Much easier Email crypto, by fetching pubkey via HTTPS

How does it work?

As an email user, you just select the recipient(s) and can see that the email will be encrypted.

If you and your peers use email-providers offering this "web key service", it works by the first email. Otherwise encryption will start after you have exchanged some emails.

Technically your email client will automatically

An email-provider offering the "web key service" technically has to

Details / Discussion of the proposal

Pubkey Distribution Concept <- the (technical) details

The elaborated proposal is a result of the EasyGpg2016 contract.


GnuPG "modern"

Mail User Agents

Mail Service Providers

Hosting a Web Key Directory

Ideally a Web Key Directory will be created and maintained through a Web Key Service but organisations or individuals may want to just host a Web Key Directory without a Web Key Service.:



You can either export all the keys in your keyring which belong to a domain or provide an explicit keyring containing the keys you want to publish.

The call:

    ./generate-openpgpkey-hu hu

Will create a directory called hu containing all the keys with mail addresses.

If there are multiple valid keys for a user in your keyring this command will error out. In that case you can prepare a keyring with only the keys you want to publish.


    gpg --export 94A5C9A03C2FE5CA3B095D8E1FDF723CF462B6B1 | \
    gpg --no-default-keyring --keyring ./wkd-keyring.gpg --import

And then provide that keyring to generate-openpgpkey-hu:

    ./generate-openpgpkey-hu hu wkd-keyring.gpg


The hu directory has to be published on your server as

On your server create the according directory and set the permissions according to your system.

This Makefile automates the hu directory generation and publishing. Edit the variables at the top of the makefile to your RSYNC_TARGET The KEYRING variable is optional and can be empty.

WKD (last edited 2016-10-27 07:35:33 by thomas)