While the venerable Matt Rude has a great write up on compiling the latest SKS server for Ubuntu 18.04, using the one that ships with Ubuntu 18.04 is considerably easier. Given I just did this for work, this blog post has already been 99% written – handy!
The prerequisite for this guide is that you have root on an Ubuntu 18.04 server with a static, public IP address.
This is out of scope for this guide, but you should secure your server. I recommend only allowing SSH with public keys, no passwords. If possible, only allow SSH from your subnet, or from behind a VPN/firewall. Only open the ports to the internet for the keyserver (11371) and SSH (22) if you must. Keep your software up to date – consider turning on automatic updates for security releases.
Given that there’s a native Ubuntu SKS package, this one command gets you a LOT. All your config files are put in place, your user is created, a cronjob is added and there’s no compiling from source. While compiling is nice for knowing exactly what code you’re runnig, it’s slower and more laborious to get set up.
Run this as root:
apt-get -y install sks gnupg wget apache2 xz-utils
Apache functions as a reverse HTTP proxy for the SKS HTTP interface, and so binds to the SKS HTTP port (11371) only on the public IP addresses.
Create the file
/etc/apache2/sites-available/100-keyserver.conf with the following contents. Be sure to update the
SERVER_IP_HERE to be the real IP:
####################################### # Configuration for SKS reverse proxy # ####################################### Listen SERVER_IP_HERE:11371 <VirtualHost *:11371> <Proxy *> Order deny,allow Allow from all </Proxy> ProxyPass / http://127.0.0.1:11371/ ProxyPassReverse / http://127.0.0.1:11371/ ProxyVia On SetEnv proxy-nokeepalive 1 </VirtualHost>
Run the following commands as root to set up apache with the new vhost and enable the right config. The last command should yield no errors:
systemctl restart apache2
systemctl status apache2
As everything was prepped for you with the
apt-get install sks call from above, you only have to define
/etc/sks/sksconf file. The contact should be your PGP key ID. Mine is 0xA105C2764BF2C4CB, for example. The hostname is the FQDN for your server.
Initialize the SKS Database
Run the following commands to download a recent dump of the SKS database, decompress it, update permissions and import it. This puts less of a load on other SKS servers as we won’t need to synchronize much when we come online.
sks-build.sh, select the ”normalbuild” option. This loads all keys into the database, unlike the ”fastbuild” option, which uses the key dump files as a basis over which to operate, but loads the keys much faster. The bunzip2 and load process will take **several hours to complete**.
Run this as root:
mkdir -p /var/lib/sks/dump/
wget -e robots=off -r --no-parent https://mirror.cyberbits.eu/sks/dump
mv mirror.cyberbits.eu/sks/dump/*pgp .
chown -R debian-sks:debian-sks /var/lib/sks
systemctl enable sks
Note: The source of the key dump for our installation is http://keys.niif.hu/keydump/. However, a key dump may be obtained from any up-to-date SKS key server, since each is a mirror of all the others. Key dumps from public key servers are listed on sks-keyserver’s wiki on GitHub. If required, any of the sources listed on this page may be used to obtain the key dump.
If you need to rebuild the database from a fresh download for some reason, be sure to fully delete the DB file with
rm -rf /var/lib/sks/DB first.
For your keyserver to be known by others and have it’s keys be up to date via synchronizatoin, you need to contact the keyserver operators so they they list you in their membership file. That way when you list them, the servers will not not error out.
The format of
/var/lib/sks/membership is simply
After you create it, ensure it can be read by SKS:
chown -R debian-sks:debian-sks /etc/sks/memberships
Start and Test
Start your server with
systemctl start sks. That’s it! You’re done.
Monitor the log files for any problems during startup and testing:
tail -f /var/log/syslog. As well, check the output of
systemctl status sks.
To test, open a browser window to http://YOUR_SERVER:11371. Search for a few different keys to verify that key information is being retrieved correctly.
Check the SKS stats page to verify the number of keys loaded: http://YOUR_SERVER:11371/pks/lookup?op=stats
If you have peered with other servers, verify that it is showing up properly in the pool.
Great article, but one small update.
keys.niif.hu is currently using unxz and not bunzip2.
Jeff – awesome – thanks for the tip! I’ve updated the post accordingly.
You might also want to provide some current/alternate dump sources. I found the one mentioned @ https://keys.niif.hu/keydump/ to be an unverifiable train wreck today and am now re-attempting to re-download from an alternate source @ https://pgp.key-server.io/dump/current/
Anon – oh, cool – thanks for the tip!
Love the article, but your list of servers at bitbucket is dead. Bitbucket no longer supports Mercurial repositories.
Dan – oh yeah, indeed it’s all moved over to GitHub (https://github.com/SKS-Keyserver/sks-keyserver). I’ve updated the article to reflect the new URL. Thanks very much for letting me know!
I think the command to move the downloaded files is wrong. I get the following error:
/var/lib/sks/dump # mv keys.niif.hu/keydump/*pgp .
mv: cannot stat ‘keys.niif.hu/keydump/*pgp’: No such file or directory
Instead, the glob should presumably include the “.xz” extension, also it probably could have a “.” before “pgp”, so something like this:
/var/lib/sks/dump # mv keys.niif.hu/keydump/*.pgp.xz .
Thanks for your comment! It looks like you’re right.
I would update the instructions per your suggestion, but looking at the content on keys.niif.hu, I’m embarrassed to see that Anon from 2 years ago was right – content on keys.niif.hu is garbage! Apparently it’s ASCII art of the Hungarian saying, “de nagy az isten allatkertje”!?! I very much feel like I’m missing some larger context here. These are not they droids you’re looking for. But, oh, well, moving on!
To fix this, we need to look at the key servers on the GitHub page, unfortunately most of which are also not working (no DNS entry or no http server on the IP returned). The only one I found to be working is https://mirror.cyberbits.eu/sks/dump/. I’ve updated the post to reflect these latest updates.
Thanks so much for your note! It’s great to keep this content current. Though, I feel like the relevancy of PGP these days is becoming less and less :(