps.
The Direct setup ¶
To make your keys available via WKD using the Direct setup, you’ll need two paths on your server:
https://domain.org/.well-known/openpgpkey/policy: this is an empty file
https://domain.org/.well-known/openpgpkey/hu/LOCALPART: this is the binary public key (so NOT ASCII armored)
The LOCALPART above is actually the username hashed using the SHA-1 algorithm and encoded using the Z-Base-32 method. As it’s not humanly possible to compute this by ourselves, Keyoxide provides a small utility to do this for you.
So if you wish to make your key available as firstname.lastname@example.org, according to the small utility, the URL would become:
The Advanced setup ¶
While not necessary if the Direct setup works, there is a second setup to make WKD work: the Advanced setup. The paths needed are:
https://openpgpkey.domain.org/.well-known/openpgpkey/domain.org/policy: this is an empty file
https://openpgpkey.domain.org/.well-known/openpgpkey/domain.org/hu/LOCALPART: this is the binary public key (so NOT ASCII armored)
Indeed, quite similar to the Direct setup, except for the openpgpkey subdomain and the additional domain.org in the path of the public key.
The public key for email@example.com would be available at:
In case hosting is problem, Openpgp.org has a handy WKD-as-a-service.