Overview

This step is optional, but if you want others to easily verify your keys and GPG signatures it's wise to send your public keys to a key server.

For this we will be using sks-keyservers over the secure hkps protocol (HKP over TLS).

Requirements

  • An internet connection
  • The workstation you use for GPG tasks

Steps

Download and verify the hkps cert

First download the PEM certificate.

cd ~/.gnupg
wget https://sks-keyservers.net/sks-keyservers.netCA.pem

Next we should check the certificate we downloaded to ensure it is correct and has not been tampered with.

Take a look at the verification page; the line you are looking for is "Key Identifier". At the time of writing the key was
"E4 C3 2A 09 14 67 D8 4D 52 12 4E 93 3C 13 E8 A0 8D DA B6 F3".

However, you should always check the page yourself.
Next, to check the certificate file, do the following:

openssl x509 -in sks-keyservers.netCA.pem -text | grep keyid

In my case this returns

keyid:E4:C3:2A:09:14:67:D8:4D:52:12:4E:93:3C:13:E8:A0:8D:DA:B6:F3

We have now verified the certificate.

Configuring GPG

Next we need to tell GPG to use this new keyserver. Edit the file "~/.gnupg/gpg.conf" and remove any line starting with "keyserver". You want to make sure GPG can only use the single secure key server pool we have set up.

Next insert the following:

keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=$HOME/.gnupg/sks-keyservers.netCA.pem
keyserver-options no-honor-keyserver-url

Ensure you change $HOME to the full path of your home directory, as gpg.conf does not expand shell variables.
This sets up the secure key server and ensures our client only uses that pool of servers. The "no-honor-keyserver-url" option is what enforces this: without it GPG would follow the preferred keyserver URL embedded in a key rather than the pool we configured.
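As an added example (not part of the original page), here are the verification and configuration steps above as shell functions: verify_ca_cert compares the keyid that openssl prints for the downloaded PEM against the "Key Identifier" copied from the verification page, and configure_gpg_keyserver rewrites gpg.conf as described, dropping existing keyserver lines and writing the CA path out in full. The function names are my own.

```sh
#!/bin/sh
# Added example, not from the original page. Function names are my own.

# Strip spaces, colons and newlines and upper-case the hex so the
# "Key Identifier" from the web page ("E4 C3 2A ...") and the keyid
# from openssl ("E4:C3:2A:...") can be compared as one string.
normalize_keyid() {
    printf '%s' "$1" | tr -d ' :\n' | tr 'a-f' 'A-F'
}

# Print the keyid of a PEM certificate, the same openssl query as the page.
cert_keyid() {
    openssl x509 -in "$1" -noout -text | grep keyid | sed 's/.*keyid://'
}

# Exit status 0 only when the certificate's keyid matches the expected value.
verify_ca_cert() {
    actual=$(cert_keyid "$1") || return 1
    [ -n "$actual" ] || return 1
    [ "$(normalize_keyid "$actual")" = "$(normalize_keyid "$2")" ]
}

# Rewrite gpg.conf: drop every line beginning with "keyserver", then append
# the hkps pool settings. The CA path is written out literally because
# gpg.conf does not expand $HOME.
configure_gpg_keyserver() {
    conf="$1"; ca_cert="$2"; tmp="$1.tmp"
    if [ -f "$conf" ]; then
        grep -v '^keyserver' "$conf" > "$tmp" || :
    else
        : > "$tmp"
    fi
    cat >> "$tmp" <<EOF
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=$ca_cert
keyserver-options no-honor-keyserver-url
EOF
    mv "$tmp" "$conf"
}

# Usage, after downloading the PEM into ~/.gnupg:
#   verify_ca_cert ~/.gnupg/sks-keyservers.netCA.pem \
#       "E4 C3 2A 09 14 67 D8 4D 52 12 4E 93 3C 13 E8 A0 8D DA B6 F3" &&
#   configure_gpg_keyserver ~/.gnupg/gpg.conf "$HOME/.gnupg/sks-keyservers.netCA.pem"
```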

Sending and receiving keys

There is a little bit of open discussion around this section. Some people say you should not ever use "--refresh-keys" as it could leak clues of who you are. Some people use "refresh-keys" via Tor; I have not worried about that. I will leave it up to the reader to decide if they want/need this.

To send your keys, simply do this:

$ gpg --send-keys 76E0A15A
gpg: sending key 76E0A15A to hkps server hkps.pool.sks-keyservers.net
$

You should change 76E0A15A to your own key ID; "gpg --list-keys" will show it if you have forgotten your key ID.

Next, to refresh your keys, run the following:

$ gpg --refresh-keys
gpg: refreshing 1 key from hkps://hkps.pool.sks-keyservers.net
gpg: requesting key 76E0A15A from hkps server hkps.pool.sks-keyservers.net
gpg: key 76E0A15A: "Brendan Horan <brendanhoran@basstech.net>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
$

It may be wise to set up a cron job to refresh keys nightly.

0 1 * * * /usr/bin/gpg --refresh-keys > /dev/null 2>&1

That's it. You can now fetch keys from the key server with the command "gpg --recv-keys $KEYID".