this post was submitted on 11 Jul 2024
52 points (98.1% liked)

Selfhosted

38810 readers
275 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 1 year ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
52
PGP key discovery for Email - WKD (wiki.gnupg.org)
submitted 1 month ago by [email protected] to c/[email protected]
9 comments fedilink hide all child comments
 

I've run my own email server for a few years now without too many troubles. I also pay for a ProtonMail account that's been very good. But I've always struggled with PGP keys for encrypting messages to non-Proton users - basically everyone. The PGP key distribution setup just seemed half baked and a bit broken relying on central key servers.

Then I noticed that email I set from my personal email to my company provided email were being encrypted even though I wasn't doing anything to achieve this. This got me curious as to why that was happening which lead me to WKD (Web Key Directory). It's such a simple idea for providing discoverable downloads for public keys and it works really well having set it up for my own emails now.

It's basically a way of discovering the public key of someone's email by making it available over HTTPS at an address that can be calculated based on the email address itself. So if your email is [email protected], then the public key can be hosted at (in this case) https://openpgpkey.example.com/.well-known/openpgpkey/example.com/hu/pmw31ijkbwshwfgsfaihtp5r4p55dzmc?l=name this is derived using a command like gpg-wks-client --print-wkd-url [email protected]. You just need an email client that can do this and find the key for you automatically. And when setting up your own server you generate the content using the keys in your gpg key ring using env GNUPGHOME=$(mktemp -d) gpg --locate-keys --auto-key-locate clear,wkd,nodefault [email protected]. Move this generated folder structure to your webserver and you're basically good to go.

I have this working with Thunderbird, which now prompts me to do the discoverability step when I enter an email that doesn't have an associated key. On Android, I've found OpenKeyChain can also do a search based just on the email address that apps like K9-Mail (to be Thunderbird mail) can then use.

Anyway, I thought this was pretty cool and was excited to see such an improvement in seamless encryption integration. It'd be nicer if on Thunderbird and K9 it all happened as soon as you enter an email address rather than a few extra steps to jump through to perform the search and confirm the keys. But it's a major improvement.

Does your email provider have WKD setup and working or do you use it already?

top 9 comments
sorted by: hot top controversial new old
[–] [email protected] 4 points 1 month ago (1 children)

I tried setting this up a few years ago without success. Prompted by your post I took another look and I think I was trying to serve my key from a mishmash of the direct and advanced URIs (although I don't remember there being an advanced and direct method when I first tried this) and I had a TXT record setup in DNS as well for some reason. Might have been following a draft RFC? Whatever I was trying, it didn't work for me then.

No one I know other than a couple of services I have accounts with use pgp so it is of little use to me right now. But I am glad it is now working and I don't need to rely on any 3rd party keyservers. So thanks for the prompt and the write-up.

[–] [email protected] 2 points 1 month ago

It'd be nice if email clients automatically checked for public keys for any email you enter in the To fields. With a nice prompt that keys have been found to Encrypt the message with. It doesnt sound too difficult and it could lead to much wider adoption of secure emails.

Unfortunately most people get their email free because companies like reading it and stopping that means it might become a paid for service. Something I'm happy to pay for, but many wouldn't be.

[–] [email protected] 4 points 1 month ago (1 children)

I had never heard of this, but it sounds fascinating — thanks for sharing! Definitely going to try to set this up this weekend.

[–] [email protected] 1 points 1 month ago

No worries, I thought it was pretty interesting and I'd never heard of it before so thought I'd share.

The most difficult part for me was configuring nginx to properly serve the files. The gpg part was actually the easy bit.

[–] [email protected] 2 points 1 month ago (1 children)

I’ve just discovered this today too! I’m not even sure how to find my key (Proton user too). I’ve admittedly not spent too much time understanding PGP since basically no one uses it.

[–] [email protected] 2 points 1 month ago

You can download the public key from the web interface. I then imported it in to gpg with a gpg --import public.asc and then used the above commands to generate the WKD structure.

[–] [email protected] 2 points 1 month ago (1 children)

This actually sounds quite interesting. Is this controlled with DNS entries at the domain level somehow, or is the subdomain fixed/mandatory?

[–] [email protected] 3 points 1 month ago

There's 2 methods, one uses a subdomain and one doesn't. Without is called 'direct'. No special DNS entries required really. I have a wildcard subdomain entry which works for me. Just so long as the key is available over HTTPS using one method.

[–] [email protected] 1 points 1 month ago* (last edited 1 month ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
DNS Domain Name Service/System
HTTP Hypertext Transfer Protocol, the Web
HTTPS HTTP over SSL
SSL Secure Sockets Layer, for transparent encryption
nginx Popular HTTP server

3 acronyms in this thread; the most compressed thread commented on today has 7 acronyms.

[Thread #865 for this sub, first seen 12th Jul 2024, 05:35] [FAQ] [Full list] [Contact] [Source code]