About keys.openpgp.org

OpenPGP keyservers are public repositories of OpenPGP public keys that applications use to discover the public keys of contacts.

In Tails 4.1 (December 2019), we changed the default GnuPG configuration to use https://keys.openpgp.org/, also available on http://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion/, as the default OpenPGP keyserver.

  • keys.openpgp.org is more trustworthy than other OpenPGP public keyservers because it only references an OpenPGP public key after sending a confirmation email to each email address listed in the key.

  • keys.openpgp.org does not distribute third-party signatures, which are the signatures on a key that were made by some other key. Third-party signatures are the signatures used to create the OpenPGP Web of Trust.

  • keys.openpgp.org prevents OpenPGP certificate flooding attacks, which can make your OpenPGP keyring unusable and crash your computer.

To learn more about keys.openpgp.org, read their About and FAQ pages.

Updating your Tails to use keys.openpgp.org

If you have GnuPG keys stored in your Persistent Storage since before Tails 4.1, you should update your keyserver configuration.

If you only use OpenPGP in Thunderbird, you don't need to follow these instructions. Thunderbird automatically uses keys.openpgp.org.

Tails was previously configured to use the SKS keyserver network, which has been subject to OpenPGP certificate flooding attacks since June 2019.

Downloading a public key that has been flooded can corrupt your GnuPG keyring, make your keyring extremely slow to operate, and possibly overheat and crash your computer. Only a few keys in the SKS keyserver network have been flooded. Downloading a flooded public key does not compromise the security of your private keys.

To update your keyserver configuration:

  1. Open the Text Editor.

  2. Click Open and choose Other Documents....

  3. Navigate to the Home folder.

  4. Right-click (on Mac, click with two fingers) on the list of files in the right pane and choose Show Hidden Files.

  5. Open the .gnupg folder.

  6. Edit the gpg.conf file in the .gnupg folder.

    Replace its content with the content of our default gpg.conf file:

    config/chroot local-includes/etc/skel/.gnupg/gpg.conf

  7. Edit the dirmngr.conf file in the .gnupg folder.

    Replace its content with the content of our default dirmngr.conf file:

    config/chroot local-includes/etc/skel/.gnupg/dirmngr.conf

  8. Save both files and close the Text Editor.