
Setup SKS on CentOS

07 Jun 2015

SKS: Synchronizing Key Server

The sks package installs an OpenPGP keyserver that synchronises its keys with other keyservers, so that newly uploaded keys are distributed quickly.

Install SKS on CentOS 6.6

yum install sks
mkdir /srv/sks
cd /srv/sks/
sks build
mkdir /etc/sks
cp /usr/share/doc/sks-1.1.5/sampleConfig/sksconf.typical /etc/sks/sksconf
chown sks: /etc/sks
chown sks: /srv/sks

Configure the SKS server

On CentOS the init script passes only a bare minimum of settings to the daemon; you can extend these by editing the start-up command in the init script with variables taken from the sysconfig file or from sksconf.

vi /etc/sks/sksconf
vi /etc/init.d/sks-db

An example extended startup command:

# each line ends in a backslash so the shell reads the flags as one command
# note: bash pre-sets HOSTNAME to the machine's own hostname, so set it
# explicitly in the sysconfig file if the public name differs
daemon --user=${RUN_AS} ${EXEC} ${SKS_CMD} \
    -debuglevel "$DEBUGLEVEL" \
    -hkp_port "$hkp_port" \
    -server_contact "0x1edeabf83d5702e2" \
    -hostname "$HOSTNAME" \
    -basedir "$BASEDIR" \
    -stat_hour "$STAT_HOUR" 2>/dev/null &
# sks does not daemonize itself, hence the trailing &; "|| failure" cannot
# follow "&" (that is a shell syntax error), so report failure in the init
# script's status check that follows instead
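The start-up command above hard-codes which settings reach the daemon, and nothing keeps it in step with sksconf. The following is an added example (not from the original post or the sks project) that reads the "name: value" lines of an sksconf file and turns a chosen set of them into the same -flag value pairs, so the init script can be fed from the config file. The config path (/etc/sks/sksconf, overridable through SKSCONF), the SKS_OPT_KEYS list and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: derive sks command-line flags from an sksconf file.
# Assumptions (not from the original post): config at /etc/sks/sksconf
# unless SKSCONF is set; only the keys in SKS_OPT_KEYS are forwarded.

SKSCONF="${SKSCONF:-/etc/sks/sksconf}"
SKS_OPT_KEYS="debuglevel hostname hkp_port basedir stat_hour server_contact"

# sksconf_get FILE KEY -> prints the value of the line "KEY: value"
# (last occurrence wins), skipping comment lines; exit 1 if KEY is absent.
sksconf_get() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        index($0, key ":") == 1 {
            val = substr($0, length(key) + 2)
            sub(/^[[:space:]]+/, "", val)
            sub(/[[:space:]]+$/, "", val)
            found = 1
        }
        END { if (!found) exit 1; print val }
    ' "$1"
}

# sks_cmdline_opts FILE -> prints "-key value" pairs, in SKS_OPT_KEYS order,
# for every key that is present in FILE; absent keys are simply skipped.
sks_cmdline_opts() {
    opts=""
    for key in $SKS_OPT_KEYS; do
        val=$(sksconf_get "$1" "$key") || continue
        opts="$opts -$key $val"
    done
    printf '%s\n' "${opts# }"
}

# In /etc/init.d/sks-db the start line can then be written as
#   daemon --user=${RUN_AS} ${EXEC} ${SKS_CMD} $(sks_cmdline_opts "$SKSCONF") 2>/dev/null &
# The command substitution is deliberately unquoted so the shell splits it
# into separate arguments (values in sksconf contain no spaces).

# Print the flags for inspection when SKS_SHOW_OPTS is set, e.g.
#   SKS_SHOW_OPTS=1 sh ./sks-opts.sh
if [ -n "${SKS_SHOW_OPTS:-}" ]; then
    sks_cmdline_opts "$SKSCONF"
fi
```

Run it once with SKS_SHOW_OPTS=1 against the copied sksconf to confirm the flags match what you expect before wiring it into the init script; a value that is commented out in sksconf is left out of the command line rather than passed as an empty string.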

Setting up the web interface

The web interface lets you browse the database from a web browser, search for entries and submit ASCII-armoured keys.

cp -r /usr/share/doc/sks-1.1.5/sampleWeb/HTML5 /srv/sks/web
rm -rvf /srv/sks/web/*.orig
chown -Rv sks: /srv/sks/web
/etc/init.d/sks-db restart

Allowing access on port 80

On Debian the configuration is a little more fine-tuned: the init script contains both the db and recon start/stop controls, the sks option "use_port_80" works, and all options in the config file are read correctly.

On CentOS, however, the "use_port_80" option has no effect; this can be worked around with the following iptables rule:

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 11371

A benefit of allowing traffic on port 80 as well as the default 11371 is that you'll be able to reach the service from behind most firewalls.
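Running the iptables line from the post a second time (for example from a provisioning script) appends a duplicate rule, and the rule lives only in kernel memory until it is saved. The following is an added example (not from the original post) that checks the nat PREROUTING chain first and only adds the redirect when it is missing. The function names and the SKS_HKP_PORT variable are this example's own; the rule itself is the one from the post.

```shell
#!/bin/sh
# Added example: idempotent port-80 -> 11371 redirect for an SKS server on
# CentOS 6. Assumptions (not from the original post): iptables is present,
# the script runs as root, SKS_HKP_PORT overrides the HKP port.

SKS_HKP_PORT="${SKS_HKP_PORT:-11371}"

# sks_redirect_present RULES -> exit 0 if RULES (the text printed by
# `iptables -t nat -S PREROUTING`) already contains the redirect.
# iptables normalises rules on output: it inserts "-m tcp" and prints the
# target option as "--to-ports", so the tokens are matched rather than the
# exact string that was typed.
sks_redirect_present() {
    printf '%s\n' "$1" | grep -E \
        "^-A PREROUTING( -i [^ ]+)? -p tcp( -m tcp)? --dport 80 -j REDIRECT --to-ports? ${SKS_HKP_PORT}\$" \
        >/dev/null
}

# sks_apply_redirect -> adds the rule once and reports what it did.
sks_apply_redirect() {
    current=$(iptables -t nat -S PREROUTING) || return 1
    if sks_redirect_present "$current"; then
        echo "redirect 80 -> ${SKS_HKP_PORT} already present"
        return 0
    fi
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port "$SKS_HKP_PORT" \
        && echo "redirect 80 -> ${SKS_HKP_PORT} added"
}

# Notes for CentOS 6:
#  * the rule is in memory only; `service iptables save` writes it to
#    /etc/sysconfig/iptables so it survives a reboot
#  * nat PREROUTING runs before the filter INPUT chain, so INPUT must accept
#    tcp/11371 (the post-NAT port); opening tcp/80 alone is not enough
#  * locally generated packets never pass PREROUTING, so test from another
#    host, e.g. `curl -sI http://pgp.mj2.uk/pks/lookup?op=stats`, not from
#    the server itself

# Apply only when explicitly asked, so sourcing the file is side-effect free:
#   SKS_APPLY_REDIRECT=1 sh ./sks-redirect.sh
if [ -n "${SKS_APPLY_REDIRECT:-}" ]; then
    sks_apply_redirect
fi
```

Checking `iptables -t nat -S PREROUTING` rather than `-L` is deliberate: `-S` prints rules in the same syntax you add them with, which keeps the match pattern readable and avoids the column layout of `-L` changing with terminal width or the `-n` flag.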

Testing the config

As the sks user, cd into /srv/sks and run the sks db daemon with no options. This confirms the file permissions and the db setup; otherwise you'll see the errors printed out.

sks db

Start the SKS services

/etc/init.d/sks-db restart
/etc/init.d/sks-recon restart

Send and Receive a key

To send a key to the keyserver you can either create an ASCII-armoured export and paste it into the web interface, or have gpg connect to your server directly.

mike@mike-laptop3:~$ gpg --keyserver pgp.mj2.uk --send-key 3D5702E2
gpg: sending key 3D5702E2 to hkp server pgp.mj2.uk

Once uploaded you'll be able to search for your key on the server, for example: http://pgp.mj2.uk/pks/lookup?search=mikejonesey&op=vindex

mike@mike-laptop3:~$ gpg --keyserver pgp.mj2.uk --recv-key 3D5702E2
gpg: requesting key 3D5702E2 from hkp server pgp.mj2.uk
gpg: key 3D5702E2: "Michael Jones (mikejonesey) " not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
