After some months of entertaining the idea of setting up a public gpg keyserver I finally managed to find some time and do it this weekend.<\/p>\n
Habemus keys.void.gr<\/a><\/strong> Keyserver!<\/p>\n Some history<\/strong> The setup<\/strong> For ports 80,443 the connection path looks like: client -> nginx -> sks keys.void.gr is available in both IPv4 and IPv6.<\/p>\n I’ve also setup an onion\/hidden service for the keyserver, so if you prefer visiting the onion address, here it is: wooprzddebtxfhnq.onion<\/a><\/strong> (available on port 11371 as well).<\/p>\n Difficulties<\/strong> The pool<\/strong> If people place this line in their membership config file and you place theirs, then the keyservers start communicating, or “gossiping” as it is called in the sks language. It needs to be mutual.<\/p>\n Because of the minimal traffic I was seeing on the mailing list archives I thought that finding peers would take weeks, if not months. I was very very wrong. I got 6 replies to my email in less than 2 hours. Impressive. Thanks a lot people!<\/p>\n UI<\/strong> TODO<\/strong> Stats<\/strong> Enjoy!<\/p>\n","protected":false},"excerpt":{"rendered":" After some months of entertaining the idea of setting up a public gpg keyserver I finally managed to find some time and do it this weekend. Habemus keys.void.gr Keyserver! Some history The first time I set up a gpg keyserver was 3 years ago. Its purpose was to make it possible for a researcher to […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"footnotes":""},"categories":[6,5,414,3,8,4],"tags":[33,82,579,301,604,606,608,607,474,605],"class_list":["post-1996","post","type-post","status-publish","format-standard","hentry","category-encryption","category-internet","category-ipv6-networking","category-linux","category-networking","category-privacy","tag-debian","tag-gpg","tag-hidden-service","tag-ipv6","tag-keys","tag-keyserver","tag-onion-service","tag-sks","tag-tor","tag-wot"],"aioseo_notices":[],"views":13765,"_links":{"self":[{"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/posts\/1996","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/comments?post=1996"}],"version-history":[{"count":19,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/posts\/1996\/revisions"}],"predecessor-version":[{"id":2016,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/posts\/1996\/revisions\/2016"}],"wp:attachment":[{"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/media?parent=1996"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/categories?post=1996"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.void.gr\/kargig\/blog\/wp-json\/wp\/v2\/tags?post=1996"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\nThe first time I set up a gpg keyserver<\/a> was 3 years ago. Its purpose was to make it possible for a researcher to get more results than the default on a single query from a keyserver. Using that keyserver the Greek PGP Web of Trust 2012 edition<\/a> was created. After the original import of the keys, I refreshed the keys just 2 or 3 times in the following years.<\/p>\n
\nThe keyserver is running on Debian Linux with SKS<\/a> version 1.1.5. Port 80 and 443 are being handled by nginx which acts as a reverse proxy for SKS. I originally had port 11371, the default port that gpg client uses, behind nginx as well but I had to remove it due to the following issue. I like using HSTS header<\/a> for the HTTPS port, but browsers trying to access http<\/strong>:\/\/keys.void.gr:11371, were switching to https<\/strong>:\/\/keys.void.gr:11371 (because of HSTS) which couldn’t work because port 11371 does not use TLS. So once a browser visited https:\/\/keys.void.gr and got the HSTS header, every future connection towards http:\/\/keys.void.gr:11371 would fail. The solution was to use a protocol multiplexer called sslh<\/a>. What this does, is that it sniffs the connections coming towards port 11371 and if it finds a TLS connection, it sends it to port 443, if it finds an HTTP connection it sends it to port 80. That way you can either visit http:\/\/keys.void.gr:11371 or https:\/\/keys.void.gr:11371 and they both work. <\/p>\n
\nFor port 11317 the connection path looks like: client -> sslh -> nginx -> sks<\/p>\n
\nI’m not sure if it’s the Debian package’s fault or I did something stupid, but if you plan on running your own keyserver be very careful with permissions on the your filesystem. sks errors are not very friendly. Make sure that \/var\/spool\/sks, \/var\/lib\/sks and \/var\/log\/sks are all owned by debian-sks:debian-sks.
\n# chown -R debian-sks:debian-sks \/var\/spool\/sks \/var\/lib\/sks \/var\/log\/sks <\/code>
\nDon’t run the DB building script as root, run it as debian-sks user:
\n# sudo -u debian-sks \/usr\/lib\/sks\/sks_build.sh<\/code>
\nThere are a quite some tunables referenced in the sks man page regarding pagesizes, I went with the default options for now.<\/p>\n
\nTo enter the pool of keyservers and start interacting with other keyservers you have to join the sks-devel mailing list<\/a> and announce your server existence by sending your “membership line” which looks like this:
\nkeys.void.gr 11370 # George K. <keyserver [don't spam me] void [a dot goes here] gr> #0x721006E470459C9C<\/code><\/p>\n
\nI’ve taken the boostrap-ed HTML from https:\/\/github.com\/mattrude\/pgpkeyserver-lite<\/a>.<\/p>\n
\nhkps support will be added in the following days or weeks.<\/p>\n
\nkeys.void.gr Keyserver statistics<\/a>
\nsks-keyservers.net pool Status for keys.void.gr<\/a><\/p>\n