How to share an OpenPGP public key easily in three steps!

End-to-end encryption is an essential part of Mailfence secure and private email platform. Generally for using end-to-end encryption, sharing or exchanging OpenPGP public keys in a secure and reliable manner can be challenging. In this blogpost, we will present some easy yet reliable ways to exchange OpenPGP public keys. We covered this in a step-wise fashion: where to get an OpenPGP public key, how to obtain its fingerprint separately – and finally how to verify that it belongs to its claimed owner.

Step – 1: Exchange OpenPGP public key:

The first and foremost step is to share or exchange the OpenPGP public key with your recipient. Following are some of the most common and efficient ways to perform this step.

Digitally signed email

Send a digitally signed email with your public key attached to your recipient. Subsequently your recipient should do the same. This will require you to have the email address of your recipient in advance.

This Knowledge-base article will provide you exact steps in this regard.

Note: Make sure the email address you sending to or received from is the right one (obtained via a trusted side-channel: meeting in person, telephone, …).

Instant messaging apps

There are various mobile messaging apps, that allow you to send files as well. However, this will require you to have the mobile number of your recipient in advance and you both should be available (registered) on the corresponding app.

Following are some of the mobile apps to share or exchange your public key with your recipient.

Note:

  • Use the right mobile number of your recipient (obtained via a trusted side-channel: meeting in person, telephone, …).
  • If you are not certain of the identity of your contact, then follow the contact verification steps specific to each app (Signal: verify the person, WhatsApp: Verify security code).

Social media accounts and other online spaces

A lot of people today are on social media (facebook, twitter, …). However, there are several restrictions on sending direct messages to other users specific to each platform.

Use one of the following social platforms.

  • Twitter:
    Simply copy your OpenPGP public key text and send it as a direct message to your recipient
    OpenPGP public key text
  • Facebook:
    Simply copy your OpenPGP public key text and send it as a direct message to your recipient.
    OpenPGP public key text

You can use other platforms like Google+, … in the same manner.

You can sometimes find the OpenPGP public key fingerprint on a user’s website/or other online presence. For instance, at Mailfence, you can use your document storage to share your public key via the Direct access link.

  1. Go to your Mailfence account document storage, click on the wheel and click on ‘Create public folder’
    public folder mailfence
  2. Upload your OpenPGP public key
  3. Right-click on your public key and click on ‘Direct access’
    public key direct access
  4. Share the given link under ‘Public access’ with your recipients and other people

Note:

  • Fake social media profiles are common, make sure you use the right one (by doing some checks).
  • Social profiles get compromised. Always check your recipient’s profile for suspicious flags, just to be sure that it has not been compromised.

Public key repositories: Keybase.io

A public key repository is a place where public keys of different people resides. Keybase.io is a public key repository, that allows users to link their key with connected devices and attach various social accounts as well. In addition, this brings more legitimacy to their identity, which can be cross-checked across other social platforms. It also facilitates the verification of digital signatures.

  1. Create your account
    Create account mailfence
  2. Upload your PGP public key (this will also require you to sign it, using your private key in the following wizard)
  3. Hook your devices and connect multiple social accounts and other online spaces – to make your identity more legitimate
    Mailfence openpgp public key

Note: Keybase has been acquired by Zoom. Zoom has questionable security reputation and it has been reported that they have been (mistakenly they claim) running servers in China. If you prefer, you can use validating repositories like OpenPGP.org.

Other open Public key repositories

There are other open-public key servers (SKS based), that do not require you to create an account and/or sign your public key before uploading it. However, publishing public keys on them is a non-reversible process (your key cannot be deleted). An additional disadvantage of such key-servers is that your UID (name & email address) becomes public.

If you do want to publish on SKS public key servers via mailfence, take the following steps:

  1. Go to Settings -> Messages -> Encryption and click on your Personal key
  2. Click on ‘Publish on public key server’

Note:

  • As anyone can publish a public key on these open public key servers, make sure you have established some level of trust before copying the public key fingerprint
  • Avoid copying the fingerprint of a revoked and/or expired public key

Step – 2: Get the OpenPGP public key fingerprint using a different channel!

After sharing or exchanging the public key with your recipient, the next and foremost step is to acquire the fingerprint of the respective public key using a different channel. Public keys get spoofed, so don’t skip this step.

Digitally signed email

Send a digitally signed email. Therefore it should include your public key fingerprint in the message body and ask your recipient to do the same.

