hagrid-keyserver--hagrid/templates-untranslated/about/usage.html.hbs

<div class="about usage">
    <center><h2><a href="/about">About</a> | <a href="/about/news">News</a> | Usage | <a href="/about/faq">FAQ</a> | <a href="/about/stats">Stats</a> | <a href="/about/privacy">Privacy</a></h2></center>

    <p>
        On this page, we collect information on how to use
        <span class="brand">keys.openpgp.org</span> with different OpenPGP
        software products.<br />
        We are still in the process of adding more. If you are missing some, please
        write to us and we'll try to add it.
    </p>

    <h2>
        <div><img src="/assets/img/enigmail.svg"></div>
        Enigmail
    </h2>
    <p>
        <a href="https://enigmail.net" target="_blank">Enigmail</a> for Thunderbird
        uses <span class="brand">keys.openpgp.org</span> by default since
        version 2.0.12.
    </p>
    <p>Full support is available since Enigmail 2.1
        (for <a href="https://www.thunderbird.net/en-US/thunderbird/68.0beta/releasenotes/" target="_blank">Thunderbird 68</a> or newer):
        <ul>
            <li>Keys will be kept up to date automatically.</li>
            <li>During key creation, you can upload and verify your key.</li>
            <li>Keys can be discovered by email address.</li>
        </ul>
    </p>

    <h2>
        <div><img src="/assets/img/gpgtools.png"></div>
        GPG Suite
    </h2>
    <p>
        <a href="https://gpgtools.org/">GPG Suite</a> for macOS
        uses <span class="brand">keys.openpgp.org</span> by default
        since August 2019.
    </p>

    <h2>
        <div><img src="/assets/img/openkeychain.svg"></div>
        OpenKeychain
    </h2>
    <p>
        <a href="https://www.openkeychain.org/">OpenKeychain</a> for Android
        uses <span class="brand">keys.openpgp.org</span> by default
        since July 2019.
        <ul>
            <li>Keys will be kept up to date automatically.</li>
            <li>Keys can be discovered by email address.</li>
        </ul>
    </p>

    <p>
        Note that there is no built-in support for upload and email address verification so far.
    </p>

    <h2>
        <div><img src="/assets/img/pignus.png"></div>
        Pignus
    </h2>
    <p>
        <a href="https://www.frobese.de/pignus/">Pignus</a> for iOS
        uses <span class="brand">keys.openpgp.org</span> by default
        since November 2019.
        <ul>
            <li>Your keys can be uploaded at any time.</li>
            <li>Keys can be discovered by email address.</li>
        </ul>
    </p>

    <h2>
        <div><img src="/assets/img/gnupg.svg" /></div>
        GnuPG
    </h2>

    <p>
        To configure <a href="https://gnupg.org">GnuPG</a>
        to use <span class="brand">keys.openpgp.org</span> as keyserver,
        add this line to your <tt>gpg.conf</tt> file:
        <blockquote>
            keyserver hkps://keys.openpgp.org
        </blockquote>
    </p>

    <h4 id="gnupg-retrieve"><a href="#gnupg-retrieve">Retrieving keys</a></h4>
    <ul>
        <li>
            To locate the key of a user, by email address:
            <blockquote>gpg --auto-key-locate keyserver --locate-keys user@example.net</blockquote>
        </li>
        <li>To refresh all your keys (e.g. new revocation certificates and subkeys):
            <blockquote>gpg --refresh-keys</blockquote>
        </li>
    </ul>

    <h4 id="gnupg-upload"><a href="#gnupg-upload">Uploading your key</a></h4>
    <p>
        Keys can be uploaded with GnuPG's <tt>--send-keys</tt> command, but
        identity information can't be verified that way to make the key
        searchable by email address (<a href="/about">what does this mean?</a>).
    </p>

