TL;DR
You need a trustworthy way to get your public key to the people you want to email securely, and to get theirs. A public key is not secret; what matters is that the copy the other side uses is really yours. This guide covers the common options, from web services to the GPG command line, and the fingerprint check that makes any of them safe.
1. Understanding the Problem
To send someone an encrypted email you need their public key, and they need yours to reply. The public key encrypts (locks) the message; only the matching private key can decrypt (unlock) it. A public key does not need to be kept secret, but its authenticity does matter: if an attacker replaces the key you think belongs to your correspondent with one they control, you will encrypt your messages to the attacker, who can read them (and quietly re-encrypt them to the real recipient so nobody notices). Exchanging keys securely therefore means making sure the key you use really belongs to the person you think it does.
2. Key Exchange Options
- Key Servers (PGP/GPG): These are publicly accessible databases for storing and retrieving public keys.
- Web-based Key Sharing Services: Several websites let you upload your key and share a link.
- Email Attachment (with Caution): You can attach your public key to an email, but this is the least secure method, because anyone on the path between you can swap the attachment.
- Direct Transfer (USB Drive/In Person): The most secure option if feasible.
3. Using Key Servers
Key servers are a common way to share GPG keys. keys.openpgp.org, used below, is a verifying keyserver: it publishes a key's email address only after that address has been confirmed through the site, so until then the key can be fetched by fingerprint or key ID but not found by searching for the email. That limits, but does not remove, the risk of someone publishing a fake key under your name.
- Find your key ID: run the following (replace your_email@example.com with the address on your key):
gpg --list-keys your_email@example.com
- Upload your key:
gpg --keyserver hkps://keys.openpgp.org --send-keys YOUR_KEY_ID
- Retrieve someone else's key:
gpg --keyserver hkps://keys.openpgp.org --recv-keys THEIR_KEY_ID
Prefer the full 40-hex-digit fingerprint in place of THEIR_KEY_ID rather than a short (8-digit) key ID; short IDs are cheap to collide, so an attacker can publish a different key with the same short ID.
- Verify the fingerprint: Anyone can upload a key carrying any name, so always compare the fingerprint of a key you download with its owner out of band (e.g., by phone or in person) before using it. Use:
gpg --fingerprint THEIR_KEY_ID
4. Web-based Key Sharing Services
These services provide a simpler interface than the command line, but you are trusting the service to serve the right key, so the fingerprint check still applies.
- keys.openpgp.org: the same keyserver used above, with a web page for uploading your key, confirming your email address and searching for other people's keys.
https://keys.openpgp.org
- Keybase.io (now owned by Zoom): Keybase has changed since its acquisition, but it still hosts public keys and ties them to accounts on other sites.
https://keybase.io
Upload your public key to the service and share the resulting link with the person you want to exchange keys with. A link is only as trustworthy as the channel it arrives over, so still confirm the fingerprint.
5. Email Attachment (Use with Extreme Caution)
A public key attached to an email can be swapped in transit by anyone who controls a mail server or the network between you (a man-in-the-middle), and the recipient cannot tell from the email alone. Only do this if other options are unavailable, and treat the attachment as unverified until the fingerprint has been confirmed with the recipient over another secure channel.
- Export your public key:
gpg --armor --export YOUR_KEY_ID > my_public_key.asc
- Attach my_public_key.asc to an email.
- Warn the recipient: Tell them to verify the fingerprint with you before using the key!
6. Direct Transfer
Copy your public key onto a USB drive and hand it directly to the person you want to exchange keys with, or meet in person to share it. This is the most secure method: the key and the fingerprint check travel together, and you can read the fingerprint to each other on the spot.
7. Important Security Considerations
- Fingerprint Verification: Always verify fingerprints out of band (phone call, video chat, in person). Compare the whole 40-digit fingerprint, not just the last 8 or 16 digits.
- Revocation Certificates: Create a revocation certificate for your key and store it securely, separately from the key itself. It lets you tell keyservers and correspondents that the key is no longer valid if the private key is lost or compromised. GnuPG 2.1 and later also write one automatically under ~/.gnupg/openpgp-revocs.d/ when a key is generated.
gpg --output revoke.asc --gen-revoke YOUR_KEY_ID
- Key Management: Keep your private key secure and protected by a strong passphrase, and never share it with anyone. Only the public key is ever uploaded, linked or attached.
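The fingerprint checks in sections 3 and 7 are easier to take seriously once you see what a fingerprint is: a SHA-1 hash over the public-key packet itself, so a substituted key necessarily has a different one. The following Python is an added example, not part of the original guide and not GnuPG's own code: it builds an OpenPGP v4 RSA public-key packet as laid out in RFC 4880, computes its fingerprint the way gpg does, derives the long key ID, and compares a fingerprint against one read out over the phone while refusing anything shorter than the full 40 hex digits. The RSA numbers, creation time and the "substituted" key are constructed values for illustration and are not real keys (real moduli are 2048 bits or more).

```python
"""What a GPG fingerprint commits to, and how to compare one safely.

Added example. Assumptions (mine, not the guide's): OpenPGP v4 public-key
packets per RFC 4880 5.5.2 and 12.2, RSA only. All key material below is
constructed for illustration and is NOT a real key.
"""
import hashlib
import hmac
import re
import struct

RSA_ALGO = 1  # RFC 4880 9.1: public-key algorithm 1 = RSA (encrypt or sign)


def encode_mpi(value: int) -> bytes:
    """OpenPGP MPI: 2-byte big-endian bit length, then the value's bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def decode_mpi(data: bytes, offset: int) -> tuple:
    """Decode the MPI at `offset`; return (value, offset after it)."""
    (bits,) = struct.unpack_from(">H", data, offset)
    start = offset + 2
    end = start + (bits + 7) // 8
    if end > len(data):
        raise ValueError("truncated MPI")
    return int.from_bytes(data[start:end], "big"), end


def build_v4_rsa_public_key(n: int, e: int, created: int) -> bytes:
    """Public-key packet body: version 4, creation time, algorithm, MPIs n and e."""
    return (b"\x04" + struct.pack(">I", created) + bytes([RSA_ALGO])
            + encode_mpi(n) + encode_mpi(e))


def parse_v4_public_key(body: bytes) -> dict:
    """Inverse of build_v4_rsa_public_key: recover creation time, algorithm and MPIs."""
    if not body or body[0] != 4:
        raise ValueError("only version 4 public keys are handled here")
    created, algo = struct.unpack_from(">IB", body, 1)
    mpis, off = [], 6
    while off < len(body):
        value, off = decode_mpi(body, off)
        mpis.append(value)
    return {"created": created, "algorithm": algo, "mpis": mpis}


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the 2-byte body length, and the body.

    Returned as 40 uppercase hex digits, i.e. `gpg --fingerprint` without spaces.
    """
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def normalize_fingerprint(text: str) -> str:
    """Strip the spaces gpg prints and ignore case, so phone dictation compares cleanly."""
    return re.sub(r"\s+", "", text).upper()


def key_id(fingerprint: str) -> str:
    """Long key ID = low 64 bits, i.e. the last 16 hex digits, of the fingerprint."""
    return normalize_fingerprint(fingerprint)[-16:]


def format_like_gpg(fingerprint: str) -> str:
    """Render as gpg does: ten groups of four, with a double space in the middle."""
    f = normalize_fingerprint(fingerprint)
    groups = [f[i:i + 4] for i in range(0, 40, 4)]
    return " ".join(groups[:5]) + "  " + " ".join(groups[5:])


FULL_FPR = re.compile(r"[0-9A-F]{40}")


def fingerprint_matches(downloaded: str, out_of_band: str) -> bool:
    """Compare a downloaded key's fingerprint with one confirmed out of band.

    Refuses anything that is not a full 40-digit v4 fingerprint: short and long
    key IDs are only suffixes of the hash and can be collided on purpose.
    """
    a, b = normalize_fingerprint(downloaded), normalize_fingerprint(out_of_band)
    if not (FULL_FPR.fullmatch(a) and FULL_FPR.fullmatch(b)):
        return False
    return hmac.compare_digest(a.encode(), b.encode())


# Constructed sample keys (not real): Alice's key and an attacker's substitute
# that differs from it in a single bit of the modulus.
CREATED = 1700000000
ALICE_N = 0xD4C3B2A1F0E1D2C3B4A5968778695A4B3C2D1E0F0123456789ABCDEF
ALICE_E = 65537
ALICE_KEY = build_v4_rsa_public_key(ALICE_N, ALICE_E, CREATED)
SUBSTITUTED_KEY = build_v4_rsa_public_key(ALICE_N ^ 0x10, ALICE_E, CREATED)

if __name__ == "__main__":
    fpr = v4_fingerprint(ALICE_KEY)
    print("Alice's fingerprint: ", format_like_gpg(fpr))
    print("Long key ID:         ", key_id(fpr))
    print("Substituted key:     ", format_like_gpg(v4_fingerprint(SUBSTITUTED_KEY)))
    print("Phone check passes:  ", fingerprint_matches(fpr, format_like_gpg(fpr).lower()))
    print("Key ID alone passes: ", fingerprint_matches(fpr, key_id(fpr)))
```

The two constructed keys have the same length, the same creation time and the same exponent, and still hash to unrelated fingerprints, which is exactly why reading the full fingerprint to each other catches a swapped key. `fingerprint_matches` deliberately returns False when handed only a key ID, matching the advice in section 7 to compare all 40 digits.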