At mailfence, this can easily be done by taking following steps:

  1. Compose your message, while including your OpenPGP public key fingerprint
  2. Digitally sign & send your message

Note:

  • Make sure the email address you are sending email to or have received an email from is the right one (obtained via a trusted side-channel: meeting in person, telephone, …).

Instant messaging apps or a call

This will require you to have the mobile number of your recipient in advance. A simple telephone call will suffice. In case of instant messaging: you and your recipient should be available (registered) on the corresponding app.

Following are some of the mobile apps to share or exchange your public key fingerprint with your recipient.

Note:

  • Use the right mobile number of your recipient (obtained via a trusted side-channel: meeting in person, telephone, …).
  • If you are not certain of the identity of your contact, then follow the contact verification steps specific to each app (WhatsApp: Verify security code, Signal: verify the person).

Social media accounts

A lot of people today are on social media (facebook, twitter, …). Consequently, this makes it an easy channel for sharing or exchanging your public key fingerprint. However, there are several restrictions on sending direct messages to other users specific to each platform.

Use one of following social networks:

  • Twitter:
    Simply copy your OpenPGP public key fingerprint and send it as a direct message to your recipient

    You can also include your OpenPGP public fingerprint in your profile ‘About’ section
  • Facebook:
    Simply copy your OpenPGP public key fingerprint and send it as a direct message to your recipient

    Include your OpenPGP public fingerprint in your profile ‘About’ section
    Mailfence_sharing_OpenPGP_public_key

Other platforms like Google+, … can also be used in the same manner.

You can sometimes find the OpenPGP public key fingerprint on a user’s website/or other online presence. For instance, at mailfence, you can use your document storage to share your public key fingerprint via the Direct access link.

  1. Go to your Mailfence account document storage, click on the wheel and click on ‘Create public folder’
  2. Upload your OpenPGP public key
  3. Right-click on your public key and click on ‘Direct access’
  4. Share the given link under ‘Public access’ with your recipients and other people

Note:

  • Fake social media profiles are common, make sure you use the right one (by doing some checks).
  • Social profiles also get compromised. Check your recipient’s profile for suspicious flags, just to be sure that it has not been compromised.

Open Public key repositories

You can use any public key repository to acquire public key fingerprints. The goal is to get the public key fingerprint using a separate channel.

  • Validating key serve (keys.openpgp.org)
  • SKS key server (e.g., https://pgp.mit.edu)

At mailfence, take following steps:

  1. Go to Settings -> Messages -> Encryption -> Add public key -> Search in public key servers
  2. Type the Name or email ID or Key ID of your recipient and hit enter. Then the fingerprint of the public key(s) will be displayed

Note:

  • Avoid copying fingerprint of a revoked and/or expired public key.
  • The goal is to acquire the fingerprint using a separate channel. Furthermore look for as many channels as possible, and crosscheck the acquired public key fingerprint

Step – 3: Verify that the OpenPGP public key indeed belongs to its claimed owner!

Finally, after obtaining your recipient(s) public key and the fingerprint using a different channel, the verification process is rather plain and simple. In this case, you just have to match the obtained fingerprint of your recipient’s public key against the acquired fingerprint. If it matches, you can be sure that the obtained public key indeed belongs to its claimed owner.  Now you can use it securely to communicate with your recipient(s).

At mailfence, take following steps:

  1. Go to Settings -> Messages -> Encryption -> Click on your recipient public key
  2. Copy the Obtained OpenPGP public key fingerprint (in step 2) and use the ‘find’ feature of your browser (e.g. press Ctrl+F )
    OpenPGP public key fingerprint
  3. If it matches, you can be sure that the obtained public key belongs to its claimed owner. In addition you can use it to securely communicate with your recipient(s).

The whole work-flow and last step in particular can be summarized through following info-graphic.

Share OpenPGP public key infographic
An example work-flow.

SIDE-CASE

Meeting in person: If you know your recipient in advance and it is possible to meet in person, then this is probably the most suitable option. You can share or exchange the public key using a flash-drive. Then exchange its fingerprint orally, or by any other possible means that is secure and reliable. Step 3 still applies in this situation.

A final note:  Don’t forget to check the revocation or expiration of the public key.

See also:

Get your secure email

Follow us on twitter/reddit and keep yourself posted at all times.

– Mailfence Team

Avatar for Mailfence Team

Mailfence Team

End-to-end encrypted e-mail service that values and respects your privacy without compromising the ease-of-use. @mailfence @mailfence_fr

You may also like...