Obviously GnuPG/GPG is a privacy tool which is used to communicate/collaborate with other people, & in order to do just that you will need to EXCHANGE your cryptographic keys with those "other people". The ideal way to do it is to actually meet each other physically in real life, verify each other's identity, & then exchange your PUBLIC-KEYS ONLY [Please DO NOT EVER SHARE your SECRET/PRIVATE-KEYS].
A more realistic way to exchange your cryptographic keys in this day & age is to send them via an Email with your PGP-KEYFILE as an attached file, or to put the PGP-key in the ASCII-Armored format on a page of your website. Either way, in order to exchange your PGP-keys you will need to export your key first:
gpg --export --armor KEY_ID > FILE_NAME.asc
OR
gpg --export -a -o FILE_NAME.asc KEY_ID
As stated before, it is better to use the "ASCII-Armored Format" as much as possible & that applies here as well [Here "-a" also means ARMOR & "-o" means OUTPUT]. The KEY_ID can be either the full 40-character FINGERPRINT or the last 12-character IDENTIFIER.
Now that you have exchanged your exported PGP-keys, it is time to IMPORT the key into your GPG-KeyRing. But before doing that you need to check the FINGERPRINT of the PGP-key & compare it with the FINGERPRINT given to you by your friend or the website you got your key from. The commands to CHECK THE FINGERPRINT OF THE KEY & IMPORT THE KEY respectively are given below:
gpg --show-keys --with-fingerprint KEY_FILE
AND THEN YOU CAN USE THIS COMMAND
gpg --import KEY_FILE
REMINDER: the KEY_FILE can come in several File-Formats like ".gpg" or, even more commonly, the ".asc" format.
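The check-then-import steps above as one shell wrapper (an added example, not from the original page): it reads the key file with --show-keys, compares the primary key's fingerprint with the one you were given, & imports only on a match. The function names & the sample listing are made up for illustration; it assumes the expected value is the full 40-character FINGERPRINT.

```sh
#!/bin/sh
# Added example, not from the original page; function names are hypothetical.
# Usage after sourcing: verify_and_import KEY_FILE "EXPECTED 40-CHAR FINGERPRINT"

# Constructed sample of colon-format output (made-up key and fingerprints).
SAMPLE_LISTING='pub:-:255:22:89ABCDEF01234567:1700000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1700000000::::Alice Example <alice@example.org>:
sub:-:255:18:FEDCBA9876543210:1700000000::::::e:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFFFEDCBA9876543210:'

# Strip spaces/colons and uppercase, so "0123 4567 ..." compares equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\n\t' | tr 'a-f' 'A-F'
}

# Print the fingerprint of every PRIMARY key in a colon listing read on stdin.
# Field 10 of the "fpr" record after "pub" is it; "fpr" after "sub" is a subkey.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# fpr_matches EXPECTED   (colon listing on stdin)
# Returns 0 = match, 1 = mismatch, 2 = EXPECTED is not a full fingerprint,
# 3 = the listing does not hold exactly one primary key.
fpr_matches() {
    expected=$(normalize_fpr "$1")
    case "$expected" in *[!0-9A-F]*) return 2 ;; esac
    [ "${#expected}" -eq 40 ] || return 2
    found=$(primary_fprs)
    [ "$(printf '%s\n' "$found" | grep -c .)" -eq 1 ] || return 3
    [ "$found" = "$expected" ]
}

# Show the key WITHOUT importing it, compare, and import only on a match.
verify_and_import() {
    if gpg --show-keys --with-colons --with-fingerprint "$1" | fpr_matches "$2"; then
        gpg --import "$1"
    else
        echo "fingerprint check failed, NOT importing $1" >&2
        return 1
    fi
}
```

A key file that carries more than one primary key is rejected as well, so an extra key cannot ride along with the one you checked.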
PGP-KEYSERVERS ↴↴↴
However, there is an even more "remote way" of getting PGP-keys & it is convenient too, although a bit, let's say, "less immediately-trustworthy" due to the potential for the PGP-keys to get poisoned [Basically, an attacker can substitute a malicious key], so it is advised to not blindly trust PGP-keys from a KeyServer. But you CAN determine the authenticity of the Key via some other means or by looking at the signatures that were used to sign the PGP-Key retrieved from the KeyServer [Provided that you TRUST THOSE PEOPLE who signed that PGP-Key, or that it was a well-known organization like "Debian.org" that signed those keys].
After verifying the authenticity of that Key, you can sign it with your own PGP-key, indicating that you TRUST THAT KEY, & then send it to the OWNER OF THE KEY, who will then upload/send the now "Signed PGP-key" to the KeyServer.
You can send your PGP-keys to the KEYSERVER of your choice via this command:
gpg --keyserver KEYSERVER_URL --send-keys KEY_ID
You can also receive a PGP-key from a KEYSERVER of your choice via this command:
gpg --keyserver KEYSERVER_URL --recv-keys KEY_ID
And of course you can search for a PGP-key in a KEYSERVER of your choice, using either the FINGERPRINT/IDENTIFIER or the EMAIL the key is registered to, via this command:
gpg --keyserver KEYSERVER_URL --search-keys KEY_ID/EMAIL
Here are some PGP-KeyServers as examples:
- hkps://keyserver.ubuntu.com (DEFAULT in GnuPG since version 2.3.2)
- hkps://keys.openpgp.org
- hkps://pgp.mit.edu
- hkps://keys.mailvelope.com (Has Email-Verification)
- hkps://pgp.surf.nl
"HKP" stands for HTTP Keyserver Protocol, or more precisely "OpenPGP HTTP Keyserver Protocol", & the "S" means secure [Kind of like the "S" in "HTTPS"]. HKP or HKPS is simply the protocol used for retrieving, uploading & searching OpenPGP public keys over HTTP/HTTPS; it is commonly used by PGP-KeyServers.