<!--
Copyright:

   Copyright (C) Amnesia <amnesia at boum dot org>
   Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program; if not, write to:

    Free Software Foundation, Inc.
    51 Franklin St, Fifth Floor
    Boston, MA 02110-1301, USA.

On Debian GNU/Linux systems, the complete text of the GNU General Public
License can be found in the /usr/share/common-licenses' directory.

The complete text of the GNU General Public License can also be found online on gnu.org <https://www.gnu.org/licenses/gpl.html>, in {{project_name_long}} virtual machine images in /usr/share/common-licenses/GPL-3 file or on Github <https://github.com/{{project_name_short}}/derivative-maker/blob/master/GPLv3>.
-->
<!--
This wiki page is a fork of the Tails Trusting Tails signing key page, from this exact source <https://git.immerda.ch/?p=amnesia.git;a=blob;f=wiki/src/doc/get/trusting_tails_signing_key.mdwn;hb=63b68fb4970361131cbd1713b40521244e88c204>.
-->
{{Header}}
{{#seo:
|description=OpenPGP, gpg, Related Tools, Links, Advanced Topics, The OpenPGP Web of Trust, Bootstrapping OpenPGP keys from the web
|image=GnuPG-Logo.svg
}}
{{verification_tools_mininav}}
[[File:GnuPG-Logo.svg|thumb|100px|GnuPG logo]]
{{intro|
OpenPGP, gpg, Related Tools, Links, Advanced Topics, The OpenPGP Web of Trust, Bootstrapping OpenPGP keys from the web
}}
[[File:hauke_laging_gepruefter_artikel.en.png|400px|link=http://www.openpgp-schulungen.de/fuer/webautoren/|[https://www.hauke-laging.de/ Hauke Laging]'s clearsigned version of this text can be found here: [[OpenPGP_Certified]]. <br />
<br />
The [http://www.openpgp-schulungen.de/fuer/webautoren/ certification] image ([https://www.whonix.org/wiki/File:Hauke_laging_gepruefter_artikel.en.png hauke_laging_gepruefter_artikel.en.png]) is copyrighted by [https://www.hauke-laging.de/ Hauke Laging].|thumb]]
= Introduction =

OpenPGP is: <ref>https://www.openpgp.org/about/</ref> <ref>https://www.openpgp.org/</ref>
<blockquote>... a non-proprietary protocol for encrypting email communication using public key cryptography. It is based on the original PGP (Pretty Good Privacy) software. The OpenPGP protocol defines standard formats for encrypted messages, signatures, and certificates for exchanging public keys.</blockquote>

<blockquote>OpenPGP is the most widely used email encryption standard. ... OpenPGP was originally derived from the PGP software, created by [https://philzimmermann.com/EN/background/index.html Phil Zimmermann].</blockquote>

The primary purpose of OpenPGP relates to end-to-end encrypted email communication, but it is also utilized for encrypted messaging, password managers and other use cases. OpenPGP provides support for all major operating systems like Windows, macOS, GNU/Linux, Android and iOS. The openPGP standard was proposed to the Internet Engineering Task Force (IETF) and accepted as a standard in 1997. The standard has been continuously improved since that time and there is no suggestion intelligence agencies can break it. <ref>https://en.wikipedia.org/wiki/Pretty_Good_Privacy#OpenPGP</ref>

OpenPGP has an impressive resume and a host of applications, developer libraries and miscellaneous tools have implemented the OpenPGP standard either directly or with additional software. Applicable domains include:
* <u>[https://www.openpgp.org/software/ Email encryption]</u>: for various platforms, browser plugins, webmail providers with browser plugins, and webmail providers with in-browser cryptography
* <u>[https://www.openpgp.org/software/server/ Server software]</u>: webmail clients, keyservers, mailing list software and password managers
* <u>[https://www.openpgp.org/software/developer/ Developer libraries]</u>: various OpenPGP libraries, libraries supporting OpenPGP smartcards, and developer tools
* <u>[https://www.openpgp.org/software/misc/ Miscellaneous tools]</u>: web-based tools and other applications

'''Figure:''' ''How PGP Works'' <ref>https://en.wikipedia.org/wiki/File:PGP_diagram.svg</ref>

[[File:HowPGPworks.png|border]]

To learn more about this topic, refer to the following resources:
* [https://www.openpgp.org/ OpenPGP website]
* [https://github.com/openpgp OpenPGP on GitHub]
* [https://en.wikipedia.org/wiki/Pretty_Good_Privacy Pretty Good Privacy on Wikipedia]
* [[Verifying Software Signatures]]

To search for keys by email address, Key ID or Fingerprint, visit the [https://keys.openpgp.org/ <code>keys.openpgpg.org</code> server] ([http://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion/ .onion]). This publicly available service ("keyserver") enables the uploading, discovery, distribution and management of OpenPGP-compatible keys.

