Private Keyserver on Debian

by Volker Diels-Grabsch

How to set up a private PGP/GPG keyserver on Debian.

Created 2014-01-27, Last updated 2017-07-05

Installation and Configuration

To set up a private PGP/GPG keyserver on Debian, we can simply install the sks Debian package:

apt-get install sks

Stop the sks daemon, just to be sure:

service sks stop

Unfortunately, the keyserver's internal database isn't set up automatically, so we have to trigger that manually. Note that although the sks command should not be executed as root, it is located in /usr/sbin instead of /usr/bin. This is a bit confusing, but switching to the debian-sks user does the trick:

su debian-sks -c '/usr/sbin/sks build'

Since this is meant to be a private keyserver, we don't want to communicate with other keyservers, so we have to disable all communication channels (email and gossip protocol):

echo '# Empty - Do not communicate with other keyservers.' >/etc/sks/mailsync
echo '# Empty - Do not communicate with other keyservers.' >/etc/sks/membership

And we provide simple configuration options:

cat >/etc/sks/sksconf <<'EOF'
pagesize: 16
ptree_pagesize: 16
EOF

Then, we have to enable the service:

systemctl enable sks.service

And we have to enable it again in a different place:

echo 'initstart=yes' >/etc/default/sks

Finally, we start the service:

service sks start

Have fun!


We can check that the keyserver is up and running by visiting its HTTP interface (replace with the site's domain name or IP address):

We can also upload and download a GPG key (replace KEYSERVER with the site's domain name or IP address, and also replace 1234ABCD with an existing key ID):

gpg --send-key --keyserver KEYSERVER 1234ABCD
gpg --recv-key --keyserver KEYSERVER 1234ABCD
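
A file-level check of the settings made during installation, as an added example that is not part of the original article: it reports any active (non-comment) entry in mailsync or membership and confirms that initstart=yes is set. The function names, the decision to treat a missing file as a failure, and the sample files in the demo are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original article.

# Print the lines of a file that are neither blank nor pure comments.
# Assumption: '#' starts a comment, as in the files the article writes.
active_lines() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e '/^$/d' "$1"
}

# check_sks_private ETC_DIR DEFAULT_FILE
# Returns 0 only if mailsync and membership exist with no active entries
# and DEFAULT_FILE contains initstart=yes.
check_sks_private() {
    etc_dir=$1
    default_file=$2
    status=0
    for f in mailsync membership; do
        path="$etc_dir/$f"
        if [ ! -f "$path" ]; then
            echo "FAIL: $path is missing"
            status=1
        elif [ -n "$(active_lines "$path")" ]; then
            echo "FAIL: $path has active entries:"
            active_lines "$path" | sed 's/^/      /'
            status=1
        else
            echo "OK:   $path has no active entries"
        fi
    done
    if grep -Eq '^[[:space:]]*initstart=yes[[:space:]]*$' "$default_file" 2>/dev/null; then
        echo "OK:   $default_file sets initstart=yes"
    else
        echo "FAIL: $default_file does not set initstart=yes"
        status=1
    fi
    return "$status"
}

# Demo on constructed sample files (a temporary directory, not /etc/sks).
demo=$(mktemp -d)
echo '# Empty - Do not communicate with other keyservers.' >"$demo/mailsync"
echo '# Empty - Do not communicate with other keyservers.' >"$demo/membership"
echo 'initstart=yes' >"$demo/default-sks"
check_sks_private "$demo" "$demo/default-sks"
rm -rf "$demo"
```

On the keyserver itself, the same function can be called as check_sks_private /etc/sks /etc/default/sks.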

Reset Database

In case we need a fresh start from a clean database, we have to stop the service, remove the database, rebuild it, and start the service again:

service sks stop
rm -fr /var/lib/sks/DB /var/lib/sks/PTree
su - debian-sks -c '/usr/sbin/sks build'
service sks start