PGP Tool

Learn · 6 min read · 2026-04-12

How to import and verify a public key

Anyone can claim to publish a PGP public key. Verifying it before you encrypt prevents you from sending secrets to the wrong person. Here is the workflow.

Importing a public key is trivial — paste it into the Key Inspector and you have it. Verifying it is where most people stop, and where most failures happen. A message encrypted to the wrong recipient's key is no better than no encryption at all.

This piece walks through both halves: get the key, confirm it is the right one, then use it.

What the public key actually is

A public key is a long block of armored ASCII that anyone may hold and pass on. It carries the algorithm, the identities (names and emails), and the creation/expiry timestamps, and it determines the fingerprint, which is computed from the key material itself. The fingerprint — a 40-character hex string — is the only piece you should treat as the canonical identifier. Names and emails can be set to anything by the key's creator, and changing them does not change the fingerprint.

Step 1 — Get the key

  • From a keyserver: keys.openpgp.org is the modern keyserver. Search by email or fingerprint, copy the armored block.
  • From the recipient's website: many people publish their public key on a personal site or a /.well-known/openpgpkey/ route.
  • From an email signature: some folks embed their public key in their email footer.
  • In person: if you meet someone, exchange fingerprints over a USB drive or QR code and avoid the network entirely.

Step 2 — Inspect it

  1. Open the Key Inspector tool.
  2. Paste the armored key block.
  3. Read the fingerprint, expiry date, key type, and identities.
  4. Note the fingerprint — that 40-char hex string — somewhere safe.

Step 3 — Verify the fingerprint

This is the step that turns "I have a key claiming to belong to Alice" into "I have Alice's key". Compare the full fingerprint you see with one you obtain from a different channel — a printed business card, a published bio, a transparency log, a phone call where Alice reads it out loud. A matching name or email address proves nothing; only a matching fingerprint does. If the fingerprints match, you can treat the key as genuine.

If the fingerprints do not match, do not encrypt to that key. Either the version you imported is forged, or the version on the other channel is. Investigate before sending anything sensitive.
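To make concrete what Steps 2 and 3 rely on, here is an added example (not code from this page or from the Key Inspector) that decodes an armored public key block, checks its CRC-24 armor checksum, computes the v4 fingerprint from the key packet, lists the identities, and compares a fingerprint against one obtained out of band. The key it parses is constructed inside the script with a dummy modulus, so it is not a real key; the parsing itself follows RFC 4880. Change the User ID and the fingerprint stays the same, which is why names and emails cannot serve as the identifier.

```python
"""Read an armored OpenPGP public key and compute its v4 fingerprint (RFC 4880).
Added example: not code from the PGP Tool page or its Key Inspector. Covers
ASCII armor + CRC-24, old/new packet headers, and the v4 fingerprint
SHA-1(0x99 || 2-byte length || public-key packet body). Sample key is CONSTRUCTED."""
import base64
import hashlib
import re
import struct

def crc24(data: bytes) -> int:
    """RFC 4880 6.1 armor checksum: init 0xB704CE, polynomial 0x1864CFB."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(armored: str) -> bytes:
    """Strip armor and base64-decode; reject a block whose CRC-24 line does not match."""
    lines = [ln.rstrip("\r") for ln in armored.strip().splitlines()]
    if lines[0] != "-----BEGIN PGP PUBLIC KEY BLOCK-----":
        raise ValueError("not an armored public key block")
    body = lines[1:-1]
    if "" in body:                         # armor headers (Version:, Comment:) end at a blank line
        body = body[body.index("") + 1:]
    checksum = base64.b64decode(body.pop()[1:]) if body and body[-1].startswith("=") else None
    data = base64.b64decode("".join(body))
    if checksum is not None and checksum != struct.pack(">I", crc24(data))[1:]:
        raise ValueError("armor CRC-24 mismatch: the pasted block is corrupted or truncated")
    return data

def read_packet(data: bytes, offset: int = 0):
    """Return (tag, body, next_offset) for the packet at offset; old- and new-format headers."""
    ctb = data[offset]
    if ctb & 0x40:                         # new-format header, RFC 4880 4.2.2
        tag, first = ctb & 0x3F, data[offset + 1]
        if first < 192:
            length, hdr = first, 2
        elif first < 224:
            length, hdr = ((first - 192) << 8) + data[offset + 2] + 192, 3
        elif first == 255:
            length, hdr = int.from_bytes(data[offset + 2:offset + 6], "big"), 6
        else:
            raise ValueError("partial body lengths are not supported")
    else:                                  # old-format header, RFC 4880 4.2.1
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length is not supported")
        hdr = 1 + (1, 2, 4)[ltype]
        length = int.from_bytes(data[offset + 1:offset + hdr], "big")
    start = offset + hdr
    return tag, data[start:start + length], start + length

def fingerprint(armored: str) -> str:
    """The canonical identifier: a hash of the key material, never of the names or emails."""
    tag, body, _ = read_packet(dearmor(armored))
    if tag != 6:
        raise ValueError(f"first packet has tag {tag}, expected a public-key packet (tag 6)")
    if body[0] != 4:
        raise ValueError("only version 4 keys are handled here")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def user_ids(armored: str) -> list:
    """Identities (tag 13 packets): free text chosen by whoever created the key."""
    data, offset, ids = dearmor(armored), 0, []
    while offset < len(data):
        tag, body, offset = read_packet(data, offset)
        if tag == 13:
            ids.append(body.decode("utf-8"))
    return ids

def same_fingerprint(shown: str, out_of_band: str) -> bool:
    """Compare ignoring spacing and case; insist on a full 40-hex-digit v4 fingerprint."""
    a, b = (re.sub(r"[^0-9a-fA-F]", "", s).upper() for s in (shown, out_of_band))
    return len(a) == 40 and a == b

# Constructed sample key below: a dummy 256-bit modulus, not a usable RSA key.
DUMMY_MODULUS = bytes([0xC3]) + bytes(range(1, 32))

def mpi(value: bytes) -> bytes:            # RFC 4880 3.2; value has no leading zero bytes
    return struct.pack(">H", (len(value) - 1) * 8 + value[0].bit_length()) + value

def old_packet(tag: int, body: bytes) -> bytes:
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

def armor(packets: bytes) -> str:
    b64 = base64.b64encode(packets).decode()
    crc = base64.b64encode(struct.pack(">I", crc24(packets))[1:]).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", ""]
                     + [b64[i:i + 64] for i in range(0, len(b64), 64)]
                     + ["=" + crc, "-----END PGP PUBLIC KEY BLOCK-----"])

def build_key(uid: str, modulus: bytes = DUMMY_MODULUS) -> str:
    """v4 RSA public-key packet (version, time, algo 1, MPI n, MPI e) plus one User ID packet."""
    key = b"\x04" + struct.pack(">I", 1700000000) + b"\x01" + mpi(modulus) + mpi(b"\x01\x00\x01")
    return armor(old_packet(6, key) + old_packet(13, uid.encode("utf-8")))
```

Two points worth noticing when you run it. The CRC-24 check catches a truncated or mangled paste, nothing more: anyone who alters a key can recompute the checksum, so it is an integrity check against accidents, not a substitute for Step 3. And same_fingerprint refuses anything shorter than the full 40 hex digits, so a partial string read off a card or a bio cannot pass as a verified match.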

Step 4 — Use it

Once verified, the key is safe to use in Encrypt, JSON Encryptor, File Encrypt, or any other tool that takes a public key. Save the fingerprint with the key in your notes so you do not have to repeat the verification next time.