= Common Misconceptions =
{{gpg_signature_timestamp}}

{{GnuPG_file_names}}

= Key Servers =
{{Box|text=
'''1.''' Test gpg.

For example, run.

{{CodeSelect|code=
gpg --keyserver keys.openpgp.org --recv A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89
}}

'''2.''' <u>Note</u>: The use of <code>--recv</code> or <code>--recv-key</code> is deprecated.

Instead, it is recommended to [[Secure Downloads|securely download]] the key from a source that is logically connected to the owner, if possible, outside the keyserver model.

'''3.''' If a keyserver is required, utilize the onion address for <code>keys.openpgp.org</code>.

At the time of writing, the following onion address is consistently functional: <code>http://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion</code>

'''4.''' Learn more about gpg configuration basics for use with <code>keys.openpgp.org</code>.

Instructions are available [https://keys.openpgp.org/about/usage here] [http://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion/about/usage (.onion)].

Also see:
* [https://forums.whonix.org/t/gpg-recv-keys-fails-no-longer-use-keyservers-for-anything/5607 gpg --recv-keys fails / no longer use keyservers for anything]
* [https://forums.whonix.org/t/new-fixed-keyserver-keys-openpgp-org/11761 new, fixed keyserver - keys.openpgp.org]
}}

= Related Tools =
Encrypt, decrypt, sign, and verify text using [[Software#OpenPGP_.28GnuPG_Frontend.29| OpenPGP (GnuPG Frontend)]].

= Issues with PGP =

PGP has very bad usability and cryptography. Common PGP clients such as GnuPG are also not very secure. Thus, it is recommended against by many cryptography experts.

* [https://blog.cryptographyengineering.com/2014/08/13/whats-matter-with-pgp/ What's the matter with PGP?]
* [https://latacora.micro.blog/2019/07/16/the-pgp-problem.html The PGP Problem]
* [https://words.filippo.io/giving-up-on-long-term-pgp/ I'm giving up on PGP]
* [https://moxie.org/2015/02/24/gpg-and-me.html GPG And Me]
* [https://secushare.org/PGP 15 reasons not to start using PGP]
* [https://buttondown.email/cryptography-dispatches/archive/505a859e-964d-4d15-9ad8-7ad0f45e1345 Cryptography Dispatches: Replace PGP With an HTTPS Form]
* [https://www.openbsd.org/papers/bsdcan-signify.html signify: Securing OpenBSD From Us To You]

Not yet reviewed: <s>
Better alternatives are [https://github.com/FiloSottile/age age] for file encryption and [https://man.openbsd.org/signify signify] for signing.
</s>

= Sequoia =
[[File:Sequoia.svg|100px|thumb|Sequoia logo]]

[https://sequoia-pgp.org/ Sequoia] might be a suitable replacement for GnuPG.

{{Install Package|package=
sq
}}

forum discussion: [https://forums.kicksecure.com/t/sequoia-pgp-gpg-replacement-openpgp/260 Sequoia-PGP (gpg replacement) - OpenPGP]

= PGPainless =
Another potential replacement for GnuPG.

* https://gh.pgpainless.org/
* https://packages.debian.org/source/bookworm/all/pgpainless

= Links =
== In English Language ==
* [https://emailselfdefense.fsf.org/en/ Email Self-Defense]
* [https://userbase.kde.org/Concepts/OpenPGP_For_Beginners OpenPGP For Beginners]
* [https://userbase.kde.org/Concepts/OpenPGP_Getting_Started OpenPGP Getting Started]
* [https://userbase.kde.org/Concepts/OpenPGP_Help_Spread OpenPGP Help Spread]
* [https://www.elstel.org/software/GnuPG-usage.html.en How to use GnuPG securely]
* See also if there are any [https://www.cryptoparty.in/location crypto parties] in your vicinity.
* Try typing "crypto party" followed by the nearest city in a search engine of your choice.
* https://github.com/lfit/itpol/blob/master/protecting-code-integrity.md

== In German Language ==
* [http://www.openpgp-schulungen.de/fuer/alle/ Informationen über OpenPGP]
* [https://www.cryptoparty.in/location#germany kostenlose Schulungsangebote]
* [http://www.openpgp-schulungen.de/fuer/unterstuetzer/ Förderung von OpenPGP]
* [https://www.elstel.org/software/GnuPG-usage.html.de Wie man GnuPG sicher verwenden kann]

= Advanced Topics =
== Air Gapped OpenPGP Key ==
See [[Air Gapped OpenPGP Key]].

