How should I distribute my public key?

The best way to distribute your key is to use one of the available key servers, such as keyserver.ubuntu.com, pgp.mit.edu or keyserver.pgp.com.

If you use Seahorse (default key manager under Ubuntu), it automatically syncs your keys to one of these servers. Users can then look up your key using your email address or keyid.

If you wanted to post your public key on LinkedIn or your blog, you can either upload the key to your server or just link to the page for your key on one of the keyservers above. Personally, I would upload it to one of the keyservers and link to it, as it is easier to keep it up-to-date in one place, instead of having the file in loads of different locations. You could also share your keyid with people, and they can then receive your key using gpg --recv-keys.

If you wanted to post your public key on Facebook, there is a field for it under the Contact Info section of your profile. You can also change your Facebook security settings so that Facebook uses this same public key to encrypt its emails to you.

For example, here's my public key.

To my knowledge, there are no risks associated with publishing your public key.


There is no risk of exposing your private key or invalidating your public key by publishing your public key in the ways you and @Mark described. As @pboin stated, it is designed to be available to the world.

However, there is another issue at hand... One of the core purposes of having and publishing your public key (indeed, this is probably THE MAIN purpose), is to authenticate yourself to other users, enable them to verify the authenticity of any messages or data you sign, and protect/encrypt data for your eyes only.
But how would those users know that it's really YOUR public key? For example, if I want to send a private message to @Mark Davidson, using his published key at http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xE493B06DD070AFC8, how do I know that it was the REAL Mark Davidson that published that key or that pointed me there?
It would be trivial for me to publish my OWN public key, either on mit.edu, on LinkedIn, Facebook, etc, and simply call myself Bill Clinton (or Bill Gates). How could you know otherwise?
Moreover, even if somehow I know this is really the right person (e.g., I want to contact an anonymous blogger via the pk published on his blog; I don't care who he really is, the owner of the site, and thus the pk publisher, is the correct person anyhow), what's to guarantee the public key was not tampered with en route? All the links and sites mentioned so far (OK, with the exception of the PGP keyserver) are HTTP, i.e. no channel protection, i.e. the key can easily be altered between server and browser.

When using the X.509 / PKI model, there is always somebody trusted that vouches for you. E.g. a well-known Certificate Authority (trusted because the browser vendors vetted them, and added their root certificate to the Trusted Roots Store in the browser) verified your identity, and signed your public key/certificate. Thus, anyone who wants to verify you are who you say you are, can simply check the signature, and then check out the identity of whoever is vouching for you (and then repeat until finding the well-known trusted root CA).

However, in the PGP model, there is usually no central, trusted authority (though current versions DO allow this). Instead, PGP is based on the web-of-trust model, wherein if you trust someone, they can vouch in turn for someone else's identity.

Regardless, just putting your public key out there does not help anyone verify your identity, nor ensure that encrypted messages will be viewable by the correct person only.

What you CAN do:

  • Publish your public key, much as you and @Mark said, but then provide a public-key token (basically a hash of the public key, like a fingerprint) via a secure channel. E.g. this is now short enough to read over a telephone if he knows you personally... I've even seen someone put his pk token on his business card, handed out at a conference (admittedly this was from a vendor).
  • Start signing your emails, then verifying to the recipient that it was your signature through an out-of-band channel (e.g. over the telephone or in person (gasp!!))
  • Complicate the situation, get a standard X.509 cert and implement SSL (preferably EV) on your website, then anyone can download your pk safe in the knowledge that it came from whoever owns that domain name... (Okay, maybe that works better for big companies...)
    Check out how Microsoft does it...

Aaaaall that aside, it really depends on what this pk is for - if it's just to wow your mother, then don't bother with all that :)
On the other hand, if you have really sensitive communications, or with security-conscious clients, then all the above is important...
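The two answers above rely on two numbers derived from the public key: the key ID that `gpg --recv-keys` takes (first answer) and the fingerprint you read out over the phone or print on a business card (second answer). The following script is an added example, not code from either answer and not gpg's own implementation; it is what `gpg --fingerprint` does under the hood for a v4 key (RFC 4880: SHA-1 over `0x99`, a two-byte length and the public-key packet body; the key ID is the low 64 bits of that fingerprint). It also checks the armor's CRC-24, which is the only integrity check a key fetched over plain HTTP carries, and compares the computed fingerprint against the out-of-band value in constant time. The key material is a constructed toy RSA packet (hypothetical modulus and timestamp), so the layout and arithmetic are real but the key itself is not usable.

```python
"""Added example: derive an OpenPGP v4 fingerprint and key ID from an
ASCII-armored public key, verify the armor CRC-24, and compare the
fingerprint with one received out of band. Constructed for illustration;
this is not gpg's code and the sample key is a toy."""
import base64
import hashlib
import hmac
import re
import struct


def _mpi(value):
    """OpenPGP MPI: 2-byte bit count followed by the big-endian magnitude."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes((value.bit_length() + 7) // 8, "big")


# Constructed v4 RSA public-key packet body (toy numbers, not a usable key):
# version | creation time | algorithm (1 = RSA) | MPI n | MPI e
SAMPLE_KEY_BODY = (
    b"\x04" + struct.pack(">I", 1291000000) + b"\x01"
    + _mpi(0xC0FFEE1234567890ABCDEF) + _mpi(65537)
)


def crc24(data):
    """RFC 4880 CRC-24 used for the '=XXXX' armor checksum line."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def public_key_packet(body):
    """Old-format header: tag 6 (public key), two-octet length, i.e. the 0x99 byte."""
    return bytes([0x80 | (6 << 2) | 1]) + struct.pack(">H", len(body)) + body


def armor(packet, block="PUBLIC KEY BLOCK"):
    """Wrap raw packet bytes in ASCII armor with a CRC-24 trailer."""
    b64 = base64.b64encode(packet).decode()
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {block}-----", ""] + body + ["=" + crc, f"-----END PGP {block}-----"]) + "\n"


SAMPLE_ARMOR = armor(public_key_packet(SAMPLE_KEY_BODY))   # what you would publish


def dearmor(text):
    """Strip ASCII armor and check the CRC-24; raises ValueError if altered."""
    lines = text.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an ASCII-armored block")
    inner = lines[1:-1]
    if "" in inner:                               # drop armor headers (Version:, Comment:)
        inner = inner[inner.index("") + 1:]
    data = base64.b64decode("".join(l for l in inner if not l.startswith("=")))
    crc_lines = [l for l in inner if l.startswith("=")]
    if crc_lines and crc24(data) != int.from_bytes(base64.b64decode(crc_lines[0][1:]), "big"):
        raise ValueError("CRC-24 mismatch: armor altered in transit or corrupted")
    return data


def first_packet(data):
    """Return (tag, body) of the first packet; handles old and new header formats."""
    hdr = data[0]
    if not hdr & 0x80:
        raise ValueError("bad packet header")
    if hdr & 0x40:                                # new format (RFC 4880 4.2.2)
        tag, first = hdr & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial-length packets not supported")
    else:                                         # old format (RFC 4880 4.2.1)
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        size = (1, 2, 4)[ltype]
        length, off = int.from_bytes(data[1:1 + size], "big"), 1 + size
    return tag, data[off:off + length]


def v4_fingerprint(body):
    """SHA-1 over 0x99 || 2-byte length || public-key packet body (RFC 4880 12.2)."""
    if body[0] != 4:
        raise ValueError("only v4 keys are supported")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_id(fingerprint):
    """The 64-bit key ID (what --recv-keys takes) is the low 8 bytes of the fingerprint."""
    return fingerprint[-16:]


def _normalize(s):
    s = re.sub(r"[\s:]", "", s).upper()
    return s[2:] if s.startswith("0X") else s


def fingerprint_matches(computed, out_of_band):
    """Constant-time comparison tolerant of spacing, colons, case and a 0x prefix."""
    return hmac.compare_digest(_normalize(computed), _normalize(out_of_band))


def check_key(armored_text, out_of_band_fingerprint):
    """Parse a published key and report whether it matches the fingerprint you were told."""
    tag, body = first_packet(dearmor(armored_text))
    if tag != 6:
        raise ValueError(f"expected a public-key packet (tag 6), got tag {tag}")
    fp = v4_fingerprint(body)
    return {"fingerprint": fp, "key_id": key_id(fp), "matches": fingerprint_matches(fp, out_of_band_fingerprint)}


def armor_is_intact(armored_text):
    try:
        dearmor(armored_text)
        return True
    except ValueError:
        return False


def tamper(armored_text):
    """Change one character of the first base64 line, as an HTTP man-in-the-middle could."""
    lines = armored_text.splitlines()
    i = lines.index("") + 1
    lines[i] = ("B" if lines[i][0] != "B" else "C") + lines[i][1:]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    fp = v4_fingerprint(SAMPLE_KEY_BODY)
    spoken = " ".join(fp[i:i + 4] for i in range(0, 40, 4))   # as read out over the phone
    print(check_key(SAMPLE_ARMOR, spoken))
    print("tampered copy accepted:", armor_is_intact(tamper(SAMPLE_ARMOR)))
```

Two things worth noting. The CRC-24 catches accidental corruption and a crude edit, but it is not a signature: an attacker who substitutes a whole key will simply supply the matching checksum, which is exactly why the fingerprint has to arrive over a channel the attacker does not control. And a 64-bit key ID is only a lookup handle; once you have imported a key by ID, compare the full 40-hex-digit fingerprint, not the ID, against what the owner told you.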


A general solution is to upload it to a keyserver. Another good idea might be to make an entry at Biglumber. This helps you get in contact with other people and maybe sign each other's keys.

Furthermore, you should have a look into your inbox for contacts who already sign their emails. You could send them an informal mail saying that you now have a key, and point them to a resource.

A blog entry about your key is also fine. You should provide a link to download your key.

If you use signatures in your mail, you can point to your new key and of course sign every mail.

Remember that you can't delete your key after it has been uploaded to a keyserver (and distributed amongst them). Of course, you can revoke it. Furthermore, you should assume that spammers look for those email addresses and will send you some "nice offers". When you do keysignings and upload the new signatures, the signatures reveal where you were on a specific date.