Should I publish my public key on a keyserver?

Keyservers are public databases for OpenPGP keys. This article explains when you should use keyservers - and why eclipso's auto-import is the better alternative for most users.


Info: eclipso's automatic key exchange makes keyservers unnecessary for 90% of users. Public keys are imported automatically from signed emails, without any manual keyserver search.

  • What are keyservers?

    • Keyservers are public databases for OpenPGP keys
    • Anyone can upload and search for public keys
    • Most well-known servers: keys.openpgp.org, pgp.mit.edu, keyserver.ubuntu.com (the latter two are traditional SKS-style servers)
    • Traditional problem: Alice wants to send Bob an encrypted email → Must first search for Bob's public key on keyserver
    • eclipso's solution: Bob sends a signed email → eclipso automatically imports the key → Alice can immediately reply encrypted. Note that a key imported this way is trusted on first use; for sensitive contacts, compare its fingerprint with Bob over another channel (phone, in person).
  • Short answer: It depends!

    • For normal users: ❌ NO - eclipso's auto-import is sufficient
    • For journalists/activists: ✅ YES - whistleblowers must be able to find you
    • For business customers: ⚠️ MAYBE - depends on your industry
    • For privacy purists: ❌ NO - your email address becomes public!
  • Pro: When you SHOULD use a keyserver

    • ✅ You are a journalist or activist
      • Whistleblowers must be able to contact you anonymously
      • Keyservers allow finding your public key without prior email contact
      • Example: ProPublica, the Guardian and WikiLeaks publish their public keys publicly (on their websites and/or keyservers)
    • ✅ You run a business or service
      • Customers should be able to easily contact you encrypted
      • Your email address is already public (website, legal notice / Impressum)
      • Service feature: "We offer encrypted communication"
    • ✅ You are a public figure
      • Politicians, lawyers, doctors, consultants
      • Trust-sensitive communication is part of your profession
      • Public nature of your key is not a problem
    • ✅ You want maximum reachability
      • Anyone should be able to contact you encrypted - even without prior contact
      • You accept increased spam risk
  • Contra: When you should NOT use a keyserver

    • ❌ You want maximum privacy
      • Your public key contains your email address
      • This becomes permanently publicly visible on keyservers
      • Crawlers can collect your address → more spam
      • Important: On traditional SKS-style keyservers you can NOT delete an uploaded key, only revoke it; keys.openpgp.org lets you remove your email address from the listing, but the bare key stays retrievable by fingerprint
    • ❌ You use eclipso's auto-import
      • 90% of encryption happens with known contacts (friends, family, colleagues)
      • With eclipso: Key exchange works automatically via signed emails
      • Keyservers are only relevant for first contact with strangers
    • ❌ You have changing email addresses
      • Old keys remain on SKS-style keyservers permanently (they can only be revoked)
      • Outdated keys confuse senders
    • ❌ You only communicate privately
      • For friends/family: Simply send signed email → auto-import works
      • No added value from keyservers
  • The eclipso advantage: Keyservers mostly UNNECESSARY

    • Traditional PGP problem:
      1. Alice wants to send Bob an encrypted email
      2. Alice needs Bob's public key
      3. Alice must search keyserver for "bob@example.com"
      4. Alice imports key manually
      5. Only then can Alice write encrypted
    • eclipso's auto-import solution:
      1. Bob sends Alice a signed email (e.g., normal reply to inquiry)
      2. eclipso recognizes the signature and automatically imports Bob's public key
      3. Alice can immediately reply encrypted - without keyserver search!
    • Result: Keyservers are only needed for first contact with strangers
    • Advantage: Your email remains private, no spam from keyserver crawlers
  • GDPR Note (important for Europe!)

    • ⚠️ Legal gray area: Keyservers store personal data (email address)
    • Problem:
      • Many keyservers are operated outside the EU (e.g., USA)
      • No GDPR guarantee for data deletion
      • Old SKS keyservers do NOT allow deletion (only revocation)
    • Exception: keys.openpgp.org
      • Privacy-friendly: your email address is only listed after you verify it (opt-in)
      • Lets you remove your email address from the listing at any time (not just revoke the key); the bare key material remains retrievable by fingerprint
      • Recommended if you want to use a keyserver
    • Recommendation: Only use keys.openpgp.org, avoid old SKS servers
  • Practical recommendation by use-case

    Use-Case              | Use keyserver? | Reasoning
    Normal user (private) | NO             | eclipso auto-import sufficient, privacy more important
    Journalist/Activist   | YES            | Whistleblowers must be able to find you
    Business/Freelancer   | YES            | Service feature, email already public
    Privacy purist        | NO             | Metadata leakage unacceptable
    Open-source developer | YES            | Community standard, easy reachability
    Family/Friends        | NO             | Direct key exchange better
  • If you decide FOR keyserver: Step-by-step

    • Recommendation: Use keys.openpgp.org (privacy-friendly, more GDPR-compliant)
    • Upload process:
      1. Go to https://keys.openpgp.org/upload
      2. In eclipso: Settings > E-Mail | PGP Keyring > Your key > "Export public key"
      3. Copy the key (starts with "-----BEGIN PGP PUBLIC KEY BLOCK-----")
      4. Paste it into the upload form on keys.openpgp.org
      5. Click "Upload"
      6. Important: You will receive a confirmation email - click the link!
      7. Only after confirmation can your key be found by email address (it is retrievable by fingerprint as soon as it is uploaded)
    • Verification:
      • After 5 minutes: Search keys.openpgp.org for your email
      • Your public key should be displayed
    • Revocation (if needed):
      • If your key was compromised: Upload a revocation certificate
      • A revocation certificate can only be created with the private key, so generate it while you still have the key (GnuPG creates one automatically when generating a key, in openpgp-revocs.d) and store it safely
      • Upload it to keys.openpgp.org - your key will be marked as "revoked"
  • Alternative: Publish public key on your own website

    • Advantage: Full control, GDPR-compliant, no spam (serve the page over HTTPS so the key cannot be swapped in transit)
    • How:
      1. Export your public key from eclipso
      2. Create a page on your website (e.g., www.example.com/pgp.html)
      3. Publish the key there (HTML example below)
      4. Link the page in your email signature: "PGP key: www.example.com/pgp"
    • HTML example:
      <h1>My OpenPGP Key</h1>
      <p>For encrypted communication please use this key:</p>
      <pre>
      -----BEGIN PGP PUBLIC KEY BLOCK-----
      
      [Your public key here]
      
      -----END PGP PUBLIC KEY BLOCK-----
      </pre>
      <p>Fingerprint: 1234 5678 90AB CDEF 1234 5678 90AB CDEF 1234 5678</p>
                  
    • Advantage over keyserver: You can delete/update the key anytime
  • eclipso's planned features (future)

    • Phase 4.1: Optional "Publish to keyserver" button in key management
    • Functionality:
      • One-click upload to keys.openpgp.org
      • Modal dialog with privacy warning:
        • ☐ I understand that my email becomes public
        • ☐ I understand that the key can only be revoked, not fully deleted
        • ☐ I accept increased spam risk
      • Only after confirming all checkboxes: Upload possible
    • Phase 4.2: Optional keyserver search for external keys
    • Phase 5: DNS OPENPGPKEY records (RFC 7929; an alternative to keyservers in which the key is published under a hash of the local-part of your address, so the zone does not list email addresses in clear text)
    • Important: All features are optional - auto-import remains standard!
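The two checks a practitioner wants around the steps above are (a) confirming that a key block copied from a website or downloaded from a keyserver really has the fingerprint that was published next to it, and (b) seeing what a DNS OPENPGPKEY record for the same key looks like. The following is an added example, not eclipso's code and not part of this article: it dearmors an OpenPGP public key block (with the CRC-24 check), walks the packets, computes the primary key's fingerprint (v4 per RFC 4880, v6 per RFC 9580) and builds the RFC 7929 zone line. The sample key is constructed inline with a dummy 64-bit modulus so the script runs offline; it is not a real key.

```python
# Added example, not eclipso's code: dearmor an OpenPGP public key block, compute the primary
# key's fingerprint for comparison with a published one, and derive the RFC 7929 OPENPGPKEY record.
import base64
import hashlib
import struct

BEGIN, END = "-----BEGIN PGP PUBLIC KEY BLOCK-----", "-----END PGP PUBLIC KEY BLOCK-----"


def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1 (the '=xxxx' line at the end of the armor)."""
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(armored: str) -> bytes:
    """Strip header/footer and armor headers, base64-decode, verify the CRC line."""
    lines = [l.strip() for l in armored.strip().splitlines()]
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not a PGP public key block")
    body = lines[1:-1]
    body = body[body.index("") + 1:] if "" in body else [l for l in body if ": " not in l]
    raw = base64.b64decode("".join(l for l in body if not l.startswith("=")))
    crc_lines = [l[1:] for l in body if l.startswith("=")]
    if crc_lines and crc24(raw) != int.from_bytes(base64.b64decode(crc_lines[-1]), "big"):
        raise ValueError("armor CRC mismatch: block corrupted or edited in transit")
    return raw


def packets(data: bytes):
    """Yield (tag, body) per packet; old- and new-format headers, RFC 4880 section 4.2."""
    i = 0
    while i < len(data):
        hdr, i = data[i], i + 1
        if not hdr & 0x80:
            raise ValueError("bad packet header")
        if hdr & 0x40:  # new format: tag in low 6 bits, variable-length length field
            tag, o1, i = hdr & 0x3F, data[i], i + 1
            if o1 < 192:
                length = o1
            elif o1 < 224:
                length, i = ((o1 - 192) << 8) + data[i] + 192, i + 1
            elif o1 == 255:
                length, i = struct.unpack(">I", data[i:i + 4])[0], i + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old format: tag in bits 2-5, length-type (1/2/4 bytes) in bits 0-1
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 3
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length


def fingerprint(armored: str) -> str:
    """Upper-case hex fingerprint of the primary key (packet tag 6)."""
    for tag, body in packets(dearmor(armored)):
        if tag == 6:
            if body[0] == 4:  # v4 (RFC 4880 12.2): SHA-1 over 0x99 || 2-byte length || body
                return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
            if body[0] == 6:  # v6 (RFC 9580): SHA-256 over 0x9B || 4-byte length || body
                return hashlib.sha256(b"\x9b" + struct.pack(">I", len(body)) + body).hexdigest().upper()
            raise ValueError(f"unsupported key version {body[0]}")
    raise ValueError("no public key packet in block")


def matches(armored: str, published: str) -> bool:
    """Compare against a fingerprint printed on a website or in a signature (spacing/case ignored)."""
    return fingerprint(armored) == "".join(published.split()).upper()


def openpgpkey_record(address: str, armored: str) -> str:
    """RFC 7929 zone line: owner is hex(SHA-256(local-part)[:28]) + '._openpgpkey.' + domain;
    RDATA is the binary key (base64 in presentation format). The hash is unsalted, so a known
    address can still be looked up; the gain is that the zone no longer lists addresses in clear."""
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError("expected local-part@domain")
    owner = hashlib.sha256(local.encode()).digest()[:28].hex()
    return f"{owner}._openpgpkey.{domain.rstrip('.')}. IN OPENPGPKEY {base64.b64encode(dearmor(armored)).decode()}"


def build_demo_key(new_format: bool = True) -> str:
    """Constructed input: a well-formed v4 RSA key packet with a DUMMY 64-bit modulus (not a real
    key), armored the way gpg --export --armor lays out a block."""
    def mpi(x: int) -> bytes:
        return struct.pack(">H", x.bit_length()) + x.to_bytes((x.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", 1700000000) + b"\x01" + mpi(0xC0FFEE1234567891) + mpi(65537)
    header = bytes([0xC0 | 6, len(body)]) if new_format else bytes([0x80 | (6 << 2), len(body)])
    packet = header + body
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join([BEGIN, "", *(b64[i:i + 64] for i in range(0, len(b64), 64)), "=" + crc, END])
```

To use it on a real key, paste the block exported from eclipso into `matches(block, "1234 5678 ...")` with the fingerprint from the website or business card; a corrupted or edited block fails the CRC check before any fingerprint is computed. The `openpgpkey_record` output is what a DNS operator would put in the zone file; a resolver queries exactly that owner name, which is why the address never appears in the zone in readable form.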
  • Comparison: Keyserver vs. eclipso auto-import

    Feature    | Keyserver (classic)                                              | eclipso Auto-Import
    Setup      | Manual upload                                                    | ✅ Automatic when writing
    Privacy    | ⚠️ Email public                                                  | ✅ Email private
    Spam risk  | ⚠️ High (crawlers)                                               | ✅ Low
    GDPR       | ⚠️ Gray area                                                     | ✅ Compliant
    Deletable  | ❌ Not on SKS servers (only revoke); keys.openpgp.org removes the address | ✅ Yes (anytime)
    Discovery  | ✅ Anyone finds you                                              | ⚠️ Only contacts
    Use-case   | Journalist, public figure                                        | Normal user (90%!)

    Winner for individuals: eclipso auto-import! (Privacy + convenience)
  • Frequently Asked Questions

    • Q: Can I delete my key from keys.openpgp.org again?
      A: You can remove your email address (identity) from keys.openpgp.org at any time, so the key is no longer found by searching for your address; the bare key material remains retrievable by fingerprint. Old SKS servers allow neither. Only use this server!
    • Q: What happens if I publish my key on multiple keyservers?
      A: SKS-style servers synchronize keys among themselves, so a key uploaded to one of them spreads to the others; keys.openpgp.org deliberately does not take part in that synchronization. Better: only use keys.openpgp.org.
    • Q: Does everyone see my encrypted emails if my key is public?
      A: No! The public key is ONLY for encrypting. Only you with the private key can decrypt.
    • Q: Do I need keyservers to communicate with ProtonMail users?
      A: No! ProtonMail also uses auto-import. Simply send a signed email.
    • Q: How do I find external keys without keyservers?
      A: Ask the person to send you a signed email - eclipso imports automatically!
  • Important Notes

    • For 90% of eclipso users, keyservers are not needed - auto-import works better
    • If you use keyservers: Only keys.openpgp.org (privacy-friendly, more GDPR-compliant)
    • Your email becomes public - accept increased spam risk
    • Once uploaded = permanent on old SKS servers (only revocation, no deletion); keys.openpgp.org lets you remove your address from the listing
    • Alternative: Publish public key on your own website (more control)
    • eclipso will offer optional keyserver upload function in future - with clear privacy warnings