How to share an OpenPGP public key easily in three steps!

End-to-end encryption is an essential part of the Mailfence secure and private email platform. To use it you first need your correspondent's OpenPGP public key, and exchanging public keys in a secure and reliable manner can be challenging. In this blog post we present some easy yet reliable ways to exchange OpenPGP public keys. We cover this in a stepwise fashion: where to get an OpenPGP public key, how to obtain its fingerprint separately, and finally how to verify that the key belongs to its claimed owner.

Step – 1: Exchange the OpenPGP public key!

The first step is to share your OpenPGP public key with your recipient, and to obtain theirs. The following are some of the most common and efficient ways to do this.

Digitally signed email

Send your recipient a digitally signed email with your public key attached, and ask your recipient to do the same. This requires you to have your recipient's email address in advance.

At Mailfence, take the following steps:

  1. Compose your message
  2. Attach your public key
  3. Digitally sign your message

Note:

  • Make sure the email address you are sending to or have received from is the right one (obtained via a trusted side-channel: meeting in person, telephone, …), as sender addresses can be spoofed.
  • A signature made with the attached key only proves that the sender holds the matching private key; it says nothing about who that sender is. That is what the fingerprint check in step 2 is for.

Instant messaging apps

There are various mobile messaging apps that allow you to send files as well. This requires you to have your recipient's mobile number in advance, and you both need to be registered on the corresponding app.

The following mobile apps can be used to share or exchange your public key with your recipient.

  • WhatsApp
  • Signal (recommended)

Note:

  • Make sure you have the right mobile number of your recipient (obtained via a trusted side-channel: meeting in person, telephone, …), as numbers and profiles can be spoofed.
  • If you are not certain of the identity of your contact, follow the contact verification steps specific to each app (e.g. comparing safety numbers in Signal).

Social media accounts

A lot of people today are on social media (Facebook, Twitter, …). However, each platform has its own restrictions on sending direct messages to other users.

Use one of the following social platforms:

  • Twitter
    Simply copy your OpenPGP public key text and send it as a direct message to your recipient
  • Facebook
    Simply copy your OpenPGP public key text and send it as a direct message to your recipient

You can use other platforms like Google+, … in the same manner.

You can also publish your OpenPGP public key on your own website or other online presence. At Mailfence, you can use your document storage to share your public key via a Direct access link.

  1. Go to your Mailfence account document storage, click on the wheel and click on ‘Create public folder’
  2. Upload your OpenPGP public key
  3. Right-click on your public key and click on ‘Direct access’
  4. Share the given link under ‘Public access’ with your recipients and other people

Note:

  • Fake social media profiles are common; make sure you use the right one (do some checks in order to establish some level of trust).
  • Social profiles also get compromised. Check your recipient's profile for suspicious signs, just to be sure that it has not been taken over.

Open Public key repositories: Keybase.io

A public key repository is a place where the public keys of different people are stored. Keybase.io is a public key repository that lets users link their key to their devices and publish signed proofs for various social accounts. This lends more legitimacy to their identity, which can be cross-checked on those other platforms. It also facilitates the verification of digital signatures. Keybase.io works well with Mailfence's interoperable OpenPGP feature.

  1. Create your account
  2. Upload your PGP public key (the wizard will also ask you to sign a proof with your private key)
  3. Add your devices and connect multiple social accounts, to make your identity more legitimate

Other open Public key repositories

There are other open public key servers that do not require you to create an account or sign a proof before uploading your key. However, publishing a public key on them is irreversible: your key cannot be deleted, only updated (changing its expiration date, adding sub-keys, uploading a revocation certificate, …). An additional disadvantage of such keyservers is that your UID (name and email address) becomes public.

If you do want to publish on other public key servers via Mailfence, take the following steps:

  1. Go to Settings -> Messages -> Encryption and click on your Personal key
  2. Click on ‘Publish on public key server’

Note:

  • As anyone can publish a public key under any name and email address on these open key servers, make sure you have established some level of trust before copying a public key fingerprint from them
  • Avoid copying the fingerprint of a revoked and/or expired public key

Step – 2: Get the OpenPGP public key fingerprint using a different channel!

After sharing or exchanging the public key with your recipient, the next step is to acquire the fingerprint of that public key over a different channel than the one used in step 1. The fingerprint is a cryptographic hash of the public key (40 hexadecimal digits for the current version 4 keys), so it is short enough to read out over the phone or print on a business card, yet cannot be matched by a different key. Public keys get spoofed; don't skip this step.

Digitally signed email

Send a digitally signed email. It should include your public key fingerprint in the message body and ask your recipient to do the same.

At Mailfence, this can easily be done by taking the following steps:

  1. Compose your message, while including your OpenPGP public key fingerprint
  2. Digitally sign & send your message

Note:

  • Make sure the email address you are sending to or have received from is the right one (obtained via a trusted side-channel: meeting in person, telephone, …), as it can be spoofed. If the public key itself also arrived by email from the same address, this is not a separate channel.

Instant messaging apps or a call

This requires you to have your recipient's mobile number in advance. A simple telephone call will suffice: read the fingerprint out loud, four hexadecimal digits at a time. For instant messaging, you and your recipient both need to be registered on the corresponding app.

The following mobile apps can be used to share or exchange your public key fingerprint with your recipient.

  • WhatsApp
  • Signal (recommended)

Note:

  • Make sure you have the right mobile number of your recipient (obtained via a trusted side-channel: meeting in person, telephone, …), as numbers and profiles can be spoofed.
  • If you are not certain of the identity of your contact, follow the contact verification steps specific to each app.

Social media accounts

A lot of people today are on social media (Facebook, Twitter, …), which makes it an easy channel for sharing or exchanging your public key fingerprint. However, each platform has its own restrictions on sending direct messages to other users.

Use one of the following social networks:

  • Twitter
    Simply copy your OpenPGP public key fingerprint and send it as a direct message to your recipient

    You can also include your OpenPGP public key fingerprint in your profile 'About' section
  • Facebook
    Simply copy your OpenPGP public key fingerprint and send it as a direct message to your recipient

    You can also include your OpenPGP public key fingerprint in your profile 'About' section

Use other platforms like Google+, … in the same manner.

You can also put your OpenPGP public key fingerprint on your website or other online presence. At Mailfence, you can use your document storage to share your fingerprint via a Direct access link.

  1. Go to your Mailfence account document storage, click on the wheel and click on ‘Create public folder’
  2. Upload a text file containing your OpenPGP public key fingerprint (or the public key itself; anyone can recompute the fingerprint from it)
  3. Right-click on your public key and click on ‘Direct access’
  4. Share the given link under ‘Public access’ with your recipients and other people

Note:

  • Fake social media profiles are common; make sure you use the right one (do some checks in order to establish some level of trust)
  • Social profiles also get compromised. Check your recipient's profile for suspicious signs, just to be sure that it has not been taken over.
  • If you already shared your public key through the same profile or Direct access link in step 1, this is not a separate channel; use each channel for at most one of the two steps.

Open Public key repositories

You can use any public key repository (e.g., Keybase.io or other open public key servers) to acquire public key fingerprints. The goal is to get the public key fingerprint using a separate channel.

  • Keybase.io
  • Public key server (e.g., https://pgp.mit.edu)

At Mailfence, take the following steps:

  1. Go to Settings -> Messages -> Encryption -> Add public key -> Search in public key servers
  2. Type the name, email address or key ID of your recipient and hit Enter. The fingerprint(s) of the matching public key(s) will be displayed

Note:

  • Avoid copying the fingerprint of a revoked and/or expired public key
  • Anyone can upload a key under any name or email address to an open key server, so a fingerprint found there is only evidence when it agrees with at least one other channel. The goal is to acquire the fingerprint through a separate channel: look for as many channels as possible and cross-check the acquired public key fingerprint

Step – 3: Verify that the OpenPGP public key indeed belongs to its claimed owner!

Finally, after obtaining your recipient's public key and, via a different channel, its fingerprint, the verification itself is plain and simple: compare the fingerprint of the public key you received with the fingerprint you acquired out of band. Compare all 40 hexadecimal digits, not just the last 8 or 16 (the short and long key IDs): 32-bit short key IDs in particular can be collided at will, so a key with the same key ID but a different fingerprint is not the same key. If the full fingerprints match, you can be as sure that the public key belongs to its claimed owner as you are of the channel the fingerprint came from, and you can use it to communicate securely with your recipient(s).

At Mailfence, take the following steps:

  1. Go to Settings -> Messages -> Encryption and click on your recipient's public key
  2. Copy the fingerprint obtained in step 2 and use your browser's 'find' feature (e.g. press Ctrl+F) to look for it on the key's page. If nothing is found, first check that spacing and case match the way the page displays the fingerprint before concluding that the key is wrong
  3. If all 40 digits match, you can be sure that the obtained public key belongs to its claimed owner, and you can use it to communicate securely with your recipient(s).
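As an added example, not part of the original post and not Mailfence's own code, the following Python (standard library only) shows what sits behind the fingerprint that Mailfence or `gpg --fingerprint` displays, and how the step 2 and step 3 comparison should be done. It parses an ASCII-armored public key block, checks the armor's CRC-24 line, walks the packets, takes the first public-key packet and computes the version 4 fingerprint (SHA-1 over 0x99, the two-octet body length and the packet body, RFC 4880 section 12.2). It then compares that with a fingerprint obtained over another channel, tolerating differences in spacing, case and a 0x prefix but refusing an 8- or 16-digit key ID. The key material is constructed toy data, not a real RSA key, so that the block runs offline; the packet parser handles only what a key block needs (no partial-body or indeterminate lengths).

```python
import base64, hashlib, hmac, re

ARMOR_HEADER = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
ARMOR_FOOTER = "-----END PGP PUBLIC KEY BLOCK-----"

def crc24(data: bytes) -> int:
    """OpenPGP CRC-24 (RFC 4880, section 6.1) behind the '=XXXX' armor checksum line."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def mpi(value: int) -> bytes:  # multi-precision integer: 2-octet bit length, then big-endian magnitude
    return value.bit_length().to_bytes(2, "big") + value.to_bytes((value.bit_length() + 7) // 8, "big")

def build_v4_rsa_public_key_body(n: int, e: int, created: int) -> bytes:
    """Body of a tag-6 public-key packet: version 4, creation time, algorithm 1 (RSA), then n and e."""
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)

def armor_public_key(body: bytes) -> str:
    """Prefix an old-format packet header (tag 6, 1-octet length) and ASCII-armor the packet."""
    packet = bytes([0x98, len(body)]) + body  # 0x98 = 1 0 0110 00: old format, tag 6, 1-octet length
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join([ARMOR_HEADER, "", base64.b64encode(packet).decode(), "=" + crc, ARMOR_FOOTER])

def decode_armor(text: str) -> bytes:
    """Strip the armor, verify the CRC-24 line and return the raw packet bytes."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if lines[0] != ARMOR_HEADER or lines[-1] != ARMOR_FOOTER:
        raise ValueError("not an armored OpenPGP public key block")
    inner = lines[1:-1]
    if "" in inner:  # skip optional armor headers such as "Version: ..." up to the blank line
        inner = inner[inner.index("") + 1:]
    if not inner or not inner[-1].startswith("="):
        raise ValueError("missing CRC-24 checksum line")
    data = base64.b64decode("".join(inner[:-1]))
    if crc24(data).to_bytes(3, "big") != base64.b64decode(inner[-1][1:]):
        raise ValueError("CRC-24 mismatch: the armored key is corrupted or was tampered with")
    return data

def packets(data: bytes):
    """Yield (tag, body) per packet, handling old- and new-format headers (RFC 4880, section 4.2)."""
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if not ctb & 0x80:
            raise ValueError("invalid packet header")
        if ctb & 0x40:  # new format: tag in the low 6 bits, then a 1-, 2- or 5-octet length
            tag, first, i = ctb & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = int.from_bytes(data[i:i + 4], "big"), i + 4
            else:
                raise ValueError("partial body lengths are not supported by this example")
        else:  # old format: tag in bits 2-5; length-type 0/1/2 means a 1/2/4-octet length
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported by this example")
            length, i = int.from_bytes(data[i:i + (1 << ltype)], "big"), i + (1 << ltype)
        yield tag, data[i:i + length]
        i += length

def v4_fingerprint(body: bytes) -> str:
    """v4 fingerprint = SHA-1(0x99 || 2-octet body length || body), as 40 upper-case hex digits."""
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def fingerprint_from_armored_key(text: str) -> str:
    """Fingerprint of the primary key, i.e. the first tag-6 (public-key) packet in the block."""
    for tag, body in packets(decode_armor(text)):
        if tag == 6:
            if body[0] != 4:
                raise ValueError(f"only version 4 keys are handled here, got version {body[0]}")
            return v4_fingerprint(body)
    raise ValueError("no public-key packet found")

def fingerprints_match(obtained: str, out_of_band: str) -> bool:
    """Compare two full fingerprints in constant time, tolerating spaces, case and a 0x prefix.
    Anything shorter than 40 hex digits (an 8- or 16-digit key ID) is rejected outright."""
    def norm(fp: str) -> str:
        fp = re.sub(r"\s+", "", fp).upper()
        return fp[2:] if fp.startswith("0X") else fp
    a, b = norm(obtained), norm(out_of_band)
    if not (re.fullmatch(r"[0-9A-F]{40}", a) and re.fullmatch(r"[0-9A-F]{40}", b)):
        return False
    return hmac.compare_digest(a, b)

# Constructed toy key material (NOT a real RSA modulus), only so the example runs offline.
TOY_N, TOY_E, TOY_CREATED = (1 << 255) | 0x0123456789ABCDEF, 65537, 1577836800  # created 2020-01-01
SAMPLE_ARMORED_KEY = armor_public_key(build_v4_rsa_public_key_body(TOY_N, TOY_E, TOY_CREATED))

if __name__ == "__main__":
    fp = fingerprint_from_armored_key(SAMPLE_ARMORED_KEY)
    print("fingerprint:", " ".join(fp[i:i + 4] for i in range(0, 40, 4)))
    print("match:", fingerprints_match(fp, fp.lower()))  # second value would come from the phone call
```

With a real key, replace SAMPLE_ARMORED_KEY by the contents of the exported .asc file and the second argument of fingerprints_match by the value read over the phone or copied from a profile; the result should equal what `gpg --fingerprint` prints after `gpg --import`. The CRC-24 check catches accidental corruption of a pasted key, not a deliberate substitution: only the out-of-band fingerprint comparison does that.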

SIDE-CASE

Meeting in person: If you know your recipient and it is possible to meet in person, this is probably the most suitable option. You can exchange public keys on a flash drive, then exchange the fingerprints orally or by any other means that is secure and reliable. Step 3 still applies in this situation.

A final note: don't forget to check whether the public key has been revoked or has expired.

See also:

Reclaim your email privacy!

Follow us on twitter/reddit and keep yourself posted at all times.

– Mailfence Team



M Salman Nadeem

Information Security Analyst - Security Team | Mailfence
