Setting up Web Key Directory (WKD) for a domain

I recently purchased a domain from Cloudflare Registrar, primarily for the purpose of managing my digital identification. I’ve set up MX records (and DMARC, etc.) for email routing just fine, but publishing GPG keys is decidedly less straightforward.

I initially attempted to set up an IPGP certificate, hosting the public key in a Backblaze B2 bucket via redirect, but this has proven buggy and prone to TLS certificate issues. I’ve decided to attempt replacing it with WKD, but this demands hosting specific files at specific URLs rather than using DNS records alone.


My question is this: What is a straightforward method of providing static files at specific URLs?[1] I’d like to avoid maintaining a cloud server just for this if I can, but I’m not sure object storage is suitable for this. If I can run this entirely within Cloudflare[2], that would be ideal. I’d also like to do this in a manner that avoids other uses of the domain: redirecting all traffic for the entire domain is unacceptable.

I’m defining success as being able to satisfy this online checking tool.


  1. https://openpgpkey.[root domain]/.well-known/openpgpkey/[root domain]/hu/[32 octet string]?l=[user]
     https://openpgpkey.[root domain]/.well-known/openpgpkey/[root domain]/policy
     This file will be empty, but is still required.

  2. Using features that are intended for the purpose, that is: I don’t want fragile tricks or unnecessary layers.
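The two URLs in the first footnote are fixed by the WKD specification: the `hu/` name is the SHA-1 of the lowercased local part of the address, encoded in z-base-32, which always gives 32 characters (20 digest bytes expand to 32 five-bit digits), and the `?l=` parameter carries the local part as written. The key file is the binary (non-armored) export and `policy` may be empty but must exist. The following Python script is an added example and is not code from the original post; it computes the `hu/` filename, the URLs for both the advanced method (the `openpgpkey.` subdomain) and the direct method (the bare domain), and the relative file paths to drop onto any static host. The address `Joe.Doe@Example.ORG`, the placeholder key bytes and the function names are constructed for illustration.

```python
"""Compute Web Key Directory (WKD) URLs and the static-file layout for an address.

Added example for the thread above, not code from the original post.
"""
import hashlib
from urllib.parse import quote

# z-base-32 alphabet, as used by GnuPG for the WKD mailbox hash
ZB32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as z-base-32: 5-bit groups, most significant bit first,
    with the final group zero-padded. A 20-byte SHA-1 digest is exactly
    160 bits, so it encodes to 32 characters with no padding."""
    bits = "".join(f"{b:08b}" for b in data)
    if len(bits) % 5:
        bits += "0" * (5 - len(bits) % 5)
    return "".join(ZB32_ALPHABET[int(bits[i:i + 5], 2)]
                   for i in range(0, len(bits), 5))


def wkd_hash(local_part: str) -> str:
    """Mailbox hash = z-base-32(SHA-1(lowercased local part)); always 32 chars.
    Only the hash is case-folded; the ?l= parameter keeps the original case."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def split_address(addr: str) -> tuple[str, str]:
    """Split 'user@domain' into (local_part, lowercased domain)."""
    local_part, _, domain = addr.rpartition("@")
    if not local_part or not domain:
        raise ValueError(f"not a mailbox address: {addr!r}")
    return local_part, domain.lower()


def wkd_urls(addr: str) -> dict[str, str]:
    """Key and policy URLs for the advanced method (openpgpkey.<domain>)
    and the direct method (<domain>). Clients try advanced first."""
    local_part, domain = split_address(addr)
    h = wkd_hash(local_part)
    l = quote(local_part, safe="")  # percent-encode, keep original case
    adv = f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}"
    direct = f"https://{domain}/.well-known/openpgpkey"
    return {
        "advanced_key": f"{adv}/hu/{h}?l={l}",
        "advanced_policy": f"{adv}/policy",
        "direct_key": f"{direct}/hu/{h}?l={l}",
        "direct_policy": f"{direct}/policy",
    }


def wkd_static_layout(addr: str, key_bytes: bytes,
                      method: str = "advanced") -> dict[str, bytes]:
    """Map web-root-relative paths to file contents for a static host.
    key_bytes must be the *binary* public key (gpg --export, no --armor)."""
    if method not in ("advanced", "direct"):
        raise ValueError("method must be 'advanced' or 'direct'")
    local_part, domain = split_address(addr)
    base = (f".well-known/openpgpkey/{domain}" if method == "advanced"
            else ".well-known/openpgpkey")
    return {
        f"{base}/policy": b"",  # required; an empty file is acceptable
        f"{base}/hu/{wkd_hash(local_part)}": key_bytes,
    }


if __name__ == "__main__":
    # Constructed sample address and placeholder key bytes (not a real key).
    sample = "Joe.Doe@Example.ORG"
    for name, url in wkd_urls(sample).items():
        print(f"{name:16} {url}")
    for path in wkd_static_layout(sample, b"\x99\x01placeholder"):
        print("file:", path)
```

For the advanced method the files are served from the `openpgpkey.` subdomain, so the rest of the domain is untouched, which addresses the "no redirecting the whole domain" constraint; the same layout works on any host that serves plain files over HTTPS. `gpg --with-wkd-hash --fingerprint user@domain` prints the same `hu/` name and can be used to cross-check the output.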

Can’t see why you wouldn’t be able to host the relevant files on Cloudflare Pages.

I ended up using Keybase to host the files[1], though I’m sure Cloudflare Pages would work as well.


  1. To be precise, I made a Keybase team, gave the Keybase Pages bot read-only access, and added the relevant files to that.
     Oddly enough, it only works if you don’t proxy the CNAME record through Cloudflare. It took me ages to work that out.

As far as I understood, you want to set up WKD.

I use WKD, so that ProtonMail (and other WKD enabled E-Mail providers) users can send me PGP encrypted E-Mails.

So here is what I did:

Step 1. Upload your public key (NOT THE PRIVATE) on keys.openpgp.org
Step 2. Create a CNAME

openpgpkey.example.com. 300     IN      CNAME   wkd.keys.openpgp.org.

Step 3. Test it on metacode.biz/openpgp/web-key-directory

I am truly happy there are PGP/GPG users here :))

Using a public keyserver sort of defeats the purpose of WKD. It’s an option, sure, but it’s more of a last resort.

You must upload it to the key server so that the WKD can serve it.

Thunderbird and other WKD enabled clients retrieve the key from the WKD, not the key server.

So basically that’s the only way to upload your key as far as I know.

You’re supposed to host your key as a static file on your own domain, thus using DNS to vouch for the key’s connection to the UID: when you use CNAME like that, you are delegating that job to the key server.

https://wiki.gnupg.org/WKD

You can self-host it if you want and can.

I don’t since I’m not good at securing servers, so I leave the job to them.

So if you don’t want to self-host it, then you can do what I explained above.

And I think I may not have explained myself earlier: in order for the WKD to provide the key, you need to upload it to the key server. So because they have your key, people who use WKD can get it, and people who don’t use WKD (because they didn’t update Thunderbird etc.) can still get your key from the key server.
I think that’s a good idea since WKD is not that popular yet, and may have to change in the future.
And that key server is the default key server on most E-Mail clients like Thunderbird etc.

WKD is intended for a minimal subset of your public key: you have to remove all the UIDs except the one being checked, for instance. A key server can be used in addition to that (and specified in the UID), which allows someone with the minimal key to pull the rest of it as desired.

Oh, well I don’t know what to say then, I’m still a PGP/GPG newbie, so you tell me.

You can see on wiki.gnupg.org/WKD that guardianproject.info has the same config.