Credativ was recently acquired by Instaclustr. Click here to learn more about this acquisition.
03 June 2020

Retrieve credativ PGP keys via WKD

Even after almost 30 years, PGP is still considered a standard for secure and confidential email communication. We use PGP internally and with our customers to transmit sensitive data. In practice SKS-Keyservers are often used for key exchange.

Because anyone can publish keys for any address there, the key need to be verified over an independent and secure channel. Unfortunately, not everyone is familiar with doing so. This is not the only point of criticism though. Therefore, email encryption is hardly adopted apart from technical users.

What is WKD?

WKD is another approach to simplify PGP key exchange while having a solid security basis the same time. A standardized path ensures, that keys can be found by clients automatically.

In order to ensure secure transmission of public keys, HTTPS is mandatory and requires a valid certificate chain. The key’s plausibility is based on the fact that only the owner of domain and server, also has control over the WKD.

A couple of email providers and open source projects already support WKD. We too want to simplify PGP key exchange for our customers and business partners with WKD. Through the integration in desktop clients like Thunderbird, encrypted mail transfer is fully transparent and mitigates MiTM attacks.

GnuPG considers multiple trust Levels. WKD therefore offers a higher security level than unverified keys from an SKS-Keyserver, or those send per email. For high security requirements verifying the fingerprint over a secure channel and Web of Trust are still the way to go.

Some desktop clients like Thunderbird (with Enigmail extension) can fetch keys via WKD automatically. Manually this can be done via gpg command too:

gpg -v --auto-key-locate clear,wkd,nodefault --locate-key

Web Key Service

WKS is an optional service and can be configured in addition to WKD. It facilitates users to publish their keys on their own, via mail. Enigmail for Thunderbird for instance, offers an option in its context menu for that.


Already after a few days after going live with WKD, the income of encrypted emails increased. If you need support with establishing a WKD, WKS or an individual solution for automated provisioning of PGP keys via WKD, our Open Source Support Center is available for you anytime. Contact us!

Categories: credativ® Inside
Tags: Security


About the author

Sascha Spettmann



Sascha Spettmann has been working for credativ in the support team since 2018. Since 2019 he has also been supporting our internal IT. In his private life, he works on corebooting and operating his own infrastructure for services such as XMPP and e-mail.

View posts

share post: