What is WKD?
The Web Key Directory (WKD) is a protocol that simplifies the retrieval of OpenPGP public encryption keys linked to email addresses.
By leveraging WKD, Mailfence users can conveniently access the OpenPGP public keys they need to encrypt emails, ensuring that only the intended recipient can decrypt and read the message.
This system improves the security of email communication by streamlining the encryption process.
A quick refresher on public key cryptography
To understand WKD’s importance, let’s do a quick recap on the fundamentals of public-key cryptography.
Public-key cryptography (also called asymmetric cryptography) is based on pairs of related keys:
- a public key: this key is shared openly for encrypting messages or verifying signatures;
- a private key: this key is kept confidential and used for decryption or creating signatures.
Each user wishing to use end-to-end encryption to secure their communications needs to create such a key pair. The two keys are mathematically linked, but the private key cannot be derived from the public key, which is what makes the scheme secure.
If both the sender and the receiver have their keypairs, then the sender can encrypt a message using the recipient’s public key. On the other side, the recipient decrypts the message using their own private key.
However, this poses one challenge: how do you learn a recipient’s public key, especially if you’ve never communicated with them before?
If you’re a whistleblower reaching out to a news organization, they might have published their public keys on their website. This is the case for The Guardian for example, which publishes the public keys of all its writers on their website. Similarly, we publish our public key here if you want to contact us securely.
However, this is not always the case. So how do you discover someone’s OpenPGP public key? Enter WKD.
How WKD Operates
WKD works seamlessly behind the scenes to simplify OpenPGP public key discovery.
The first step is for an email domain to publish OpenPGP public keys for their users in a specific directory on their web servers.
This follows a standard protocol format:
- keys are stored under the .well-known/openpgpkey/ directory of the domain’s web server;
- the key of each user is accessible via a unique URL derived from their email address.
When an email client needs an OpenPGP public key, it queries the WKD directory of the recipient’s domain. The client builds the query based on the email address.
The public key is then fetched via an HTTPS connection, reducing the chance of tampering during transfer.
The retrieved OpenPGP key is used to encrypt the email. The recipient then decrypts it using their private key. If WKD cannot find a key, other methods such as traditional key servers or manual sharing remain available.
If you want to learn more, check out this guide on our best OpenPGP practices, which discusses how to discover public keys.
A quick example
Let’s look at a quick example. Alice wants to send an encrypted email to Bob, a Mailfence user, at bob@mailfence.com.
Firstly, Alice’s email client queries mailfence.com for Bob’s public key using WKD. If found, the client securely downloads Bob’s public key.
Alice can then encrypt the email with the OpenPGP key and send it. Bob will decrypt the email on his side with his OpenPGP private key, ensuring secure, end-to-end encrypted communication.
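The lookup described in “How WKD Operates” and in the Alice/Bob example above is deterministic: the client lowercases the local part of the address, hashes it with SHA-1, encodes the digest in z-base-32 and places it under .well-known/openpgpkey/. The following is an added illustration of that URL construction, written for this article and not Mailfence’s own code; it follows the public WKD draft (advanced method on the openpgpkey subdomain first, direct method on the bare domain as fallback).

```python
import hashlib
from urllib.parse import quote

# z-base-32 alphabet, as required by the WKD draft for the hashed local part
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Encode bytes as unpadded z-base-32 (a 20-byte SHA-1 digest yields 32 chars)."""
    bits, bit_count, out = 0, 0, []
    for byte in data:
        bits = (bits << 8) | byte
        bit_count += 8
        while bit_count >= 5:
            bit_count -= 5
            out.append(ZBASE32_ALPHABET[(bits >> bit_count) & 0x1F])
    if bit_count:  # leftover bits are left-aligned into a final symbol
        out.append(ZBASE32_ALPHABET[(bits << (5 - bit_count)) & 0x1F])
    return "".join(out)


def wkd_urls(email: str) -> dict:
    """Return the WKD hash and the two candidate HTTPS URLs for an email address."""
    local, _, domain = email.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    # Only the lowercased local part is hashed; the domain is lowercased in the URL.
    hashed = zbase32_encode(hashlib.sha1(local.lower().encode("utf-8")).digest())
    domain_l = domain.lower()
    # The "l" query parameter carries the original (not lowercased) local part.
    l_param = quote(local, safe="")
    return {
        "hash": hashed,
        "advanced": f"https://openpgpkey.{domain_l}/.well-known/openpgpkey/"
                    f"{domain_l}/hu/{hashed}?l={l_param}",
        "direct": f"https://{domain_l}/.well-known/openpgpkey/hu/{hashed}?l={l_param}",
    }


if __name__ == "__main__":
    # Address from the article's example; a client would try "advanced" first, then "direct".
    for method, url in wkd_urls("bob@mailfence.com").items():
        print(f"{method}: {url}")
```

A client that fetches either URL should still check that the returned key carries a User ID matching the address it asked for before encrypting to it.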
Why is WKD Useful?
To recap, here are some of the major benefits of WKD:
- Simplified Key Retrieval. Before WKD, people needed to exchange public keys manually, which could involve email attachments, USB drives, or third-party key servers. These methods were inconvenient and prone to data privacy and security errors. WKD automates this process, allowing email clients to fetch keys directly from the recipient’s email domain without manual intervention.
- Strengthened Security. Public key retrieval via WKD relies on encrypted HTTPS connections, reducing the likelihood of interception or tampering during transmission. This direct approach minimizes risks such as man-in-the-middle attacks.
- Promotes Encryption Adoption. The complexity of traditional encryption methods has deterred many users. By making key discovery straightforward, WKD encourages more widespread use of encrypted email, making it a practical option for everyday communication.
- Keeps Keys Up to Date. WKD retrieves public keys in real time from the recipient’s email domain, increasing the likelihood of using the most current and valid key. This reduces the chances of relying on expired or compromised keys.
How we use WKD here at Mailfence
Mailfence has supported WKD since 2021.
This means that when you generate an OpenPGP key pair or import one into your Mailfence account key store, the corresponding public key (including the e-mail address and name) is made publicly available on our Web Key Directory server.
The only conditions are that:
- the associated email address is based on the “mailfence.com” domain name;
- the user’s email address is associated with the key’s User ID (a key icon next to the “From” address in the Message composer indicates this);
- the key is associated with the Mailfence account’s primary or alias address.
Users can also download OpenPGP public keys from external domains (or services) that support WKD into their Mailfence account key store. Owners of custom domains will have to set up WKD for their own domains, or can use WKD as a service.
What is WKD: Wrap-up
The Web Key Directory (WKD) protocol is a major step in making OpenPGP-based end-to-end encryption more accessible.
By automating key discovery and reducing reliance on third-party systems, WKD simplifies encryption, enabling more users to communicate securely. At Mailfence, we remain committed to supporting innovations like WKD to ensure our users enjoy safe and private online interactions.