Secure Mail Client | Academy / 101.5
Beginner 15 minutes

Publishing Your Public Keys

Why Publishing Your Public Key Matters

After creating your PGP keys, the next crucial step is to make your public key readily available to others. Remember, the whole purpose of public key cryptography is that people need your public key to:

  • Send you encrypted messages that only you can read
  • Verify the authenticity of messages you've digitally signed

If your contacts can't easily find your public key, they simply can't communicate securely with you. It's like having a secure mailbox but not telling anyone your address!

Tip

Public vs. Private Keys

Remember: Your public key is safe to share widely—that's its purpose. Your private key must be kept strictly confidential.

Preparing Your Public Key for Distribution

Before publishing your key, let's ensure it's in the right format for easy sharing.

Exporting Your Public Key

In Secure Mail Client, export your public key as follows:

  1. Navigate to Key Management in the main menu
  2. Select your key from the list
  3. Click Export Public Key
  4. Choose ASCII Armored format (this is a text-based format ideal for sharing)
  5. Save the file with a .asc extension (e.g., yourname_public_key.asc)

For command-line users, you can export your public key with:

Export your public key
      
        
# Replace you@example.com with your actual email
gpg --armor --export you@example.com > yourname_public_key.asc

      
    

The resulting file contains your public key in a text format that begins with -----BEGIN PGP PUBLIC KEY BLOCK----- and ends with -----END PGP PUBLIC KEY BLOCK-----.

Know Your Key Information

Before publishing, make sure you know your key's identifiers:

  • Key ID: A short identifier (e.g., A1B2C3D4)
  • Fingerprint: A longer, more secure identifier (e.g., 1234 5678 90AB CDEF 1234 5678 90AB CDEF 1234 5678)
  • Associated Email: The email address(es) connected to your key

In Secure Mail Client, this information is displayed in the Key Details view. For command-line users:

View your key details
      
        
# List keys with fingerprints
gpg --fingerprint you@example.com

      
    

Methods for Publishing Your Public Key

There are several ways to make your public key available to others. Using multiple methods increases the chances that your contacts will find your key when they need it.

1. Publishing to Public Key Servers

Key servers are specialized directories that store and distribute PGP public keys. They allow anyone to search for keys by email address or key ID.

Popular Public Key Servers

keys.openpgp.org

Modern, privacy-focused server with email verification

keyserver.ubuntu.com

Well-maintained server within the SKS keyserver network

pgp.mit.edu

One of the oldest and most widely used key servers

Using Secure Mail Client to Publish Your Key

Secure Mail Client provides a simple interface for key server publication:

  1. Navigate to Key Management
  2. Select your key
  3. Click Publish to Key Server
  4. Select the desired key server (or use the default)
  5. Click Publish

Using Command-Line Tools

For command-line users, you can publish your key with:

Publish your key to a keyserver
      
        
# Using keys.openpgp.org (recommended)
gpg --keyserver keys.openpgp.org --send-keys YOUR_KEY_ID

# Or using keyserver.ubuntu.com
gpg --keyserver keyserver.ubuntu.com --send-keys YOUR_KEY_ID

# Replace YOUR_KEY_ID with your actual key ID

      
    

Tip

Choose the Right Key Server

We recommend keys.openpgp.org for new users because:

  • It verifies email addresses before publishing them
  • It has good privacy practices
  • It's well-maintained and regularly updated

Verifying Key Publication

After publishing, verify that your key was successfully uploaded by searching for it:

Verify your key is on the server
      
        
# Search by email
gpg --keyserver keys.openpgp.org --search-keys you@example.com

# Or search by key ID
gpg --keyserver keys.openpgp.org --search-keys YOUR_KEY_ID

      
    

Some key servers like keys.openpgp.org will send you a verification email. You must click the verification link in this email to fully publish your key with your email address.

2. Sharing Your Public Key Directly

While key servers are convenient, direct sharing ensures your recipient gets exactly the right key.

Email Attachment

The simplest approach is to attach your public key file to an email:

  1. Compose a new email to your contact
  2. Attach your exported public key file (yourname_public_key.asc)
  3. Include a brief explanation in the email body

Email Signature

Including your public key in your email signature makes it available with every message you send:

  1. Configure your email client to include your public key as an attachment to your signature
  2. Or include a link to where your key can be downloaded

Note

Signature Example

Best regards,
Your Name
you@example.com

My PGP key: https://example.com/publickey.asc
Fingerprint: 1234 5678 90AB CDEF 1234 5678 90AB CDEF 1234 5678

3. Publishing on Your Website or Social Media

If you have a personal website, blog, or active social media profiles, these are excellent places to publish your public key.

Website Publication

On your website:

  1. Create a dedicated page or section for your public key
  2. Include both a downloadable file and the key text directly on the page
  3. Add your key fingerprint for verification

For advanced users, consider using the standard location:

Standard website PGP key location
      
        
https://yourwebsite.com/.well-known/openpgpkey/hu/[hash]

      
    

This follows the OpenPGP Web Key Directory standard, which allows automatic discovery of keys.

Social Media Profiles

For social media:

  • Include your key fingerprint in your bio or profile
  • Add a link to where your full key can be downloaded
  • For platforms with fixed profile fields, include this information in your bio

Verifying and Helping Others Find Your Key

Creating a Key Discovery Strategy

To maximize the chances of others finding your key when they need it:

  1. Use multiple publication methods (key servers, website, email)
  2. Always include your key fingerprint when referencing your key
  3. Keep the information consistent across all platforms
  4. Update all locations if you generate a new key

Testing Your Key Discovery

Before relying on your published key, test the discovery process:

  1. Use a different device or ask a friend to try finding your key
  2. Try searching by email address and by key ID
  3. Verify that the fingerprint matches your expected key
  4. Test importing the key into PGP software

Security Alert

Beware of Key Server Limitations

Keep in mind that public key servers have some important limitations:

  • Keys generally cannot be fully deleted once published
  • Updates to your key may not propagate to all servers immediately
  • Some servers may not verify email ownership before publishing keys
  • There's no guarantee that a key on a server actually belongs to the named person

This is why verification through fingerprints and multiple publication methods is important.

Using Secure Mail Client's Key Publication Features

Secure Mail Client simplifies the key management process with built-in features:

Secure Mail Client Key Distribution Tools

Automatic Key Server Publication
  • One-click publishing to multiple key servers
  • Verification status tracking
  • Automatic refreshing of published keys
Email Integration
  • Automatic key attachment options
  • Email signature key inclusion
  • One-click key sharing with contacts
Key QR Code Generation
  • Create QR codes containing your public key
  • Easy sharing during in-person meetings
  • Quick scanning via mobile devices
Web Key Directory Support
  • Generate WKD-compatible key files
  • Instructions for website integration
  • Automatic key discovery from WKD-enabled domains

To access these features in Secure Mail Client:

  1. Navigate to Key Management in the main menu
  2. Select your key
  3. Click Distribution Options to see all available sharing methods

Storing the Public Key URL on YubiKey

If you're using a YubiKey for your PGP keys, you can store a URL pointing to your public key directly on the YubiKey itself. This creates a self-referencing system where anyone with your YubiKey can find your public key.

Why Store the URL on Your YubiKey?

  • Automated retrieval: Some PGP software can automatically fetch your public key using this URL
  • Seamless key rotation: When you update your key, just update the hosted key at the same URL
  • Simplified sharing: In-person verification becomes easier when the key location is built into the device
  • Reduced user error: Eliminates the problem of using incorrect or outdated keys

Setting the URL Field on Your YubiKey

In Secure Mail Client, you can configure this feature through the YubiKey Management interface:

  1. Go to Key Management > YubiKey Settings
  2. Select Edit OpenPGP Application
  3. Navigate to the URL Settings tab
  4. Enter the URL where your public key can be accessed
  5. Save the changes to your YubiKey

For command-line users, you can set the URL using GnuPG:

Set public key URL on YubiKey
      
        
# Connect to your YubiKey
gpg --card-edit

# Inside the card editor, use the "url" command
gpg/card> admin
Admin commands are allowed

gpg/card> url
URL to retrieve public key: https://example.com/pubkey.asc

# Review the changes
gpg/card> list

# Save and exit
gpg/card> quit

      
    

Tip

Recommended URL Types

For the URL field, you can use:

  • Your personal website: https://yourdomain.com/pubkey.asc
  • Key server with direct key link: https://keys.openpgp.org/vks/v1/by-fingerprint/YOUR_FINGERPRINT
  • GitHub Gist URL: https://gist.github.com/yourusername/abcd1234.../raw
  • Web Key Directory URL: https://yourdomain.com/.well-known/openpgpkey/hu/hash

Ensure the URL is stable and unlikely to change. Secure HTTPS links are strongly preferred.

How Key Verification Works with YubiKey URLs

When you store a URL on your YubiKey, you're creating a powerful verification mechanism:

Verification Process Flow

  1. When a user encounters your signature, they can see it was created by a specific subkey
  2. The software looks up the corresponding master public key using the URL stored on your YubiKey
  3. It verifies that the signature subkey belongs to the master key (subkeys are certified by the master key)
  4. Finally, it confirms the signature is valid using the subkey

Important Security Note

The signature subkey and the master key don't need identical fingerprints—they're designed to be different. The chain of trust connects them: the master key certifies the subkey, which makes the signature.

This is why the URL field is so valuable—it provides the automatic connection between your subkeys (on the YubiKey) and your master key (stored securely elsewhere).

When using this feature, always verify that the URL is accessible and returns the correct key before relying on it.
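One way to script the fingerprint check from "Testing Your Key Discovery" and the URL check above, as an added example that is not part of the original page or of Secure Mail Client. It parses the output of `gpg --show-keys --with-colons` for a downloaded file; the function names and the sample output are constructed for illustration.

```python
# Added example: check a downloaded key against a fingerprint received out of band.
# Input is the text printed by: gpg --show-keys --with-colons downloaded.asc
import re

# Constructed sample output (not a real key): one primary key with one subkey.
SAMPLE = """\
pub:-:255:22:90ABCDEF12345678:1700000000:::-:::scESC:::::ed25519:::0:
fpr:::::::::1234567890ABCDEF1234567890ABCDEF12345678:
uid:-::::1700000000::::Your Name <you@example.com>::::::::::0:
sub:-:255:18:87654321FEDCBA09:1700000000::::::e:::::cv25519::
fpr:::::::::FEDCBA0987654321FEDCBA0987654321FEDCBA09:
"""

def normalize_fpr(text):
    """Strip spaces and a 0x prefix; accept only a full fingerprint, never a key ID."""
    fpr = re.sub(r"\s+", "", text).upper()
    if fpr.startswith("0X"):
        fpr = fpr[2:]
    if not re.fullmatch(r"[0-9A-F]{40}|[0-9A-F]{64}", fpr):
        raise ValueError("expected a full 40- or 64-hex-digit fingerprint, not a key ID")
    return fpr

def fingerprints(colon_output):
    """Return [(kind, fingerprint)], kind being 'pub' (primary) or 'sub' (subkey)."""
    found, current = [], None
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            current = fields[0]               # the next fpr record describes this key
        elif fields[0] == "fpr" and current and len(fields) > 9:
            found.append((current, fields[9].upper()))   # field 10 holds the fingerprint
            current = None
    return found

def check_key(colon_output, expected):
    """Compare the expected fingerprint with the primary key and subkeys in the file."""
    want = normalize_fpr(expected)
    keys = fingerprints(colon_output)
    primaries = [f for kind, f in keys if kind == "pub"]
    if len(primaries) != 1:
        return "reject: file must contain exactly one primary key"
    if primaries[0] == want:
        return "match: primary key"
    if any(f == want for kind, f in keys if kind == "sub"):
        return "subkey: fingerprint belongs to a subkey of " + primaries[0]
    return "reject: fingerprint mismatch"
```

A "subkey" result means the fingerprint you were given is that of a signing or encryption subkey, so the primary key's fingerprint still has to be confirmed with the owner.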

When to Update Your Published Keys

Your published keys should be kept up-to-date. Republish your public key when:

  • You've extended the key's expiration date
  • You've added or revoked subkeys
  • You've added new user IDs (email addresses) to your key
  • You've gained new certifications (signatures) from other users
  • You've created an entirely new key and are transitioning to it

The process for updating is generally the same as the initial publication—send the updated key to key servers and update any directly shared copies. If you're using the YubiKey URL feature, make sure to update the key at the referenced URL.

Summary and Next Steps

Publishing your public key is an essential step in using PGP encryption effectively. By making your key easily discoverable through multiple channels, you ensure that others can communicate securely with you whenever needed.

  • Use key servers for broad availability
  • Share directly with important contacts
  • Include your key or a link to it in your online profiles
  • Verify that others can find and access your key
  • Keep your published keys updated

Next Steps

Now that you've published your public key:

  • Set up your email client to work with your PGP keys
  • Learn how to receive and validate other people's public keys
  • Begin sending encrypted and signed messages
  • Create a regular schedule to verify and update your published keys