== Clearsign with Multiple Keys ==
[https://lists.gnupg.org/pipermail/gnupg-users/2013-July/047118.html Clearsign text document with multiple keys?]

== The OpenPGP Web of Trust ==
{{Box|text=
If you want to be extra cautious and really authenticate a OpenPGP key in a stronger way than what standard HTTPS offers you, you could use the OpenPGP Web of Trust.

One of the inherent problems of standard HTTPS is that the trust we usually put on a website is defined by certificate authorities: a hierarchical and closed set of companies and governmental institutions approved by web browser vendors. This model of trust has long been criticized and proved several times to be vulnerable to attacks [[Warning|as explained on our warning page]].

We believe instead that users should be given the final say when trusting a website, and that designation of trust should be done on the basis of human interaction.

The OpenPGP [https://en.wikipedia.org/wiki/Web_of_trust Web of Trust] is a decentralized trust model based on OpenPGP keys. Let's see that with an example.

''You're a friend of Alice and really trust her way of managing OpenPGP keys. You've validated Alice's key.''

''Furthermore, Alice met Bob in a conference, and signed Bob's key.''

This scenario creates a trust path from you to Bob's key that could allow you to validate it without having to depend on certificate authorities.

This trust model is not perfect either and requires both caution and intelligent supervision by users. The technical details of creating, managing and trusting OpenPGP keys are outside of the scope of this document.

We also acknowledge that not everybody might be able to create good trust path since it based on a network of direct human relationships and the knowledge of quite complex tools such as GnuPG.
}}

== Bootstrapping OpenPGP Keys from the Internet ==
Some OpenPGP users are unsure how to stay totally anonymous or what steps to take if there is no trusted path to an OpenPGP key.

Some people just write an unencrypted mail to the recipient and ask them to send their public key. The recipient will most likely either send their public key or at least its fingerprint.

This method works against passive attacks since an observer will not know what has been discussed in the following encrypted mails. However, this method totally fails against active attacks. A [[Warning#Man-in-the-middle_Attacks|man-in-the-middle]] could replace the recipient's key with their own malicious key. The sender would then use the wrong key, the man-in-the-middle would decrypt the message, read it, and re-encrypt it with the legitimate key and forward it to the recipient. Neither the sender nor recipient would ever discover that their messages were being read by an adversary. This is the whole reason why the trust model path and key signing is recommended in the first place.

As an alternative, some people also publish their OpenPGP fingerprint or their OpenPGP public key on their personal or other websites. This method is more secure if the website is accessible over TLS -- even more so when both server and client are using [https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security HSTS] (and [https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions DNSSEC]) -- and/or as an [[Onion_Services#How_Onion_Services_Connections_Work|onion service]] with a <code>.onion</code> domain. Of course, this presupposes the visitor is aware what kind of transportation mechanism is provided. In this case, the adversary would have to:
* break the TLS or onion encryption where someone wants to obtain the key or fingerprint; or
* compromise the server
Depending on the adversary this may take more resources. It should be noted that both the public CA system of TLS and Tor onion services have security issues; see [[SSL|TLS]] and [[Onion_Services#Onion_Services_Security|Onion Services Security]] for further information.

Based on the preceding discussion, it is safest if the same website is accessible over both http'''s''' and <code>.onion</code>. This configuration allows the user to visit both sites and then check if the OpenPGP fingerprint/key results match.

