Uploading public key to keyserver (GPG)

How to upload GPG public key to keyserver

Prerequisites

  • Access to your public key
  • GnuPG
    • To configure GnuPG to use keys.openpgp.org as its keyserver, add this line to your .gnupg/gpg.conf file:
      keyserver hkps://keys.openpgp.org

Intro

As a developer I want to upload my public key to the keys.openpgp.org keyserver.

Why?

  • Anyone who wants to verify your signatures or send you encrypted messages needs your public key. Instead of sending it to each person manually, they can just search a keyserver (like keys.openpgp.org, pgp.mit.edu, or keyserver.ubuntu.com) and fetch it directly.

  • Some keyservers support key verification processes (e.g., keys.openpgp.org requires email confirmation), which helps others trust that the key really belongs to you. This helps build a web of trust, especially in open source or professional communities.

  • If you sign Git commits or software releases, having your key on a keyserver lets people easily verify your identity. Platforms like GitHub or GitLab may also reference keyservers to show verified signatures on commits or tags.

  • If you revoke your subkeys, extend their expiration, or otherwise update your key, publishing the key again distributes that change quickly. Others refreshing from that keyserver will learn not to trust the old or revoked key and will pick up the new changes.

Why use the keyserver keys.openpgp.org

Good

  • It doesn’t distribute email addresses unless you’ve verified ownership. This helps reduce spam and privacy leaks that plagued older SKS keyservers.
  • You must confirm your email address before it appears with your key. This gives others more confidence that the key actually belongs to that email—reducing impersonation risk.
  • Unlike traditional SKS keyservers (which are decentralized and can contain duplicated, stale, or even poisoned keys), keys.openpgp.org:
    • Rejects garbage and malicious keys.
    • Does not allow uploading of signatures from others—keeping your key data clean.
    • Accepts updates from the key owner only.
  • Older SKS keyservers were vulnerable to key poisoning attacks (where attackers spammed keys with bogus data). keys.openpgp.org is not part of the SKS pool, so it avoids this entirely.

Bad

  • It only shows verified email addresses—so if you don't verify yours, people won’t be able to find your key by email.
  • It strips third-party signatures (which are useful for the web of trust, if you rely on that).

Export

In my case the most recent public key I have generated is always stored on my USB device, but here is how you can export the current public key from the keyring on your VM.


# ASCII-armored (text) format
gpg --export --armor <KEYID>
# Binary format
gpg --export <KEYID>
# Email works as well
gpg --export --armor <EMAIL>

Upload

Export the current public key on the VM and upload it to the keyserver in one step:

gpg --export your_address@example.net | curl -T - https://keys.openpgp.org

Or export the current public key to a file and select that file on the upload page:

gpg --export your_address@example.net > my_key.pub
# https://keys.openpgp.org/upload

In my case the most recent public key I have generated is always stored on my USB device, so the upload goes through the encrypted volume:

export USB="/mnt/encrypted-storage"
export DEVICE="/dev/sdb1" # see lsblk

# Insert the USB device, then decrypt and mount the LUKS volume
sudo cryptsetup luksOpen "$DEVICE" gnupg-secrets
sudo mkdir -p "$USB"
sudo mount /dev/mapper/gnupg-secrets "$USB"

# Upload the public key to the keyserver
# The public key file is named $KEYID-$(date +%F).asc
cat "$USB/gnupg/<public-key>" | curl -T - https://keys.openpgp.org

# Unmount and close the encrypted volume
sudo umount "$USB"
sudo cryptsetup luksClose gnupg-secrets
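The steps above pick a key file by hand from the USB volume. As an added example (not part of the original notes), the script below selects the newest file following the $KEYID-YYYY-MM-DD.asc naming scheme and confirms it is an ASCII-armored public key block, refusing a private key block, before handing it to the same curl upload. The key ID, file contents and temp directory are constructed demo data.

```shell
#!/bin/sh
# Added example: choose the newest exported public key and sanity-check it
# before uploading. Not from the original notes; the key ID below is fake.

# Newest key file for a key ID: the ISO date in the filename sorts lexically,
# so the last entry after sort is the most recent export. Prints the path.
latest_pubkey_file() {
    dir="$1"; keyid="$2"
    ls "$dir"/"$keyid"-[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9].asc 2>/dev/null | sort | tail -n 1
}

# Returns 0 only for an ASCII-armored public key block. Returns 2 for anything
# containing a private key block and 1 for unreadable or unarmored input, so a
# mis-exported secret key never reaches the keyserver.
check_armored_pubkey() {
    f="$1"
    [ -f "$f" ] || return 1
    grep -q -- '-----BEGIN PGP PRIVATE KEY BLOCK-----' "$f" && return 2
    head -n 1 "$f" | grep -qx -- '-----BEGIN PGP PUBLIC KEY BLOCK-----' || return 1
    tail -n 1 "$f" | grep -qx -- '-----END PGP PUBLIC KEY BLOCK-----' || return 1
    return 0
}

# Check first, then upload with the same curl call the notes use.
upload_pubkey() {
    f="$1"
    check_armored_pubkey "$f" || { echo "refusing to upload $f" >&2; return 1; }
    curl -T "$f" https://keys.openpgp.org
}

# Constructed demo data in a temp directory (fake key ID, fake armor bodies);
# nothing here touches the network.
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' '' 'mQENBEXAMPLE' \
    '-----END PGP PUBLIC KEY BLOCK-----' > "$demo_dir/0123456789ABCDEF-2024-01-15.asc"
printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' '' 'mQENBEXAMPLE' \
    '-----END PGP PUBLIC KEY BLOCK-----' > "$demo_dir/0123456789ABCDEF-2024-06-02.asc"
printf '%s\n' '-----BEGIN PGP PRIVATE KEY BLOCK-----' '' 'lQOYBEXAMPLE' \
    '-----END PGP PRIVATE KEY BLOCK-----' > "$demo_dir/0123456789ABCDEF-2024-07-01.sec.asc"

newest=$(latest_pubkey_file "$demo_dir" 0123456789ABCDEF)
echo "newest public key file: $newest"
check_armored_pubkey "$newest" && echo "ok: armored public key, safe to upload"
check_armored_pubkey "$demo_dir/0123456789ABCDEF-2024-07-01.sec.asc" || echo "rejected: private key block (exit $?)"
```

Replace the final echo lines with `upload_pubkey "$newest"` to perform the real upload from the mounted USB path.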

Retrieving keys

To locate the key of a user, by email address:

gpg --auto-key-locate keyserver --locate-keys user@example.net

To refresh all your keys (e.g. new revocation certificates and subkeys):

gpg --refresh-keys