Setting up WKD for automated key fetching


Web Key Directory (WKD) allows hosting of public PGP keys without maintaining a Web Key Server (WKS). This way, compatible services can automatically fetch a recipient's public PGP key and seamlessly encrypt messages without needing to ask the recipient for their key beforehand.


As with an MTA-STS policy, you will need a web hosting plan or a web server on which to host the keys. It is possible to use GitHub Pages, with a setup similar to the one I wrote about for MTA-STS.

Alternatively, the OpenPGP Keyserver offers WKD as a service. You do need your key uploaded to their key server in order to use this, but that is relatively easy and it gives you the added benefit of already seeding your key to clients who use that keyserver. Setting this up is pretty easy: just add a CNAME record that points to their infrastructure. For details, head to their site.

Exporting the key

GnuPG 2.2.12 and higher has an improved gpg-wks-client tool which can be used to create a local file structure that you will need to upload to the server. It takes the public keys from the GnuPG keyring, so the keys need to be known to GnuPG.

Open a terminal window and run:

export PATTERN=""
gpg --list-options show-only-fpr-mbox  -k $PATTERN | gpg-wks-client -v --install-key -C /path/to/desktop-or-documents

If you get -bash: gpg-wks-client: command not found, you will need to specify the full path to the program. In my case, it was /usr/local/MacGPG2/libexec/gpg-wks-client.

Once the command runs, go to the folder you specified in the command and you should see a folder with your domain name on it. Inside it, there is going to be another folder called hu, which in turn has a file with your key hash in it.

Uploading to server

On your web server, create the following folder structure in the web root:
.well-known/openpgpkey. Then, upload the hu folder and its contents inside the openpgpkey folder.

The domain where you're hosting this must match the domain of the email address tied to the key.

Make sure that there is no automatic directory listing for .well-known/openpgpkey/hu.

You will also need to upload an empty file called policy (no suffix) to the openpgpkey folder.

That's it! You now have published your key via WKD, and compatible clients like ProtonMail or Enigmail will now fetch your key automatically if the sender doesn't have it.

Keep in mind that each email address needs its own key hash to be uploaded, unless the key has multiple user IDs. If you have multiple email addresses on the same domain and each has a separate key, generate and upload the hash to the hu folder for each.
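
To check a local copy of the web root before uploading, the following added example (not part of gpg-wks-client or of the original post) computes the file name a WKD client will request for an address and verifies the layout described above. It assumes the published WKD naming scheme (z-base-32 of the SHA-1 of the lowercased local part); the function names and the sample address are made up for illustration.

```python
import hashlib
from pathlib import Path
from urllib.parse import quote

# z-base-32 alphabet used by WKD for the file names under hu/
ZB32 = "ybndrfg8ejkmcpqxot1uwisza345h769"

def zbase32(data: bytes) -> str:
    """Encode bytes as z-base-32, 5 bits per character, most significant first."""
    nbits = len(data) * 8
    pad = (-nbits) % 5                      # right-pad to a multiple of 5 bits
    value = int.from_bytes(data, "big") << pad
    return "".join(ZB32[(value >> s) & 31] for s in range(nbits + pad - 5, -1, -5))

def wkd_hash(email: str) -> str:
    """Name of the key file in hu/: z-base-32 of SHA-1 of the lowercased local part."""
    local = email.rsplit("@", 1)[0]
    local = "".join(c.lower() if c.isascii() else c for c in local)
    return zbase32(hashlib.sha1(local.encode("utf-8")).digest())

def wkd_url(email: str) -> str:
    """URL a client requests for this address with the folder layout above."""
    local, domain = email.rsplit("@", 1)
    return (f"https://{domain.lower()}/.well-known/openpgpkey/hu/"
            f"{wkd_hash(email)}?l={quote(local)}")

def check_webroot(webroot, emails) -> list:
    """Return problems found in a local copy of the web root (empty list = OK)."""
    base = Path(webroot) / ".well-known" / "openpgpkey"
    problems = []
    if not (base / "policy").is_file():
        problems.append("missing policy file")
    for email in emails:
        key = base / "hu" / wkd_hash(email)
        if not key.is_file():
            problems.append(f"no key file for {email} (expected hu/{key.name})")
        elif key.stat().st_size == 0:
            problems.append(f"key file for {email} is empty")
    return problems

if __name__ == "__main__":
    addr = "Joe.Doe@Example.ORG"            # constructed sample address
    print(wkd_url(addr))
    print(check_webroot(Path("."), [addr]))
```

Run it against the folder you are about to upload, listing every address on the domain; an empty result means each address has a non-empty file under hu and the policy file is in place.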