    <ul>
        <li>
            You can try this shortcut for uploading your key, which outputs
            a direct link to the verification page:
            <blockquote>
                gpg --export your_address@example.net | curl -T - {{ base_uri }}
            </blockquote>
        </li>
        <li>

            Alternatively, you can export them to a file
            and select that file in the <a href="/upload" target="_blank">upload</a> page:
            <blockquote>
                gpg --export your_address@example.net &gt; my_key.pub
            </blockquote>
        </li>
    </ul>

    <h4 id="gnupg-troubleshooting"><a href="#gnupg-troubleshooting">Troubleshooting</a></h4>
    <ul>
        <li>
            Some old <tt>~/gnupg/dirmngr.conf</tt> files contain a line like this:
            <blockquote>
                hkp-cacert ~/.gnupg/sks-keyservers.netCA.pem
            </blockquote>
            <p>
                This configuration is no longer necessary,
                but prevents regular certificates from working.
                It is recommended to simply remove this line from the configuration.
            </p>
        </li>
        <li>
            While refreshing keys, you may see errors like the following:
            <blockquote>gpg: key A2604867523C7ED8: no user ID</blockquote>
            This is a <a href="https://dev.gnupg.org/T4393" target="_blank">known problem in GnuPG</a>.
            We are working with the GnuPG team to resolve this issue.
        </li>
    </ul>

    <h4 id="gnupg-tor"><a href="#gnupg-tor">Usage via Tor</a></h4>
    <p>
        For users who want to be extra careful,
        <span class="brand">keys.openpgp.org</span> can be reached anonymously as an
        <a href="https://support.torproject.org/onionservices/#onionservices-2" target="_blank">onion service</a>.
        If you have
        <a href="https://www.torproject.org/" target="_blank">Tor</a>
        installed, use the following configuration:
        <blockquote>
            keyserver hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion
        </blockquote>
    </p>

    <h2 style="padding-left: 3%;" id="wkd-as-a-service"><a style="color: #050505;" href="#wkd-as-a-service">WKD as a Service</a></h2>

    <p> The Web Key Directory (WKD) is a standard for discovery of OpenPGP keys by email address, via the domain of its email provider.
        It is used to discover unknown keys in some email clients, such as <a href="https://www.gpg4win.de/about.html" target="_blank">GpgOL</a>.

    <p> <span class="brand">keys.openpgp.org</span> can be used as a managed WKD service for any domain.
        To do so, the domain simply needs a <tt>CNAME</tt> record that delegates its <tt>openpgpkey</tt> subdomain to <tt>wkd.keys.openpgp.org</tt>.
        It should be possible to do this in the web interface of any DNS hoster.

    <p> Once enabled for a domain, its verified addresses will automatically be available for lookup via WKD.

    <p> The <tt>CNAME</tt> record should look like this:

    <blockquote>
        $ drill openpgpkey.example.org<br>
        ...<br>
        openpgpkey.example.org.       300     IN      CNAME   wkd.keys.openpgp.org.
    </blockquote>

    <p> There is a simple status checker for testing the service:

    <blockquote>
        $ curl 'https://wkd.keys.openpgp.org/status/?domain=openpgpkey.example.org'<br>
        CNAME lookup ok: openpgpkey.example.org resolves to wkd.keys.openpgp.org<br>
    </blockquote>

    <p> For testing key retrieval:

    <blockquote>
        $ gpg  --locate-keys --auto-key-locate clear,nodefault,wkd address@example.org<br>
    </blockquote>

    <h2 style="margin-left: 3%;">API</h2>

    <p>
        We offer an API for integrated support in OpenPGP applications. Check
        out our <a href="/about/api">API documentation</a>.
    </p>

    <h2 style="margin-left: 3%;">Others</h2>

    <p>
        Missing a guide for your favorite implementation?  This site is
        a work-in-progress, and we are looking to improve it. Drop us a line at
        <span class="email">support at keys dot openpgp dot org</span> if you
        want to help out!
    </p>

</div>