What is a Web Key Directory?
Web Key Directories provide an easy way to discover public keys through HTTPS.
In contrast to the public keyservers a Web Key Directory does not publish mail addresses. And it is an authoritative pubkey source for its domain.
How does it work?
- The senders mail client (through GnuPG) checks a "well known" URL on the domain of the recipient.
- If a key is available for that address it an be downloaded via HTTPS.
- The downloaded key can now be used for automatic encryption.
Such an URL looks like: https://intevation.de/.well-known/openpgpkey/hu/g8td9rsyatrazsoiho37j9n3g5ypp34h for the mail address "email@example.com"
What does it mean for users?
A user just selects the recipients of a message and by default the encryption state of that mail will toggle if all recipients can be found in a Web Key Directory.
For a basic level of security the user does not need to check a fingerprint or do any key management manually.
How to set it up?
If you want to set up a Web Key Directory for your organisation you can find documentation in this wiki. You only need access to a webserver for your domain. See: WKDHosting
For a larger organisation it is recommended to set up a complete Web Key Service, which will help to automate Web Key Directory publishing.
Web Key Directory (WKD) / Web Key Service (WKS) what is the difference?
The Web Key Directory is the HTTPS directory from which keys can be fetched.
The Web Key Service is a tool / protocol to automatically publish and update keys in the Web Key Directory. It is optional to reduce the administrative effort of a Web Key Directory.
Documentation how to set up a Web Key Service can be found on the Web Key Service page.
You can find the concepts / technical details under WKDDetails.
Trust and security considerations are outlined as part of the AutomatedEncryption concept.
- WKD lookup is implemented in GnuPG since v2.1.12. It is enabled by default since 2.1.23..
- WKS server and client tools are part of GnuPG since v2.1.14
Any mail client which uses the --locate-keys option of GnuPG will automatically do WKD requests.
Known mail clients with WKD Support:
Known mail clients with WKS Support:
- Thunderbird/Enigmail 2.0
- KMail since Version 5.6
- Outlook with GpgOL (basic, pre-release) since Version 2.2.1 asyGpg2016)
Mail Service Providers offering WKD
- Posteo offers web key directory lookup and service for @posteo.de-addresses (Since 2016-12)
- netzguerilla offers web key directory lookup. (Since 2017-10-11)
- mailbox.org plans to offer web key directory lookup in Q2 2018 (coming with OX Guard 2.10).
- (Self)-hosted email servers that run caesonia - an OpenBSD Email Service setup.