Uploading keys using web key directory


Web key directory

Web key directory, or WKD, is a method of publishing one's public key at a well-defined location on one's own website so that other services supporting WKD can fetch it. The key is discovered using an identifier that looks like an email address: username@domain.org.

The benefit of WKD is having full control over the key while still having it widely available. It does however require a domain and some form of file hosting. Luckily, openpgp.org has made a WKD-as-a-service. Read more at the end of the guide.

WKD comes in two variants: the Direct setup and the Advanced setup. Despite their names, both require roughly the same steps.

The Direct setup

To make your keys available via WKD using the Direct setup, you'll need two paths on your server:

https://domain.org/.well-known/openpgpkey/policy: this is an empty file

https://domain.org/.well-known/openpgpkey/hu/LOCALPART: this is the binary public key (so NOT ASCII armored)

The LOCALPART above is not the plain username but the username hashed using the SHA-1 algorithm and encoded using the Z-Base-32 method. As this is impractical to compute by hand, Keyoxide provides a small utility to do it for you.

So if you wish to make your key available as jimothy@dm.com, according to the small utility, the URL would become:

https://dm.com/.well-known/openpgpkey/hu/n9utc41qty791upt63rm5xtiudabmw6m

The Advanced setup

While not necessary if the Direct setup works, there is a second setup to make WKD work: the Advanced setup. The paths needed are:

https://openpgpkey.domain.org/.well-known/openpgpkey/domain.org/policy: this is an empty file

https://openpgpkey.domain.org/.well-known/openpgpkey/domain.org/hu/LOCALPART: this is the binary public key (so NOT ASCII armored)

Indeed, quite similar to the Direct setup, except for the openpgpkey subdomain and the additional domain.org in the path of the public key.

The public key for jimothy@dm.com would be available at:

https://openpgpkey.dm.com/.well-known/openpgpkey/dm.com/hu/n9utc41qty791upt63rm5xtiudabmw6m
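The following is an added example, not Keyoxide's small utility and not part of the original guide. It implements the LOCALPART mapping described above (SHA-1 of the lowercased local part, Z-Base-32 encoded), builds both the Direct and the Advanced paths for an address, and adds a cheap check that a key blob you are about to upload is binary rather than ASCII armored. The function names and the sample address are this example's own.

```python
"""Compute WKD lookup URLs and sanity-check a key blob before uploading.

Added example (not Keyoxide's utility). Assumed names: zbase32, wkd_hash,
wkd_urls, looks_like_binary_openpgp.
"""
import hashlib

# z-base-32 alphabet used by WKD (differs from RFC 4648 base32)
_ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32(data: bytes) -> str:
    """Encode bytes with z-base-32; no padding characters are emitted."""
    nbits = len(data) * 8
    pad = (-nbits) % 5                      # zero bits appended on the right
    bits = int.from_bytes(data, "big") << pad
    out = []
    # consume 5 bits at a time from the most significant end
    for shift in range(nbits + pad - 5, -1, -5):
        out.append(_ZB32[(bits >> shift) & 0x1F])
    return "".join(out)


def _ascii_lower(s: str) -> str:
    """Lowercase ASCII letters only, leaving other characters untouched."""
    return "".join(chr(ord(c) + 32) if "A" <= c <= "Z" else c for c in s)


def wkd_hash(local_part: str) -> str:
    """LOCALPART for WKD: z-base-32(SHA-1(lowercased local part)).

    A 20-byte SHA-1 digest is 160 bits, so the result is always 32 characters.
    """
    digest = hashlib.sha1(_ascii_lower(local_part).encode("utf-8")).digest()
    return zbase32(digest)


def wkd_urls(address: str) -> dict:
    """Return the policy and key URLs for both the Direct and Advanced setup."""
    local_part, domain = address.rsplit("@", 1)
    domain = _ascii_lower(domain)
    h = wkd_hash(local_part)
    base_direct = f"https://{domain}/.well-known/openpgpkey"
    base_advanced = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    return {
        "direct_policy": f"{base_direct}/policy",
        "direct_key": f"{base_direct}/hu/{h}",
        "advanced_policy": f"{base_advanced}/policy",
        "advanced_key": f"{base_advanced}/hu/{h}",
    }


def looks_like_binary_openpgp(blob: bytes) -> bool:
    """Cheap check that a key file is binary, not ASCII armored.

    A binary OpenPGP packet stream starts with a packet header whose high bit
    is set (RFC 4880, section 4.2); an armored export starts with '-----BEGIN'.
    This only catches the armoring mistake the guide warns about; it does not
    parse or validate the key.
    """
    if not blob or blob.startswith(b"-----BEGIN"):
        return False
    return bool(blob[0] & 0x80)


if __name__ == "__main__":
    # constructed sample address, the same one the guide uses
    for name, url in wkd_urls("jimothy@dm.com").items():
        print(f"{name:16} {url}")
    # constructed sample blobs: an armored header and a binary public-key packet header
    print(looks_like_binary_openpgp(b"-----BEGIN PGP PUBLIC KEY BLOCK-----\n"))
    print(looks_like_binary_openpgp(b"\x98\x8d\x04"))
```

Running the script prints the four URLs for jimothy@dm.com, which you can compare with the two example URLs given in this guide. Before uploading, pass the bytes of your exported key file through looks_like_binary_openpgp: it returns False for the armored export that gpg --export --armor produces, which is exactly the file that must not be placed under hu/.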

WKD-as-a-service

In case hosting is a problem, openpgp.org has a handy WKD-as-a-service.