How to set up a private PGP/GPG keyserver on Debian.
To set up a private PGP/GPG keyserver on Debian, we can simply install the sks Debian package:
apt-get install sks
Stop the sks daemon, just to be sure:
service sks stop
Unfortunately, the keyserver's internal database isn't set up automatically, so we have to trigger that manually. Note that although the sks command should not be executed as root, it is located in /usr/sbin instead of /usr/bin. This is a bit confusing, but switching to the debian-sks user does the trick:
su debian-sks -c '/usr/sbin/sks build'
Since this is meant to be a private keyserver, we don't want to communicate with other keyservers, so we have to disable all communication channels (email and gossip protocol):
echo '# Empty - Do not communicate with other keyservers.' >/etc/sks/mailsync
echo '# Empty - Do not communicate with other keyservers.' >/etc/sks/membership
And we provide simple configuration options:
cat >/etc/sks/sksconf <<'EOF'
pagesize: 16
ptree_pagesize: 16
EOF
Then, we have to enable the service:
systemctl enable sks.service
And we have to enable it again in a different place:
echo 'initstart=yes' >/etc/default/sks
Finally, we start the service:
service sks start
Have fun!
We can check that the keyserver is up and running by visiting its HTTP interface (replace example.com with the site's domain name or IP address):
http://example.com:11371/
We can also upload and download a GPG key (replace example.com as before, and also replace 1234ABCD with an existing key ID):
gpg --send-key --keyserver example.com 1234ABCD
gpg --recv-key --keyserver example.com 1234ABCD
In case we need a fresh start from a clean database, we have to stop the service, remove the database, rebuild it, and start the service again:
service sks stop
rm -fr /var/lib/sks/DB /var/lib/sks/PTree
su - debian-sks -c '/usr/sbin/sks build'
service sks start
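The keyserver stays private only as long as the two peer files above remain free of entries, so here is an added check (not part of the original post) that reports any gossip or mail-sync peer that has crept back into them. It assumes the Debian paths /etc/sks/membership and /etc/sks/mailsync used above, takes the directory as an argument so it can be run against copies, and treats a missing file as listing no peers.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that an SKS
# keyserver is really private, i.e. that membership (gossip peers)
# and mailsync (email sync peers) under the given directory list
# no peers at all. Only whole-line '#' comments and blank lines are
# ignored; anything else is treated as a peer entry.

# Print the peer entries of one SKS peer file (non-blank, non-comment
# lines). A missing file prints nothing, since it configures no peers.
sks_list_peers() {
    [ -f "$1" ] || return 0
    grep -Ev '^[[:space:]]*(#|$)' "$1" || true
}

# Count peer entries; prints 0 for an empty, comment-only or missing file.
sks_peer_count() {
    sks_list_peers "$1" | wc -l | tr -d ' '
}

# Return 0 when both files configure no peers, 1 otherwise. On failure
# the offending entries are printed on stderr so the admin can see what
# the keyserver would still exchange with the outside world.
sks_is_private() {
    confdir="${1:-/etc/sks}"          # default: Debian's config directory
    status=0
    for f in membership mailsync; do
        n="$(sks_peer_count "$confdir/$f")"
        if [ "$n" -ne 0 ]; then
            echo "$confdir/$f still lists $n peer(s):" >&2
            sks_list_peers "$confdir/$f" >&2
            status=1
        fi
    done
    return $status
}

# Usage on the live system (exit status 0 means no peers are configured):
#   sks_is_private /etc/sks && echo "keyserver is private"
```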