To further improve the situation the key holder can spread its fingerprint and/or OpenPGP key to other websites. Some key holders attach their OpenPGP fingerprint to their email signature (a short attachment to any mail) and to public mailing lists they are participating in. This behavior makes it difficult for an adversary to successfully spoof all these information avenues. Spreading the fingerprint and/or key in various domains is only helpful if the person searching is either aware of that fact or has undertaken research on their own initiative.

https://api.github.com/users/<username>/gpg_keys

example: https://api.github.com/users/adrelanos/gpg_keys

{{Anchor|Hardware Protection vs gpg key encryption}}

== GnuPG Key Encryption vs OpenPGP Hardware Protection ==

{{mbox
| type    = notice
| image   = [[File:Ambox_notice.png|40px|alt=Info]]
| text    = This comparison is incomplete.
}}

'''Table:''' ''GnuPG Key Encryption vs OpenPGP Hardware Protection Comparison''

{| class="wikitable" style="background-color:#fff;text-align:center"
|- style="background-color: #f9f9f9"

| style="height:30px"| '''Domain''' || style="width:200px"| '''GnuPG Encryption of OpenPGP Private Key''' || style="width:200px"| '''Hardware Protection''' <ref>Token or smartcard.</ref>
|-

| style="height:35px;width:400px;background-color: #f9f9f9"| OpenPGP private key can be protected by software encryption
| {{Yes}} <ref>If a secure password has been chosen to protect the OpenPGP private key.</ref>
| {{No}} <ref>The OpenPGP private key is stored unencrypted on the storage of the smartcard or token.</ref>
|-

| style="height:35px;width:70px;background-color: #f9f9f9"| OpenPGP private key can be stored encrypted on storage
| {{Yes}} <ref>Stored on HDD, SSD, USB etc.</ref>
| {{No}} <ref>Stored on the memory chip of the smartcard or token.</ref> <ref name=combination_of_software_encryption_and_hardware_protection>Source: <br />* gnupg-users mailing list: [https://lists.gnupg.org/pipermail/gnupg-users/2013-December/048576.html Possible to combine smartcard PIN with key password?] <br />* Patrick Schleizer specifically asked Werner Koch about this at c3c1. This is neither possible nor a planned or likely future feature.</ref>
|-

| style="height:35px;width:70px;background-color: #f9f9f9"| Software or device implementation: 100% Freedom Software
| {{Yes}}
| {{No}} <ref>The specification may be Freedom Software, but currently there are no blueprints for smartcards or tokens that meet this definition.</ref>
|-

| style="height:35px;width:70px;background-color: #f9f9f9"| Can be independently reproduced and audited
| {{Yes}}
| {{No}} <ref>Due to the absence of blueprints and copyright, no other company can reproduce/audit security.</ref>
|-

| style="height:35px;width:70px;background-color: #f9f9f9"| Number of people capable of auditing the implementation
| style="background-color: {{Yellow}}"| Small <ref>Written in C and using cryptography. This is a difficult endeavor and beyond most individuals.</ref>
| style="background-color: {{Red}}"| Very small <ref>Hardware is more difficult than software and this particular type of hardware is even harder. Only the manufacturing engineers are capable of understanding it. In the case of closed hardware implementations, which is the case for most (if not all) tokens and smartcards , open and independent audits are impossible.</ref>
|-

| style="height:35px;width:70px;background-color: #f9f9f9"| OpenPGP private key is protected by hardware, making it very difficult to extract the key from the device's storage
| {{No}}
| {{Yes}} <ref>It is very difficult to read the storage of smartcards and tokens. Professional data recovery companies usually decline requests for recovery from such storage.</ref>
|-

| style="height:35px;width:70px;background-color: #f9f9f9"| Wipes OpenPGP private key once physical tampering is detected ([https://en.wikipedia.org/wiki/FIPS_140-2#Level_3 FIPS 140-2 Level 3])
| {{No}}
| {{No}} (?) <ref>The author is unaware of any OpenPGP tokens or smartcards that claim to possess this security feature.</ref>
|-

| style="height:35px;width:70px;background-color: #f9f9f9"| OpenPGP private key access notification
| {{No}}
| style="background-color: {{Yellow}}"| Some, yes (?) <ref>It is understood some external smartcard readers blink a flashlight and/or tone when the key is being accessed.</ref>
|-

| style="height:35px;width:70px;background-color: #f9f9f9"| Secret <ref>Password versus pin.</ref> can be entered on a secure external device <ref>On an external device that is usually not infected by malware.</ref>
| {{No}}
| style="background-color: {{Yellow}}"| Some, yes <ref>For example spr332 devices.</ref>
|-

