How should I distribute my public key?

  • I've just started to use GPG and created a public key. It is kind of pointless if no-one knows about it. How should I distribute it? Should I post it on my profile on Facebook and LinkedIn? How about my blog? What are the risks?

    I guess it depends on what you use your GPG key for??? Signing emails? Encrypting email content? Encrypted files attached to email? Distributing trustworthy software that you wrote? Storing local files? What size are the files? Are you using mostly symmetric or asymmetric keys (GPG supports both)? Who is going to be needing your pubkey and why?

  • The best way to distribute your key is by using one of the key servers that are available, such as keyserver.ubuntu.com, pgp.mit.edu or keyserver.pgp.com.

    If you use Seahorse (default key manager under Ubuntu), it automatically syncs your keys to one of these servers. Users can then look up your key using your email address or keyid.

    If you wanted to post your public key on LinkedIn or your blog, you can either upload the key to your server or just link to the page for your key on one of the keyservers above. Personally, I would upload it to one of the keyservers and link to it, as it is easier to keep it up-to-date in one place, instead of having the file in loads of different locations. You could also share your keyid with people, and they can then receive your key using gpg --recv-keys.

    If you wanted to post your public key on Facebook, there is a field to place it under the Contact Info section of your profile. You can also change your Facebook security settings to use this same public key to encrypt their emails to you.

    For example, here's my public key.

    To my knowledge, there are no risks associated with publishing your public key.

    There are no major risks with publishing your public key far and wide. You'll want it in the keyserver system as Mark points out so it can be automatically imported. But it's safe to distribute other ways too.

    Note that publishing the key on PGP keyservers is rather pointless if it is not signed by others. In this case, you should prefer secure distribution means like an SSL homepage. Also, having your little brother sign your key will only provide a trust relationship between you two. Key signing parties or SSL-protected homepages are useful if you aim for secure correspondence with a wider audience.

    My experience is that key servers are somewhat #fail. I have lots of old keys that I've lost from '99 and '00 on pgp.mit.edu for example. It really does not solve the problem properly.

    Shouldn't you use the https link for distributing your key, so you can be sure the public key wasn't altered en-route?

    What if I upload my SSH key to GitHub? Then someone hacks github, changes the key, and poses as me. Would that be MITM?
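    The answer above describes publishing a key to a keyserver and fetching it with gpg --recv-keys, and the later comments ask how a recipient can be sure the key was not altered on the way. The script below is an added example, not code from the original answers: it wraps the publish and fetch steps in functions and adds the check that actually closes the gap, comparing the fingerprint of the fetched key against one obtained over a separate trusted channel (an https page, a business card, a phone call). The keyserver URL, the key id and the fingerprint are placeholders or values supplied by the user; `gpg` itself is only invoked when it is installed and the script is run with the `fetch` argument.

```shell
#!/bin/sh
# Added example (not from the original Q&A). Assumes GnuPG is installed when
# publish_key / fetch_and_verify are called; KEYSERVER defaults to a real
# hkps endpoint, the key id and fingerprint are supplied by the caller.
set -eu

KEYSERVER="${KEYSERVER:-hkps://keyserver.ubuntu.com}"

# Normalise a fingerprint for comparison: drop whitespace, force upper case,
# so "1234 abcd ..." from a web page matches gpg's unspaced output.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# Return 0 when the fingerprint taken from the out-of-band channel equals
# the fingerprint of the key we actually received.
fpr_matches() {
  [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Owner side: push your own public key to the keyserver so others can
# --recv-keys it by key id or e-mail address.
publish_key() {
  gpg --keyserver "$KEYSERVER" --send-keys "$1"
}

# Recipient side: fetch a key by id, then refuse to use it unless its
# fingerprint matches the one obtained independently of the keyserver.
fetch_and_verify() {
  key_id="$1"
  expected_fpr="$2"
  gpg --keyserver "$KEYSERVER" --recv-keys "$key_id"
  # "fpr" records in --with-colons output carry the fingerprint in field 10.
  actual_fpr=$(gpg --with-colons --fingerprint "$key_id" \
               | awk -F: '$1 == "fpr" { print $10; exit }')
  if fpr_matches "$actual_fpr" "$expected_fpr"; then
    echo "fingerprint matches trusted copy: $key_id"
  else
    echo "FINGERPRINT MISMATCH for $key_id; do not encrypt to this key" >&2
    return 1
  fi
}

# Usage: ./keycheck.sh fetch <KEY_ID> "<FINGERPRINT FROM TRUSTED SOURCE>"
if command -v gpg >/dev/null 2>&1 && [ "${1:-}" = "fetch" ]; then
  fetch_and_verify "$2" "$3"
fi
```

The point of the script is the order of operations: the keyserver is only a transport, and the fingerprint comparison is what gives you confidence that the key you imported is the one the owner published, whether the keyserver, the network path, or a compromised profile page sat in between.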

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM