Keyserver.
A public directory of OpenPGP public keys, searchable by email or fingerprint. Upload your public key and anyone can look you up. The modern default is keys.openpgp.org, which verifies email ownership and lets you remove keys later. Older SKS-style keyservers had neither protection.
A keyserver is an HTTPS service that stores and serves OpenPGP public keys. Users upload their keys; others search by email address or fingerprint and download. Communication uses the HKP protocol (HTTP Keyserver Protocol) or its TLS variant HKPS.
What it is.
Two generations of keyservers exist in practice today:
- Modern verifying keyservers (keys.openpgp.org is the canonical example). These verify ownership of the email addresses in a key's User IDs before publishing them. They support key updates and removal. Subkeys, expiration changes, and revocations are all reflected when you re-upload.
- SKS-style synchronizing keyservers (the old generation, largely deprecated). No verification — anyone could upload any key. No deletion — once uploaded, keys lived forever in the network. Susceptible to "keyserver poisoning" attacks where attackers uploaded thousands of fake signatures to a key.
Modern recommendation: use keys.openpgp.org. Avoid uploading to legacy SKS keyservers unless your specific community still relies on them.
Why it matters.
Keyservers solve the "I have someone's email address but not their key" discovery problem. Without them, every encrypted exchange would need an out-of-band key delivery step. With them, looking up a key is automated: your mail client or PGP tool searches for alice@example.com, finds the key, imports it, and you can encrypt.
The trade-offs:
- Pro: Universal discoverability. Anyone can find your public key by email.
- Pro: Survives changes to your hosting/domain. Your key on keys.openpgp.org doesn't depend on your website being online.
- Con (legacy SKS): Anyone could upload a fake key for your email. Your real key competed with impostors. Modern keys.openpgp.org fixes this with verification.
- Con (legacy SKS): No deletion. Modern keys.openpgp.org supports removal via email verification.
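An added example (not from the original page or from any keyserver project): a Python sketch of the email lookup described above that parses an HKP machine-readable index response and accepts only the key whose fingerprint matches one obtained out of band, which is the client-side check against impostor keys on unverified servers. The host `keyserver.example`, the fingerprints, the sample response and the function names are all constructed or hypothetical.

```python
from urllib.parse import urlencode, unquote

# Constructed sample of an HKP machine-readable index response: three keys all
# claim alice@example.com, as an unverified SKS-style server would allow.
SAMPLE_INDEX = """info:1:3
pub:0123456789ABCDEF0123456789ABCDEF01234567:22:256:1700000000::
uid:Alice%20%3Calice%40example.com%3E:1700000000::
pub:FEDCBA9876543210FEDCBA9876543210FEDCBA98:1:2048:1700000500::
uid:Alice%20%3Calice%40example.com%3E:1700000500::
pub:00112233445566778899AABBCCDDEEFF00112233:1:4096:1600000000::r
uid:Alice%20%3Calice%40example.com%3E:1600000000::
"""

def hkp_lookup_url(host, search, op="index"):
    """Build an HKPS (HKP over TLS) lookup URL for an email or 0x-prefixed fingerprint."""
    query = urlencode({"op": op, "options": "mr", "search": search})
    return f"https://{host}/pks/lookup?{query}"

def parse_mr_index(text):
    """Parse a machine-readable index into [{'fpr', 'flags', 'uids'}, ...]."""
    keys = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub" and len(fields) >= 2:
            # pub:<fingerprint or key ID>:<algo>:<bits>:<created>:<expires>:<flags>
            flags = fields[6] if len(fields) > 6 else ""
            keys.append({"fpr": fields[1].upper(), "flags": flags, "uids": []})
        elif fields[0] == "uid" and len(fields) >= 2 and keys:
            # User IDs are percent-escaped and belong to the preceding pub line.
            keys[-1]["uids"].append(unquote(fields[1]))
    return keys

def select_pinned(keys, pinned_fpr):
    """Return the single non-revoked key matching the pinned fingerprint, else None."""
    want = pinned_fpr.replace(" ", "").upper()
    matches = [k for k in keys if k["fpr"] == want and "r" not in k["flags"]]
    return matches[0] if len(matches) == 1 else None

if __name__ == "__main__":
    print(hkp_lookup_url("keyserver.example", "alice@example.com"))
    candidates = parse_mr_index(SAMPLE_INDEX)
    print(len(candidates), "keys claim this address")
    # Fingerprint as it might be read from a business card or a verified channel.
    pinned = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
    print(select_pinned(candidates, pinned))
```

The email address only narrows the search; the decision to trust a key rests on the pinned fingerprint, so a lookup that returns several candidates or a revoked match yields no key at all.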
WKD is the increasingly common alternative — keys served from the email domain itself rather than a third-party hub. Most modern OpenPGP workflows publish to both keys.openpgp.org (for the discovery network effect) and WKD (for self-sovereign discovery).