sks(8) SKS OpenPGP Key server sks(8)



NAME
    SKS - Synchronizing Key Server

SYNOPSIS
    sks [options] -debug

DESCRIPTION
    SKS is an OpenPGP keyserver whose goal is to provide easy to deploy,
    decentralized, and highly reliable synchronization. That means that a
    key submitted to one SKS server will quickly be distributed to all key
    servers, and even wildly out-of-date servers, or servers that
    experience spotty connectivity, can fully synchronize with the rest of
    the system.

    The design of SKS is deliberately simple. The server consists of two
    single-threaded processes. The first, "sks db", fulfills the normal
    jobs associated with a public key server, such as answering web
    requests. The only special functionality of "sks db" is that it keeps a
    log summarizing the changes to the key database. "sks recon" does all
    the work with respect to reconciling hosts' databases. "sks recon" keeps
    track of specialized summary information about the database, and can
    use that information to efficiently determine the differences between
    its database and that of another host.
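The digest-and-descend idea behind "sks recon", shown as an added illustration rather than SKS's own code: each host summarizes hash-prefix bins (q bits per tree level, as with the -q option) and the two sides open only the bins whose summaries differ, with a max_recover cap on one round. The HostSummary class, the toy count-plus-sum digest, the exchange threshold and the constructed key hashes are all assumptions of this example, not SKS's actual prefix-tree algorithm.

```python
# Added illustration of the "summary information" behind sks recon: a host
# reports, for any hash-prefix bin, how many key hashes it holds plus a toy
# digest; two hosts descend only into bins whose summaries differ.
# Simplified stand-in for SKS's reconciliation, not its code; hashes are constructed.
import hashlib

HASH_BITS = 128
Q = 4        # bits of hash consumed per tree level (cf. the -q option)
THRESH = 3   # bins at or below this size are exchanged element by element

def key_hash(key_blob: str) -> int:
    """Stand-in for a key hash; SKS reconciles on hashes, not full keys."""
    return int.from_bytes(hashlib.md5(key_blob.encode()).digest(), "big")

class HostSummary:
    def __init__(self, hashes: set[int]) -> None:
        self.hashes = hashes

    def members(self, depth: int, prefix: int) -> set[int]:
        shift = HASH_BITS - Q * depth         # top Q*depth bits select the bin
        return {h for h in self.hashes if h >> shift == prefix}

    def digest(self, depth: int, prefix: int) -> tuple[int, int]:
        members = self.members(depth, prefix)
        return len(members), sum(members)     # toy digest: count and sum

def reconcile(a: HostSummary, b: HostSummary, max_recover: int):
    """Return (hashes A lacks, hashes B lacks, digests compared)."""
    a_lacks, b_lacks, compared = set(), set(), 0
    stack = [(0, 0)]                          # (depth, prefix); root covers all
    # stop once max_recover differences are known, as -max_recover bounds a round
    while stack and len(a_lacks) + len(b_lacks) < max_recover:
        depth, prefix = stack.pop()
        compared += 1
        if a.digest(depth, prefix) == b.digest(depth, prefix):
            continue                          # identical bin: skip its subtree
        ma, mb = a.members(depth, prefix), b.members(depth, prefix)
        if min(len(ma), len(mb)) <= THRESH or Q * depth >= HASH_BITS:
            a_lacks |= mb - ma                # small enough: exchange directly
            b_lacks |= ma - mb
        else:
            for child in range(1 << Q):       # split into 2**Q narrower bins
                stack.append((depth + 1, (prefix << Q) | child))
    return a_lacks, b_lacks, compared

def demo():
    """Constructed scenario: 40 shared keys, two only on A, one only on B."""
    shared = {key_hash(f"constructed-shared-key-{i}") for i in range(40)}
    only_a = {key_hash("constructed-only-on-a-1"), key_hash("constructed-only-on-a-2")}
    only_b = {key_hash("constructed-only-on-b-1")}
    return reconcile(HostSummary(shared | only_a), HostSummary(shared | only_b), 100)
```

Running demo() returns the one hash A lacks, the two B lacks, and how many bin digests were compared to find them.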

FEATURES
    Highly efficient and reliable reconciliation algorithm

    Follows RFC2440 and RFC2440bis carefully - unlike PKS, SKS supports new
    and old style packets, photoID packets, multiple subkeys, and pretty
    much everything allowed by the RFCs.

    Fully compatible with the PKS system - can both send and receive syncs
    from PKS servers, ensuring seamless connectivity.

    Simple configuration: each host just needs a (partial) list of the
    other participating key servers. Gossip is used to distribute
    information without putting a heavy load on any one host.

    Supports HKP/web-based querying, and soon-to-be-standard machine
    readable indices.

COMMANDS
    SKS binary command options are as follows:

    db
        Initiates database server.

    recon
        Initiates reconciliation server.

    cleandb
        Apply filters to all keys in database, fixing some common problems.

    build
        Build key database, including body of keys directly in database.

    fastbuild -n [size] -cache [mbytes]
        Build key database; doesn't include keys directly in database,
        faster than build. -n specifies the number of keydump files to read
        per pass when used with build and the multiple of 15,000 keys to be
        read per pass when used with fastbuild. -cache specifies the
        database cache to use in megabytes.

    pbuild -cache [mbytes] -ptree_cache [mbytes]
        Build prefix-tree database, used by reconciliation server, from key
        database. Allows for specification of cache for key database and
        for ptree database.

    dump numkeys dumpdir <filename-prefix>
        Create a raw dump of the keys in the database. The dump is split
        into multiple files; the numkeys parameter determines the number of
        keys dumped in each file. The optional filename-prefix is prepended
        to the dump file names. Without it the dump files are named
        0000.pgp, 0001.pgp, ...

    merge
        Adds keys from key files to existing database.

    drop
        Drops key from database.

    update_subkeys [-n # of updates / 1000]
        Updates subkey keyid index to include all current keys. Only useful
        when upgrading from versions 1.0.4 or before of SKS.

    version
        Prints SKS version and linked version of Berkeley DB to stdout.

    help
        Prints the help message.

OPTIONS
    You won't need most of the options below for normal operation. These
    options can be given in basedir/sksconf or as command line options for
    the sks binary.

    -debug
        Debugging mode.

    -debuglevel
        Debugging level -- sets verbosity of logging.

    -q
        Number of bits defining a bin.

    -mbar
        Number of errors that can be corrected in one shot.

    -seed
        Seed used by RNG.

    -hostname
        Current hostname.

    -nodename
        Current nodename.

    -d
        Number of keys to drop at random when synchronizing.

    -n
        Number of keydump files to load at once.

    -max_internal_matches
        Maximum number of matches for the most specific word in a
        multi-word search.

    -max_matches
        Maximum number of matches that will be returned from a query.

    -max_uid_fetches
        Maximum number of uid fetches performed in a verbose index query.

    -pagesize
        Pagesize in 512 byte chunks for key db.

    -keyid_pagesize
        Pagesize in 512 byte chunks for keyid db.

    -meta_pagesize
        Pagesize in 512 byte chunks for metadata db.

    -subkeyid_pagesize
        Pagesize in 512 byte chunks for subkeyid db.

    -time_pagesize
        Pagesize in 512 byte chunks for time db.

    -tqueue_pagesize
        Pagesize in 512 byte chunks for tqueue db.

    -word_pagesize
        Pagesize in 512 byte chunks for word db.

    -cache
        Cache size in megabytes for key db.

    -ptree_pagesize
        Pagesize in 512 byte chunks for prefix tree db.

    -ptree_cache
        Cache size in megabytes for prefix tree db.

    -baseport
        Set base port number.

    -recon_port
        Set recon port number.

    -recon_address
        Set recon binding addresses. Can be a list of whitespace separated
        IP addresses or domain names.

    -hkp_port
        Set hkp port number.

    -hkp_address
        Set hkp binding addresses. Can be a list of whitespace separated
        IP addresses or domain names.

    -use_port_80
        Have the HKP interface listen on port 80, as well as the hkp_port.

    -basedir
        Set base directory.

    -stdoutlog
        Send log messages to stdout instead of log file.

    -diskptree
        Use a disk-based ptree implementation. Slower, but requires far
        less memory.

    -nodiskptree
        Use in-memory ptree.

    -max_ptree_nodes
        Maximum number of allowed ptree nodes. Only meaningful if
        -diskptree is set.

    -prob
        Set probability. Used for testing code only.

    -recon_sync_interval
        Set sync interval for reconserver.

    -gossip_interval
        Set time between gossips in minutes.

    -dontgossip
        Don't gossip automatically. Host will still respond to requests
        from other hosts.

    -db_sync_interval
        Set sync interval for dbserver.

    -checkpoint_interval
        Time period between checkpoints.

    -recon_checkpoint_interval
        Time period between checkpoints for reconserver.

    -ptree_thresh_mult
        Multiple of thresh which specifies minimum node size in prefix
        tree.

    -recon_thresh_mult
        Multiple of thresh which specifies minimum node size that is
        included in reconciliation.

    -max_recover
        Maximum number of differences to recover in one round.

    -http_fetch_size
        Number of keys for reconserver to fetch from dbserver in one go.

    -wserver_timeout
        Timeout in seconds for webserver requests.

    -reconciliation_timeout
        Timeout for reconciliation runs in minutes.

    -stat_hour
        Hour at which to run database statistics.

    -initial_stat
        Runs database statistics calculation on boot.

    -reconciliation_config_timeout
        Set timeout in seconds for initial exchange of config info in
        reconciliation.

    -missing_keys_timeout
        Timeout in seconds for get_missing_keys.

    -command_timeout
        Timeout in seconds for commands sent over the command socket.

    -sendmail_cmd
        Command used for sending mail.

    -from_addr
        From address used in the synchronization emails that communicate
        with PKS.

    -dump_new_only
        When doing a database dump, only dump new keys, not keys already
        contained in a keydump file.

    -max_outstanding_recon_requests
        Maximum number of outstanding requests in reconciliation.

    -membership_reload_interval
        Maximum interval (in hours) at which membership file is reloaded.

    -disable_mailsync
        Disable sending of PKS mailsync messages. ONLY FOR STANDALONE
        SERVERS! THIS IS THE MECHANISM FOR SENDING UPDATES TO NON-SKS
        SERVERS.

    -disable_log_diffs
        Disable logging of recent hashset diffs.

    -server_contact
        Set OpenPGP KeyID of the server contact.

    --help, -help
        Displays list of options.

    -stdin
        Read keyids from stdin (sksclient only).

FILES
    Information about important files located in your SKS basedir.

    bin/sks
        The main SKS executable.

    bin/sks_add_mail
        The executable responsible for parsing incoming mails from PKS key
        servers.

    bin/sks_build.sh
        Script to generate an initial database.

    mailsync
        The mailsync file should contain a list of email addresses of PKS
        keyservers. This file is important, because it ensures that keys
        submitted directly to an SKS keyserver are also forwarded to PKS
        keyservers. IMPORTANT: don't add someone to your mailsync file
        without getting their permission first!

    membership
        With SKS, two hosts can efficiently compare their databases, then
        repair whatever differences are found. In order to set up
        reconciliation, you first need to find other SKS servers that will
        agree to gossip with you. The hostname and port of each server that
        has agreed to do so should be added to this file.

    sksconf
        The configuration file for your SKS server.

EXAMPLES
    membership
        keyserver.ahost.org 11370 # Comments are allowed
        keyserver.foo.org 11370 # Another host with default ports

    sksconf
        membership_reload_interval: 1
        initial_stat:
        hostname: keyserver.example.com
        from_addr: pgp-public-keys@keyserver.example.com

    Procmail
        PATH=/path/of/sks/executables
        :0
        * ^Subject: incremental
        | /path/of/sks_add_mail /path/to/sks/directory

    /etc/aliases
        pgp-public-keys: "|/path/of/sks_add_mail /path/to/sks/directory"
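A check over the membership, sksconf and mailsync files described above, added here as an example and not part of SKS: it parses membership and sksconf in the formats the EXAMPLES show, then flags the combinations the man page warns about (disable_mailsync on a server whose mailsync file still lists PKS addresses, an empty membership without dontgossip, a missing hostname). The parse_membership, parse_sksconf and lint functions, the '#' comment handling in sksconf, and the constructed mailsync contents are assumptions of this example.

```python
# Added configuration check for the membership, sksconf and mailsync files;
# not part of SKS. Assumes sksconf's "key: value" / bare "key:" flag syntax
# from the EXAMPLES section, '#' comments in membership (shown on the page)
# and in sksconf (an assumption), one PKS address per mailsync line. Inputs constructed.

def parse_membership(text: str) -> list[tuple[str, int]]:
    """'host port' per line, optional '# comment'; raises on malformed entries."""
    peers = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) != 2 or not fields[1].isdigit():
            raise ValueError(f"bad membership entry: {raw.strip()!r}")
        peers.append((fields[0], int(fields[1])))
    return peers

def parse_sksconf(text: str) -> dict[str, str]:
    """'key: value' lines; a bare 'key:' (e.g. initial_stat:) is a flag mapped to ''."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(":")
            conf[key.strip()] = value.strip()
    return conf

def lint(conf: dict[str, str], peers: list[tuple[str, int]], mailsync: str) -> list[str]:
    """Flag settings the man page marks as risky or inconsistent."""
    findings = []
    addrs = [l.strip() for l in mailsync.splitlines() if l.strip() and not l.startswith("#")]
    if not conf.get("hostname"):
        findings.append("hostname is not set")
    if "disable_mailsync" in conf and addrs:
        findings.append("disable_mailsync is set (standalone servers only) but mailsync lists PKS peers")
    if not peers and "dontgossip" not in conf:
        findings.append("membership is empty: nothing to reconcile with")
    if not conf.get("membership_reload_interval", "1").isdigit():
        findings.append("membership_reload_interval must be a whole number of hours")
    for host, port in peers:
        if not 1 <= port <= 65535:
            findings.append(f"membership: port {port} for {host} is out of range")
    return findings

def demo() -> list[str]:
    membership = "keyserver.ahost.org 11370 # Comments are allowed\nkeyserver.foo.org 11370\n"
    sksconf = "membership_reload_interval: 1\ninitial_stat:\nhostname: keyserver.example.com\ndisable_mailsync:\n"
    mailsync = "pgp-public-keys@pks.example.org\n"   # constructed PKS address
    return lint(parse_sksconf(sksconf), parse_membership(membership), mailsync)
```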

SEE ALSO
    The SKS website is located at https://bitbucket.org/skskeyserver/sks-keyserver/.

AUTHOR
    The first draft was written by Thomas Sjogren
    <thomas@northernsecurity.net>.



0.1 2014-05-03 sks(8)