Where to upload PGP public key? Are KeyServers still surviving?

I want to upload my PGP public key on a public server. While PGP was an independent organization, I heard a lot about KeyServers, but after Symantec acquired PGP, what is the future of these servers?

Is there any other alternative way to keep my public keys online?


Solution 1:

Yes, keyservers still exist (though the situation has changed since 2011):

  • The SKS Keyserver Pool (stats) is still online, but just barely. Its participants have dwindled since this post was originally written in 2011, dropping from around a hundred to just ~20.

    (Of those, only 1-2 servers participate in the "HKPS" sub-pool, which is used by GnuPG in the default configuration. If your GnuPG reports "General error" when retrieving keys, that's because the pool has completely drained and you must switch to a non-pool URL.)

    As of 2021, the pool is no longer maintained. This doesn't mean that all of the individually-run keyservers comprising it will disappear, but it does mean that the "pool.sks-keyservers.net" URLs will stop working.

  • Some keyservers, such as Ubuntu keyserver, have replaced SKS with more modern and reliable software such as Hockeypuck. They do however still synchronize with the SKS pool.

  • One of the oldest remaining keyservers is pgp.mit.edu (now running SKS software, previously PKS for a long time). It synchronizes with the SKS Keyserver Pool.

  • The old PGP Global Directory is still online, untouched since 2011. It is not part of the SKS pool and doesn't sync with other servers.

  • New standalone servers are showing up, such as keys.openpgp.org (since 2018). This particular server does not synchronize with others, and requires key owners to opt-in to being published.


The SKS software has been written to accept anything that looks vaguely like a PGP key packet and to store it forever. (Its "gossip" protocol only exchanges new packets, but by design has no way to propagate deletions.) This has caused problems for a long time, but started getting massively abused in 2018–2019, which eventually led to the SKS Keyserver Pool's slow demise. Most new keyservers don't have synchronization partly because they want to figure out how to combine opposing goals.

One of the possible alternatives is GnuPG's "Web Key Directory" (WKD) protocol, which simply allows the keys for addresses under a given @domain.tld to be published through HTTP at the same https://domain.tld/. (This of course only works if you know the email address – it's useless if you're verifying signatures and all you have is the key ID or fingerprint.)

Previously there were attempts to implement key publication through DNS (using CERT and PKA). Those methods haven't achieved broad adoption and are no longer supported by GnuPG.

Solution 2:

As of mid-Sept 2019, three months following launch, keys.openpgp.org news has this to say:

It is now used by default in GPGTools, Enigmail, OpenKeychain, GPGSync, Debian, NixOS, and others.

The adoption rates are impressive. According to the news quoted, keys.openpgp.org saw an increase from about 2000 to 70K verified email addresses in a 3-month span just this year.

If new keyservers are seeing the kind of reception we've seen with keys.openpgp.org it would be hard to say not only are keyservers surviving, they're growing in popularity.