WKD stands for Web Key Directory. It is a standard (an Internet-Draft written by the GnuPG developers) for publishing your OpenPGP public key on a web server over HTTPS, so that anyone who knows your e-mail address can fetch it.
Several e-mail clients (for example Enigmail in Thunderbird) use this standard to automatically fetch a recipient's public key when you write an e-mail to them.
To set this up you need your own domain, a valid TLS certificate and a web server. For more information read this wiki.
There are two ways of making your public keys accessible this way: the direct method and the advanced method. A client tries the advanced method first and falls back to the direct method if the openpgpkey sub-domain does not exist. I will first describe the direct setup and then the advanced setup.
The first step is creating the following folder in your webroot:
mkdir -p /your/webroot/.well-known/openpgpkey/hu/
The "hu" part of the newly created folder stands for hashed user ID.
After creating the folder we need to add an empty policy file. Its presence tells clients that a WKD service is set up for this domain. Note that the policy file lives next to the hu folder, not inside it:
touch /your/webroot/.well-known/openpgpkey/policy
The third step is adding your public key to the folder "/your/webroot/.well-known/openpgpkey/hu". Ask gpg for the WKD hash of your address:
gpg --with-wkd-hash -k yourmail@example.org
pub rsa4096 2018-11-17 [SC]
C5D0FBBA20E4F90B5EEF8CC9EAA87BC436FEA4B32
uid [ultimate] Your Name <yourmail@example.org>
hacaflesgoaklnagwgh3huwijkleeg3@example.org
Copy the string in front of the @ sign on the last line, in this case "hacaflesgoaklnagwgh3huwijkleeg3". This is not a hash of your key: it is the SHA-1 hash of the lowercased local part of your address ("yourmail"), encoded in z-base-32, which is why it looks like random letters and digits.
Next export your public key to a file in the hu folder whose name is that hash. The file must contain the key in binary form, so do not add --armor:
gpg --export yourmail@example.org > /your/webroot/.well-known/openpgpkey/hu/hacaflesgoaklnagwgh3huwijkleeg3
Next you need to configure nginx to serve your public key to the world through WKD. Add the snippet below inside the server block for example.org in your nginx configuration. The default_type line makes sure the key file, which has no extension, is served as application/octet-stream; the Access-Control-Allow-Origin header allows browser-based clients (webmail plugins) to fetch the key as well.
location ^~ /.well-known/openpgpkey {
default_type application/octet-stream;
add_header Access-Control-Allow-Origin * always;
}
After reloading nginx you can check your setup using this website (or from the command line with gpg's --locate-keys option and --auto-key-locate set to wkd):
https://metacode.biz/openpgp/web-key-directory
For the advanced method the keys are served from the sub-domain openpgpkey.example.org, and the mail domain appears once more in the path. Create the following folder inside the webroot for that sub-domain:
mkdir -p /your/webroot/.well-known/openpgpkey/example.org/hu/
Next create an empty policy file, again next to the hu folder rather than inside it:
touch /your/webroot/.well-known/openpgpkey/example.org/policy
Get the WKD hash of your address (see the direct method above for details):
gpg --with-wkd-hash -k yourmail@example.org
Export your public key, in binary form, to the hu folder using the hash as the filename:
gpg --export yourmail@example.org > /your/webroot/.well-known/openpgpkey/example.org/hu/hacaflesgoaklnagwgh3huwijkleeg3
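Both the direct and the advanced method above depend on the same hash, which is computed from the e-mail address and not from the key, and the two layouts differ only in the host name and the extra domain component in the path. The following Python script is an added example, not part of the original how-to; it computes the WKD hash (SHA-1 of the lowercased local part, z-base-32 encoded) and derives the URL and the policy and key file paths for both methods. The webroot /your/webroot is the placeholder used in this text; the address Joe.Doe@Example.ORG and its hash are the example from the WKD draft, and the function names are my own.

```python
from __future__ import annotations

import hashlib
from urllib.parse import quote

# z-base-32 alphabet as used by WKD (this is not the RFC 4648 base32 alphabet).
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"
WELL_KNOWN = ".well-known/openpgpkey"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5 bits per character, most significant bit first,
    zero-padded at the end to a whole character (a 20-byte SHA-1 digest needs no padding)."""
    nbits = len(data) * 8
    pad = (-nbits) % 5
    value = int.from_bytes(data, "big") << pad
    nchars = (nbits + pad) // 5
    return "".join(
        ZBASE32_ALPHABET[(value >> (5 * (nchars - 1 - i))) & 0x1F] for i in range(nchars)
    )


def split_address(address: str) -> tuple[str, str]:
    """Split 'Local@Domain' into (local_part, domain). The domain is case-insensitive
    and is lowercased here; the local part is returned as written and folded later."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not a mail address: {address!r}")
    return local, domain.lower()


def wkd_hash(local_part: str) -> str:
    """WKD hash of a local part: SHA-1 of the lowercased local part, z-base-32 encoded.
    This is the string that gpg --with-wkd-hash prints in front of the @ sign.
    ASCII local parts are assumed (str.lower() also folds non-ASCII letters)."""
    folded = local_part.lower()
    return zbase32_encode(hashlib.sha1(folded.encode("utf-8")).digest())


def wkd_url(address: str, advanced: bool) -> str:
    """URL a client requests for this address, for the advanced or the direct method.
    The l= query parameter carries the local part as written, so the server can
    find the key even if its file system is case-insensitive."""
    local, domain = split_address(address)
    h = wkd_hash(local)
    query = "?l=" + quote(local, safe="")
    if advanced:
        return f"https://openpgpkey.{domain}/{WELL_KNOWN}/{domain}/hu/{h}{query}"
    return f"https://{domain}/{WELL_KNOWN}/hu/{h}{query}"


def wkd_paths(address: str, webroot: str, advanced: bool) -> dict[str, str]:
    """Where the policy file and the binary key file go below the webroot.
    The policy file sits next to the hu folder, not inside it."""
    local, domain = split_address(address)
    h = wkd_hash(local)
    base = f"{webroot}/{WELL_KNOWN}" + (f"/{domain}" if advanced else "")
    return {"policy": f"{base}/policy", "key": f"{base}/hu/{h}"}


if __name__ == "__main__":
    # Placeholder webroot from the how-to; Joe.Doe@Example.ORG is the WKD draft's example.
    for addr in ("Joe.Doe@Example.ORG", "yourmail@example.org"):
        for adv in (False, True):
            print("advanced" if adv else "direct  ", wkd_url(addr, adv))
            print("         ", wkd_paths(addr, "/your/webroot", adv))
```

Run it with your own address to get the exact file names to create; the output for the direct and the advanced method should match what gpg --with-wkd-hash prints and the paths used in the commands above.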
Below is an example nginx configuration for the openpgpkey.example.org sub-domain. The root directive must point at the directory that contains .well-known, and the certificate must be valid for openpgpkey.example.org (a wildcard certificate or an extra name on your existing certificate works).
server {
# SSL configuration
#
listen 443 ssl http2;
ssl_certificate /path/to/your/certificate/openpgpkey.example.org/fullchain.pem;
ssl_certificate_key /path/to/your/certificate/openpgpkey.example.org/privkey.pem;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /path/to/your/certificate/chain.pem;
resolver 192.168.20.1 valid=300s;
resolver_timeout 5s;
root /path/to/your/webroot/for/subdomain/openpgpkey.example.org/openpgpkey;
server_name openpgpkey.example.org;
location ^~ /.well-known/openpgpkey {
default_type application/octet-stream;
add_header Access-Control-Allow-Origin * always;
}
}
The next step is setting your DNS records. The A record for the sub-domain is required (add an AAAA record as well if the server is reachable over IPv6). The SRV record was part of early revisions of the WKD draft; it belongs under the mail domain (example.org), not under the sub-domain, and later revisions of the draft dropped it, so current GnuPG versions simply look up openpgpkey.example.org directly. Adding it does no harm for older clients.
A record
openpgpkey.example.org. 3600 IN A <your external IP>
SRV record
_openpgpkey._tcp.example.org. 3600 IN SRV 1 1 443 openpgpkey.example.org.
After reloading nginx and publishing the DNS records, you can check your setup using this website:
https://metacode.biz/openpgp/web-key-directory