Sending your keys to a key server
This step is optional, but if you want others to easily verify your keys and GPG signatures it's wise to send your public keys to a key server.
You will need:
- An internet connection
- The workstation you use for GPG tasks
Download and verify the hkps cert
First download the pem certificate.
cd ~/.gnupg
wget https://sks-keyservers.net/sks-keyservers.netCA.pem
Next we should check the certificate we downloaded to ensure it's correct and has not been tampered with.
Take a look at the verification page; the line you are looking for is "Key Identifier". At the time of writing, the key was
"E4 C3 2A 09 14 67 D8 4D 52 12 4E 93 3C 13 E8 A0 8D DA B6 F3".
However, you should always check the page yourself.
Next, to check the certificate file, do the following:
openssl x509 -in sks-keyservers.netCA.pem -text | grep keyid
In my case this returns
We have now verified the certificate.
Next we need to tell GPG to use this new keyserver. Edit the file "~/.gnupg/gpg.conf" and remove any line starting with "keyserver". You want to make sure GPG can only use the single secure key server we have set up.
Next insert the following:
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=$HOME/.gnupg/sks-keyservers.netCA.pem
keyserver-options no-honor-keyserver-url
Ensure you change $HOME to the full path of your home directory.
This sets up the secure key server and ensures our client only uses that pool of servers. This is achieved via the "no-honor-keyserver-url" option.
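As an added example (not from the original post), a POSIX shell script that automates the two checks described above: comparing the downloaded certificate's key identifier with the value published on the verification page, and confirming that gpg.conf pins GPG to the single hkps pool. It reads the certificate's Subject Key Identifier field rather than grepping for "keyid"; the file paths it uses are assumptions matching the steps above.

```shell
#!/bin/sh
# Added example (not from the original post): verify the downloaded CA
# certificate against the published key identifier, and check that
# gpg.conf restricts GPG to the single hkps pool.
# Assumed paths: $HOME/.gnupg/sks-keyservers.netCA.pem and $HOME/.gnupg/gpg.conf.

# Strip spaces and colons and upper-case, so the "E4 C3 2A ..." form on the
# verification page compares equal to the "e4:c3:2a:..." form openssl prints.
normalize_keyid() {
    printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F'
}

# Print the Subject Key Identifier of a PEM certificate (the value the
# verification page calls "Key Identifier").
cert_keyid() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Key Identifier/ { getline; gsub(/ /, ""); print; exit }'
}

# Succeed only if the certificate's key identifier matches the expected one.
verify_ca_keyid() {
    pem=$1; expected=$2
    [ "$(normalize_keyid "$(cert_keyid "$pem")")" = "$(normalize_keyid "$expected")" ]
}

# Succeed only if gpg.conf names exactly one keyserver, that keyserver uses
# hkps, the pinned ca-cert-file exists, and per-key keyserver URLs are ignored.
check_gpg_conf() {
    conf=$1
    count=$(grep -c '^keyserver ' "$conf" || true)
    [ "$count" -eq 1 ] || return 1
    grep -q '^keyserver hkps://' "$conf" || return 1
    ca=$(sed -n 's/^keyserver-options ca-cert-file=//p' "$conf")
    [ -n "$ca" ] && [ -r "$ca" ] || return 1
    grep -q '^keyserver-options no-honor-keyserver-url' "$conf"
}

# Run both checks with the paths and identifier from the steps above.
main() {
    verify_ca_keyid "$HOME/.gnupg/sks-keyservers.netCA.pem" \
        "E4 C3 2A 09 14 67 D8 4D 52 12 4E 93 3C 13 E8 A0 8D DA B6 F3" &&
    check_gpg_conf "$HOME/.gnupg/gpg.conf" && echo "OK: certificate and gpg.conf verified"
}

if [ "${1:-}" = "check" ]; then main; fi
```

Run it as `sh verify-keyserver.sh check`; a non-zero exit means either the certificate identifier or the gpg.conf pinning did not match.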
Sending and receiving keys
There is a little bit of open discussion around this section. Some people say you should not ever use "--refresh-keys" as it could leak clues of who you are. Some people use "refresh-keys" via TOR, I have not worried about that. I will leave it up to the reader to decide if they want/need this.
To send your keys, simply do this:
$ gpg --send-keys 76E0A15A
gpg: sending key 76E0A15A to hkps server hkps.pool.sks-keyservers.net
$
You should change 76E0A15A to your own key ID. "gpg --list-keys" will show it if you have forgotten your key ID.
Next, to refresh your keys, run the following:
$ gpg --refresh-keys
gpg: refreshing 1 key from hkps://hkps.pool.sks-keyservers.net
gpg: requesting key 76E0A15A from hkps server hkps.pool.sks-keyservers.net
gpg: key 76E0A15A: "Brendan Horan <email@example.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
$
It may be wise to set up a cronjob to refresh keys nightly.
0 1 * * * /usr/bin/gpg --refresh-keys > /dev/null 2>&1
That's it. You can now fetch keys from the key server with the command "gpg --recv-keys $KEYID".