| style="height:35px;width:70px;background-color: #f9f9f9"| OpenPGP private key can no longer be abused once detached from malware infected machine
| {{No}} <ref>A skilled adversary will take a copy of both the OpenPGP private key and the passphrase, just in case that the user manages to move to a malware-free machine.</ref>
| {{Yes}} <ref>Since adversaries cannot extract the key to get a copy, once the compromise has been undone -- either by chance, by doing a clean re-installation which the malware did not survive or because the malware is noticed -- future files/mails encrypted to the private key can no longer be decrypted by the adversary. No new malicious signatures can be made anymore. Revoking previously compromised keys would still be advisable, because the adversary may have created a large number of signatures for all sorts of texts and/or files.</ref>
|-

| style="height:35px;width:70px;background-color: #f9f9f9"| User difficulty in remembering secret
| style="background-color: {{Yellow}}"| Medium <ref>A long passphrase.</ref>
| style="background-color: {{Green}}"| Easy <ref>A medium-sized pin.</ref>
|-

| style="height:35px;width:70px;background-color: #f9f9f9"| Usability
| style="background-color: {{Yellow}}"| Medium <ref>Arguably, OpenPGP is not that simple. In comparison, OTR has a smaller feature set (for example, no signatures for publicly released files), but encryption is much more usable. OTR is younger and has more users.</ref>
| style="background-color: {{Red}}"| Difficult <ref>Initial setup is harder than GnuPG private key password encryption and generally difficult.</ref>
|-

| style="height:35px;width:70px;background-color: #f9f9f9"| OpenPGP private key security once lost (without machine compromise) <ref>Assumptions: <br />* no malware on user's computer <br />* either the storage (HDD, SSD, USB etc.) holding the OpenPGP private key vs token or smartcard has been lost or stolen.</ref>
| style="background-color: {{Green}}"| Protected by software encryption <ref>The adversary would require either: <br />* a backdoor in GnuPG itself; or <br />* a backdoor in the distribution that shipped GnuPG; or <br />* found a vulnerability in GnuPG; or <br />* found an effective weakness in the encryption algorithm used by GnuPG.</ref> <ref>No vulnerabilities in GnuPG's private OpenPGP key encryption has ever been reported.</ref>
| style="background-color: {{Yellow}}"| Protected by hardware <ref>Quote [https://en.wikipedia.org/wiki/Smart_card#Security Wikipedia]: <blockquote>Smart cards can be physically disassembled by using acid, abrasives, or some other technique to obtain unrestricted access to the on-board microprocessor. Although such techniques involve a fairly high risk of permanent damage to the chip, and irrecoverable loss of the secret keys therein, they permit much more detailed information (e.g. photomicrographs of encryption hardware) to be extracted.</blockquote></ref> <ref>Other, non-OpenPGP smartcards have been cracked in the past using ultra-expensive electron-scanning microscopes. Source: theguardian, [https://www.theguardian.com/technology/2002/mar/13/media.citynews How codebreakers cracked the secrets of the smart card]</ref> <ref>https://www.cl.cam.ac.uk/~sps32/mcu_lock.html</ref> <ref>More information is required on how realistic, difficult and expensive these attacks are. Additional reader contributions on this issue are most welcome.</ref>
|-

| style="height:35px;width:70px;background-color: #f9f9f9"| OpenPGP private key cannot be used by malware <ref>If the machine in use has been compromised by malware like a trojan horse.</ref> when key attached <ref>On storage (HDD, SSD, USB etc.) vs on token or smartcard.</ref> and passphrase stolen <ref>By keylogger or extracted from memory once cached.</ref> or pin cached
| {{No}}
| {{No}}
|-

| style="height:35px;width:70px;background-color: #f9f9f9"| OpenPGP private key cannot be extracted, deleted or revoked by malware
| {{No}} <ref>Therefore make sure to have a backup on storage that is never attached to that machine.</ref>
| {{Yes}}
|-

| style="height:35px;width:70px;background-color: #f9f9f9"| Encryption of user's data is still effective once malware infected
| {{No}} <ref>An adversary who managed to compromise the user's machine can use a keylogger to sniff the OpenPGP private key password once it is entered next time or extract it from memory if it is still cached. Any of the user's encrypted email, files, etc. (that are read from the user's devices or that have been extracted from other sources, such as by man-in-the-middle attacks or obtained from the user's mail provider and so forth) can then be decrypted.</ref>
| {{No}} <ref>An adversary who managed to compromise the user's machine can wait until the user caches its pin next time. Otherwise, same as above. Once a machine has been compromised, nothing it shows can be trusted anymore, even if the PIN is never cached. If the PIN is cached or not is up to the software on the user's machine which can be no longer trusted once compromised. The adversary could install their own key caching software (gnupg-agent). Instead of the user's request "decrypt mail X", malware can also intercept this and make it "decrypt mail Y and X".</ref>
|-

