keyoxide-web/guides/web-key-directory.md


2020-08-07 17:04:28 -06:00
# Uploading keys using web key directory
[[toc]]
## Web key directory
[Web key directory](https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service/) or WKD refers to the method of publishing one's public key on one's own website at a specific, well-known location so that other services supporting WKD can fetch it. The key is discoverable using an identifier that looks like an email address: **username@domain.org**.
The benefit of WKD is having full control over the key while still having it widely available. It does, however, require a domain and some form of file hosting. Luckily, [openpgp.org](https://keys.openpgp.org/about/usage#wkd-as-a-service) has made a WKD-as-a-service; read more at the end of the guide.
WKD exists in two variants: the Direct setup and the Advanced setup. Despite their names, both require roughly the same steps.
## The Direct setup
To make your keys available via WKD using the Direct setup, you'll need two paths on your server:
**https://domain.org/.well-known/openpgpkey/policy**: this is an empty file
**https://domain.org/.well-known/openpgpkey/hu/LOCALPART**: this is the binary public key (so NOT ASCII armored)
The LOCALPART above is not the plain username: it is the local part of the address (everything before the **@**) hashed using the SHA-1 algorithm and encoded using the Z-Base-32 method. As this isn't practical to compute by hand, Keyoxide provides a [small utility to do this for you](/util/wkd).
So if you wish to make your key available as **jimothy@dm.com**, according to the [small utility](/util/wkd), the URL would become:
`https://dm.com/.well-known/openpgpkey/hu/n9utc41qty791upt63rm5xtiudabmw6m`
## The Advanced setup
While not necessary if the Direct setup works, there is a second way to make WKD work: the Advanced setup. The paths needed are:
**https://openpgpkey.domain.org/.well-known/openpgpkey/domain.org/policy**: this is an empty file
**https://openpgpkey.domain.org/.well-known/openpgpkey/domain.org/hu/LOCALPART**: this is the binary public key (so NOT ASCII armored)
Indeed, quite similar to the Direct setup, except for the **openpgpkey** subdomain and the additional **domain.org** path component in front of **hu/**.
The public key for **jimothy@dm.com** would be available at:
`https://openpgpkey.dm.com/.well-known/openpgpkey/dm.com/hu/n9utc41qty791upt63rm5xtiudabmw6m`
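The following Python script is an added example, not code from Keyoxide or from its `/util/wkd` utility. It shows what both the Direct and Advanced setups above boil down to: the local part is mapped to lowercase (as the WKD draft specifies), hashed with SHA-1, and the 160-bit digest is encoded with Z-Base-32, which always yields exactly 32 characters; the result is then placed into the Direct and Advanced URL layouts. It also includes a small check that the file you are about to upload under `hu/` is the binary key rather than an ASCII-armored export, which is the mistake the guide warns about. The address `jimothy@dm.com` is the guide's own example; the function names are this example's, not Keyoxide's.

```python
import hashlib

# Z-Base-32 alphabet as used by WKD (Zimmermann's variant, also in RFC 6189)
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as Z-Base-32 (5 bits per character, no padding characters)."""
    bits = 0
    bit_count = 0
    out = []
    for byte in data:
        bits = (bits << 8) | byte
        bit_count += 8
        while bit_count >= 5:
            bit_count -= 5
            out.append(ZBASE32_ALPHABET[(bits >> bit_count) & 0x1F])
            bits &= (1 << bit_count) - 1  # drop the bits already emitted
    if bit_count:  # leftover bits are left-aligned into one final character
        out.append(ZBASE32_ALPHABET[(bits << (5 - bit_count)) & 0x1F])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """Compute the hu/ file name for a local part: lowercase, SHA-1, Z-Base-32.

    The WKD draft maps the local part to lowercase before hashing, so
    'Jimothy' and 'jimothy' resolve to the same file name.
    """
    mapped = local_part.lower()
    digest = hashlib.sha1(mapped.encode("utf-8")).digest()  # 20 bytes = 160 bits
    return zbase32_encode(digest)  # 160 / 5 = exactly 32 characters


def wkd_urls(address: str) -> dict:
    """Return the policy and key URLs for both the Direct and the Advanced setup."""
    local_part, domain = address.rsplit("@", 1)
    domain = domain.lower()
    name = wkd_hash(local_part)
    return {
        "direct_policy": f"https://{domain}/.well-known/openpgpkey/policy",
        "direct_key": f"https://{domain}/.well-known/openpgpkey/hu/{name}",
        "advanced_policy": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/policy",
        "advanced_key": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{name}",
    }


def looks_like_binary_key(data: bytes) -> bool:
    """Sanity check for the file uploaded under hu/.

    WKD serves the binary transferable public key, not ASCII armor. An armored
    export starts with '-----BEGIN PGP PUBLIC KEY BLOCK-----', while the first
    byte of any binary OpenPGP packet has its top bit (0x80) set.
    """
    if not data or data.startswith(b"-----BEGIN"):
        return False
    return (data[0] & 0x80) == 0x80


if __name__ == "__main__":
    # Constructed example address taken from the guide; no network access is performed.
    for label, url in wkd_urls("jimothy@dm.com").items():
        print(f"{label:16} {url}")
```

Run it and compare the `direct_key` line with the URL produced by the Keyoxide utility for the same address; then run `looks_like_binary_key` over the bytes of the file you intend to upload (for example the output of `gpg --export <key id>`, without `--armor`) before placing it under `hu/`.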
## WKD-as-a-service
In case hosting is a problem, Openpgp.org has a handy [WKD-as-a-service](https://keys.openpgp.org/about/usage#wkd-as-a-service).