The PGP Encryption Server Keyserver service allows remote lookups of PGP public keys and S/MIME certificates over LDAP (port 389) and LDAPS (port 636) either from the internal network or over the Internet.
This article will discuss the purpose of a Keyserver that can be enabled on the PGP Encryption Server and the best practices surrounding this topic.
A Keyserver is a server that stores, manages, and makes keys available for lookup. Keyservers are usually reachable either from an internal network or from an external network such as the Internet.
An example of a public Keyserver is "keyserver.pgp.com" which is a public service provided by Broadcom to allow anyone to submit their keys.
Once the keys are submitted, anyone can then search this key repository (Keyserver) to be able to find the keys and encrypt to them.
Because keys are validated before they are published, the keyserver.pgp.com service is a reliable way to exchange keys.
It is also possible to maintain your own Keyserver, either as your own Verified Key Directory or simply by storing keys on the PGP Encryption Server and allowing external sources to search that server.
Keyserver searches are typically done over port 389 for LDAP or port 636 for LDAPS (Secure LDAP). Using the PGP "Universal Services Protocol" (USP), it is also possible to search for keys securely as an alternative to LDAPS.
For example, the PGP Encryption Desktop client can be allowed to search anyone's public Keyserver.
As you can see in the screenshot above, PGP Encryption Desktop can search a Keyserver and find other users' keys.
Ports 389 and 636 can both be used, but where possible LDAPS (636) or USP is the better option, because the session itself is encrypted.
If you go to keyserver.pgp.com and search the same user, you will find the same key, but through the Global Directory's web portal:
You can't see the port being used, but the web portal always uses port 443 for secure TLS.
If you modify your Keyserver, you can change the protocol to "USP" for secure key queries:
Keyservers are very helpful for finding the keys of recipients to whom many users need to send encrypted data.
You can use the public Keyserver or your own. In both cases, it's always recommended to use the secure protocols to find the keys.
By default, PGP Encryption Desktop (Symantec Encryption Desktop) clients do not use the Keyserver service to look up keys.
Instead, all key lookups are done over HTTPS. Managed installations of PGP Command Line also search for keys over HTTPS by default.
For general help using PGP Command Line, see the following article:
PGP Command Line also does have the ability to use a "Keyserver" in order to store and manage its keys in the form of the PGP Encryption Server's "Key Management Server" or KMS.
With each purchase of PGP Command Line, the PGP Encryption Server is included so that you can store all your keys in a centralized location rather than in keyrings local to the server on which PGP Command Line is installed.
For example, if you have multiple servers where PGP Command Line is installed, you can host the keyring files locally, but in that case all keys have to be maintained manually and are specific to each server.
That means each server has its own set of keys, and you must also ensure that users with access to the server do not have access to the keys. KMS, accessed over USP, provides a way to manage, store, and search for keys securely so that every one of your PGP Command Line installations works from a central location.
For more information on USP/Key Management Server (KMS) or USP with PGP Command Line, see the following article:
159237 - Using PGP Command Line with Encryption Management Server (USP)
The Keyserver service is required only if:
To disable the Keyserver service:
Note that disabling the Keyserver service will not prevent the PGP Encryption Server from searching for keys on remote hosts such as the PGP Global Directory using LDAP or LDAPS, provided this is permitted by the organization's firewall.
If remote Internet hosts are permitted to search for keys on the PGP Encryption Server, it is possible to restrict such access by source IP address or range. However, restricting access and still running a public key server are clearly incompatible objectives:
Note on Keyserver service "Stopped" but enabled: If you do use the Keyserver service and you have the service enabled but the service is stopped, make sure all the PGP services are running. If they all are, then check the System > Network tab to ensure a proper TLS certificate has been assigned and if not, assign one. Once this has been done, restart services and the Keyserver service should be working again.
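The points above about preferring LDAPS (636) or USP over cleartext LDAP (389), about restricting remote Keyserver access by source IP, and about confirming that a proper TLS certificate is assigned can be checked with a small script. The following is an added example and is not Broadcom/Symantec code: it audits a constructed inventory of Keyserver entries, evaluates a source address against constructed allowed ranges, and offers an optional live LDAPS certificate check. The hostnames `keys.example.internal` and `kms.example.internal`, the port assigned to the USP entry, and the allowed ranges are all assumptions made for illustration; the page does not state a USP port.

```python
"""Keyserver exposure audit helpers (added example, not product code).

Assumes an inventory of configured Keyserver entries as (host, port, protocol)
tuples and a list of permitted source ranges in CIDR notation. The sample data
below is constructed for illustration.
"""
import ipaddress
import socket
import ssl

# Transport classification from the article: LDAP (389) is cleartext,
# LDAPS (636) and USP are encrypted sessions. The conventional port per
# protocol is used only to flag a port/protocol mismatch as worth a look.
CONVENTIONAL_PORT = {"LDAP": 389, "LDAPS": 636}


def classify_transport(protocol: str) -> str:
    """Return 'cleartext', 'encrypted' or 'unknown' for a lookup protocol."""
    proto = protocol.strip().upper()
    if proto in ("LDAPS", "USP"):
        return "encrypted"
    if proto == "LDAP":
        return "cleartext"
    return "unknown"


def audit_keyservers(entries):
    """Return findings for entries whose lookups would travel in the clear
    or whose port does not match the protocol's conventional port."""
    findings = []
    for host, port, protocol in entries:
        proto = protocol.strip().upper()
        transport = classify_transport(proto)
        if transport == "cleartext":
            findings.append({
                "host": host, "port": port, "protocol": proto,
                "issue": "cleartext key lookup",
                "mitigation": "switch this entry to LDAPS (636) or USP",
            })
        elif proto in CONVENTIONAL_PORT and port != CONVENTIONAL_PORT[proto]:
            findings.append({
                "host": host, "port": port, "protocol": proto,
                "issue": "port does not match protocol",
                "mitigation": f"verify the listener; {proto} is normally {CONVENTIONAL_PORT[proto]}",
            })
    return findings


def source_permitted(source_ip: str, allowed_ranges) -> bool:
    """True if source_ip falls within any of the allowed CIDR ranges.
    Models the per-address restriction the article describes for a
    Keyserver that is reachable from the Internet."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in allowed_ranges)


def ldaps_certificate(host: str, port: int = 636, timeout: float = 5.0) -> dict:
    """Live check (performs a network connection; not exercised offline).
    Opens a TLS session to the LDAPS listener with chain and hostname
    verification and returns the peer certificate's CN and expiry. An
    ssl.SSLError here is the symptom to expect when no proper TLS
    certificate has been assigned under System > Network."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            version = tls.version()
    subject = dict(rdn[0] for rdn in cert.get("subject", ()))
    return {"commonName": subject.get("commonName"),
            "notAfter": cert.get("notAfter"), "tls": version}


# Constructed sample inventory; the USP port is an assumption for illustration.
SAMPLE_KEYSERVERS = [
    ("keyserver.pgp.com", 636, "LDAPS"),
    ("keys.example.internal", 389, "LDAP"),
    ("kms.example.internal", 443, "USP"),
]
# Constructed allowed source ranges (documentation address space).
SAMPLE_ALLOWED = ["10.0.0.0/8", "203.0.113.0/24"]


if __name__ == "__main__":
    for f in audit_keyservers(SAMPLE_KEYSERVERS):
        print(f"{f['host']}:{f['port']} {f['protocol']} - {f['issue']}; {f['mitigation']}")
    for ip in ("10.20.30.40", "198.51.100.7"):
        print(ip, "permitted" if source_permitted(ip, SAMPLE_ALLOWED) else "denied")
```

Run the script as-is to see the constructed inventory audited; to check a real listener, call `ldaps_certificate("your.keyserver.host")` from a host that is allowed to reach port 636. The audit only reasons about the configured protocol and port, so it is a configuration review, not a substitute for confirming what the server actually listens on.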
You may decide to delete your "keyserver.pgp.com" entries on the PGP Encryption Server settings so that whenever key lookups are performed, they are done only for internal lookups.
After upgrading, you may notice the Keyservers reappear. This is due to an upgrade routine that adds the Keyserver service back.
If you delete this entry and would not like it to reappear after an update of the PGP Server, reach out to Symantec Encryption Support and provide the following ID to be added to the request:
EPG-29644
The Keyserver service is enabled by default. Security practices recommend enabling only services that are being used to reduce the attack surface and disabling services that are not required.
Note that it is always recommended to update to the latest version of PGP Encryption Server to mitigate reported security issues. See article 157729 for further details.