32

https://sks-keyservers.net/ (Internet Archive snapshot) says

This service is deprecated. This means it is no longer maintained, and new HKPS certificates will not be issued. Service reliability should not be expected.

Update 2021-06-21: Due to even more GDPR takedown requests, the DNS records for the pool will no longer be provided at all.

Which keyservers can I use for gpg --keyserver "$keyserver1" --recv-key keyid that I can expect will not go away anytime soon?

Ole Tange

5 Answers

26

Which keyservers can I use for gpg --keyserver "$keyserver1" --recv-key keyid that I can expect will not go away anytime soon?

The recommendation is to use keys.openpgp.org, however this keyserver only includes User IDs for keys whose owners have personally confirmed via email (basically eliminating large swaths of the PGP ecosystem). It also does not include any 3rd party signatures on keys to mitigate the possibility of a "poisoned key" attack. As of December 2021, this is the default (if none is configured by the user) keyserver for GnuPG packaged by Debian since gnupg2 2.2.17-1 (released in 2019).

Personally, I'd recommend a Hockeypuck-based keyserver like keyserver.ubuntu.com, which isn't so limited (although it does strip 3rd party signatures). GnuPG has since changed this to the default as of versions 2.2.29 and 2.3.2.

Anthony Geoghegan
fuzzydrawrings
  • I've upvoted your answer as being nice and succinct. There's lots of good documentation about `keys.openpgp.org` and Hagrid but I haven't really researched Hockeypuck yet. – Anthony Geoghegan Dec 22 '21 at 00:58
  • `keyserver.ubuntu.com` processes [takedown requests from users](https://askubuntu.com/a/1449440/1112981), so it should not give up under GDPR pressure. Unlike `keys.openpgp.org`, it is [committed to keep peering](https://keyserver.ubuntu.com/#about) with [other servers](https://github.com/pgpkeys-eu). Finally, [GnuPG now uses it by default.](https://unix.stackexchange.com/a/352774/423679) – Roman Riabenko Aug 22 '23 at 07:01
8

keys.gnupg.net is also gone.

At least keyserver.ubuntu.com is still functional. I was able to use it from GnuPG only after adding an hkps:// prefix and a :443 suffix:

gpg2 --keyserver hkps://keyserver.ubuntu.com:443 --recv-keys XXXXXXXXXXXXXXXX

Notice that its web front-end and many others like https://pgp.key-server.io/ don't let you search for a key by its ID if you enter it like XXXXXXXXXXXXXXXX or XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX, but searching for 0xXXXXXXXXXXXXXXXX or 0xXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX works fine. It also works on https://pgp.mit.edu/, but the lookup is very slow there, and I couldn't get it working via GnuPG.

selurvedu
  • Upvoted. I'd point out that when configuring a HKPS keyserver, you can either specify the `hkps://` schema or the `:443` port number: either will suffice to use HKP over TLS. An advantage of HKPS is that it provides greater privacy and if the user is behind a corporate firewall, port 11371 could be blocked while 443 is unlikely to be. – Anthony Geoghegan Dec 22 '21 at 00:37
  • `pgp.mit.edu` [says that they do not process takedown requests](https://pgp.mit.edu/faq.html), so it is not clear how they survive the GDPR, which is the concern in the OP's question. Also, they still use the SKS server software, which is [said to be susceptible to certificate spamming attacks](https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d6955275f#the-certificate-spamming-attack). Finally, they [do not list gossip peers anymore](http://pgp.mit.edu/pks/lookup?op=stats), so they do not [exchange keys with other servers](https://security.stackexchange.com/a/82297/241015). – Roman Riabenko Aug 22 '23 at 07:13
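As an added example (not part of any answer above), a POSIX sh script that tries the HKPS keyservers named in this thread in order, fetches a key through the HKP /pks/lookup endpoint using the 0x-prefixed ID the web front-ends expect, and, when a full 40-hex fingerprint was requested, refuses to import a key whose fingerprint differs. The KEYSERVERS order, the curl timeout and the use of `--import-options show-only` to read the fingerprint are my assumptions.

```shell
#!/bin/sh
# Ordered list of HKPS keyservers to try; hkps:// scheme, port 443 (assumed order).
KEYSERVERS="${KEYSERVERS:-hkps://keys.openpgp.org:443 hkps://keyserver.ubuntu.com:443}"

# normalize_keyid: strip spaces and any 0x prefix, upper-case, and accept only
# a 16-hex long key ID or a 40-hex full fingerprint. Prints "0x<HEX>".
normalize_keyid() {
    id=$(printf '%s' "$1" | tr -d ' ' | sed 's/^0[xX]//' | tr 'a-f' 'A-F')
    case "$id" in *[!0-9A-F]*|'') return 1 ;; esac
    case ${#id} in
        16|40) printf '0x%s\n' "$id" ;;
        *) return 1 ;;
    esac
}

# hkp_lookup_url: map hkps://host:port (or hkp://) plus a key ID onto the HKP
# /pks/lookup endpoint; op=get with options=mr returns the bare armored key.
hkp_lookup_url() {
    server=$1
    id=$(normalize_keyid "$2") || return 1
    case "$server" in
        hkps://*) base="https://${server#hkps://}" ;;
        hkp://*)  base="http://${server#hkp://}" ;;
        *) return 1 ;;
    esac
    printf '%s/pks/lookup?op=get&options=mr&search=%s\n' "$base" "$id"
}

# fetch_key: try each server in order and import the first key returned. When
# a full fingerprint was requested, a key whose fingerprint differs is refused
# (a 16-hex key ID alone is not guaranteed to identify a key uniquely).
fetch_key() {
    want=$(normalize_keyid "$1") || { echo "bad key id: $1" >&2; return 1; }
    for ks in $KEYSERVERS; do
        url=$(hkp_lookup_url "$ks" "$want") || continue
        if armored=$(curl -fsS --max-time 20 "$url"); then
            if [ "${#want}" -eq 42 ]; then
                got=$(printf '%s\n' "$armored" \
                    | gpg --with-colons --import-options show-only --import 2>/dev/null \
                    | awk -F: '$1 == "fpr" { print "0x" $10; exit }')
                [ "$got" = "$want" ] || { echo "fingerprint mismatch from $ks" >&2; continue; }
            fi
            printf '%s\n' "$armored" | gpg --import && return 0
        fi
        echo "no key from $ks, trying next" >&2
    done
    return 1
}

[ $# -eq 0 ] || fetch_key "$1"
```

Run it as `sh fetch-key.sh 0x<fingerprint>`; override the server order with the KEYSERVERS environment variable.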
7

Alternate public PGP key servers that support access via HKP (like SKS keyservers used to):

Access via other protocols that are supported by GnuPG:

Because the SKS key servers were taken down due to GDPR-related problems, we should be prepared that, in the long run, only verifying key servers remain available. Verifying key servers demand that the user verifies their email address before the PGP key is published.

(Parts of the information collected from PGP Key Retrieval)

not2savvy
5

SUMMARY

The Old

To add a little more detail to what not2savvy has written:

Basically, PGP Keyservers were running on SKS-Keyserver code written decades ago and unmaintained. They got hacked in June 2019 and got taken down permanently. For details, see this post by the maintainer of the GnuPG FAQ, Robert J. Hansen: SKS Keyserver Network Under Attack.

The New

Several new PGP Keyservers have been written since which implement the HKP Protocol.

Verifying Keyservers - (Use)*

Verifying keyservers are new servers which verify the email addresses of uploaded keys, and are designed to be "resistant to the abuse and privacy issues that plague old SKS Keyservers".

I would suggest using verifying keyservers:

The Ubuntu keyserver below does not verify your keys email address but is a new maintained keyserver which may implement verification in the future.

not2savvy
Tony Barganski
1

I chose to use

  • pgp.surf.nl
  • keyserver.bazon.ru
  • agora.cenditel.gob.ve
  • pgp.benny-baumann.de
AdminBee
Ole Tange
  • Your question acknowledged that SKS is deprecated and all keyservers using it will eventually be unreliable... what makes you think the SKS-based keyservers you listed will remain reliable? – fuzzydrawrings Oct 06 '21 at 16:28
  • It would be great if people stopped spreading servers that aren't compliant with the EU GDPR. – lpuerto May 15 '22 at 18:12