| style="height:35px;width:70px;background-color: #f9f9f9"| Signatures cannot be created by malware
| {{No}}
| {{No}}
|-

| style="height:35px;width:70px;background-color: #f9f9f9"| Signature counter on hardware device
| {{No}}
| {{Yes}} <ref>Users could attach their smartcard to other computers, perhaps non-compromised, perhaps offline machines and check the signature counter. For example output, see: [https://spin.atomicobject.com/2014/02/09/gnupg-openpgp-smartcard/ Using an OpenPGP Smartcard with GnuPG].</ref>
|-

| style="height:35px;width:70px;background-color: #f9f9f9"| Signature counter on computer display trustworthy if attached on malware infected computer
| Not applicable
| {{No}} <ref>Once malware is running on a machine, nothing the machine displays can be trusted. It could be manipulated by the malware.</ref>
|-

| style="height:35px;width:70px;background-color: #f9f9f9"| Signature counter trustworthy if attached on malware-free machine <ref>Assumption: The token or card reader has not been compromised by malware running on the user's machine.</ref>
| Not applicable
| {{Yes}}
|-

|}

In conclusion, both options have unique advantages. Unfortunately, it is not yet possible to combine both options. <ref name=combination_of_software_encryption_and_hardware_protection />

= FAQ =

'''Why aren't the SKS keyserver wiki steps always functional?'''

The SKS keyserver network has recently come under attack after a critical vulnerability was discovered which allows certificates to be spammed using a flaw in the OpenPGP protocol itself. Future releases of OpenPGP software will likely mitigate this flaw, but high profile contributors to the protocol suggest that data should not be retrieved form the network at present if possible. For more details, see [https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f here]. <ref>New, experimental keyservers have been established which afford protection against this attack.</ref> <ref>The author notes the potential downsides of this attack: <blockquote>
* If you fetch a poisoned certificate from the keyserver network, you will break your GnuPG installation.
* Poisoned certificates cannot be deleted from the keyserver network.
* The number of deliberately poisoned certificates, currently at only a few, will only rise over time.
* We do not know whether the attackers are intent on poisoning other certificates.
* We do not even know the scope of the damage.</blockquote></ref>
-----
'''Is the OpenPGP keyserver part of the SKS pool?'''

The [https://keys.openpgp.org/about/faq OpenPGP keyserver FAQ] notes:
<blockquote>No. The federation model of the SKS pool has various problems in terms of reliability, abuse-resistance, privacy, and usability. We might do something similar to it, but keys.openpgp.org will never be part of the SKS pool itself.</blockquote>
-----
'''Why can't I receive a key using the new keyserver <code>keys.openpgp.org</code>?'''

At the time of writing, the clearnet keyserver will sometimes lead to the following error:
<pre>gpg: keyserver receive failed: No keyserver available</pre>

As recommended [[#Key_Servers|here]], either:
* Securely download the key from a source outside the keyserver model; or
* If that is not possible, utilize the keyserver v3 onion address instead: <code>http://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion</code>

= See Also =
* [[Verifying Software Signatures]]
* [[OpenPGP]]
* [[Verify the images]]
* [[Signing Key|{{project_name_short}} Signing Key]]
* [[Software Signature Verification Usability Issues and Proposed Solutions]]

= Footnotes =
{{reflist|close=1}}

= License =
The [http://www.openpgp-schulungen.de/fuer/webautoren/ certification] image ([https://www.whonix.org/wiki/File:Hauke_laging_gepruefter_artikel.en.png hauke_laging_gepruefter_artikel.en.png]) is copyrighted by [https://www.hauke-laging.de/ Hauke Laging].

The rest of this page is under the following license.

<blockquote>{{project_name_short}} OpenPGP wiki page Copyright (C) Amnesia <amnesia at boum dot org>
{{project_name_short}} OpenPGP wiki page Copyright (C) 2012 - 2024 ENCRYPTED SUPPORT LP <adrelanos@whonix.org>

This program comes with ABSOLUTELY NO WARRANTY; for details see the wiki source code.
This is free software, and you are welcome to redistribute it under certain conditions; see the wiki source code for details.</blockquote>

{{Footer}}

[[Category:Documentation]]