This was the setup for the SKS keyserver that used to run at https://gpg.mozilla.org. It ran the SKS Keyserver software.
gpg.mozilla.org was an OpenPGP Synchronizing Key Server (SKS) which participated in the global mesh of SKS servers that enabled OpenPGP users to retrieve and publish public keys.
In June of 2019 attackers showed the ease of a certificate spamming attack that can poison clients' OpenPGP installations when the affected certificates are fetched.
Robert J. Hansen, a member of the GnuPG project, was one of the people who's certificate was affected. He has a good writeup on the incident and the impact to the use of SKS keyservers like gpg.mozilla.org.
The vulnerability is recorded in CVD-2019-13050.
As a result of this type of attack being see in the wild, the problems Robert Hansen identifies in his post about mitigating this vulnerability in SKS servers and unrelated operational challenges Mozilla has encountered in operating the gpg.mozilla.org SKS server, we've decided to stop hosting the gpg.mozilla.org SKS service as of September 2020.
For users that have configured their OpenPGP client to use gpg.mozilla.org, we
recommend you either stop using the keyserver based features of OpenPGP entirely
by removing the keyserver
directive in your gpg.conf configuration or you
configure your client to use the hkps://keys.openpgp.org
keyserver instead which
is not part of the keyserver network.
Ports:11371,11372,80,443
+--------------+ +----------------+ +----------------+ +--------------------------+
| | | | | | Port 11370 | |
| GnuPG CLI +---------> | | sks recon <------------------> (sks recon) |
| | | HTTP(S) | | | | |
+--------------+ | Load Balancer | +----------------+ | 3rd party |
| (Nginx) | | |
+--------------+ | | +----------------+ | SKS Server |
| | | | | | | |
| Web Browser +---------> +------------> sks db | | |
| | | | Port 11371 | | | |
+--------------+ +----------------+ +----------------+ +--------------------------+
- TCP 11370: Used by
sks recon
which is the key synchronization server. "Recon" stands for "Reconciliation". It uses the SKS protocol and does not understand HTTP (i.e. cannot be served by an HTTP load balancer). - TCP 11371: Used by
sks db
and serves both a web interface for web browsers and for programs such asgnupg
. It uses the HTTP protocol (HKP port). - TCP 80: Not used by SKS, but generally used by a reverse proxy which hits back SKS's port 11371 (HTTP port).
- TCP 443, 11372: Not used by SKS, but generally used by a reverse proxy which hits back SKS's port 11371 and performs TLS termination (HTTPS, HKPS ports).
Since port TCP 11370 is not HTTP, it can be difficult to load-balance, and to have on a co-existing domain-name with the other ports, depending on your hosting provider.
In our case:
- TCP 11370 listens on keyserver.mozilla.org
- TCP 11371, 11372, 80, 443 listen on gpg.mozilla.org (HTTP load balancer)
Due to how SKS works, the whole /var/sks
directory is mounted as a persistent volume.
This includes the configuration, key database, web site, logs, etc.
sks-db
is the database server for SKS. It also listens on TCP port 11371
and exposes a web-server on that port
(serving sks-db/etc/web.
sks-recon
is the recon(aissance) server for SKS, which sync with other SKS peers. It listens on TCP port 11370
for
other recon servers to contact and transfer data with.
sks-cron
simply run cron style tasks for SKS such as log rotation and database vacuuming.
Note that there is currently no "real" web-server included with this repository at this time.
Serving directly from sks-db
is not recommended and you should front it with your choice of load-balancer (nginx,
apache, AWS ELB, you name it)
Type make build
.
To build individual docker files, simply go to the right directory and type make
.
For the first time use you'll probably want to establish a database with all (or most) PGP known-keys. This database is several Gb in size and you'll want to import for a database dump. You can find sources on the SKS website
Convenience functions are also provided here: make install
will automatically grab, decompress the dump and import it
for you. You can change the default sources as such: DUMP_URL=https://example.net/dump make install
Note that all configuration, database and website go to the sks
volume and thus, if you need to start from scratch,
you'll want to delete that volume.
Finally, make sure you configure as per the SKS Documentation
and change sks-db/etc/ files such as sksconf
, membership
, etc. to your liking.
A convenience function is provided to update the website on the volume:
- edit sks-db/etc/web/
- type
make update-web
Type make rebuild
.
Type make
.