
I'm fairly new to the world of pgp/gpg, I came to it first through Keybase and then the gpg client and now I think I'm in a place where I'm quite happy with my key setup. I've just started a new job and I use my new work email address to make git commits to our projects. To sign my git tags I need to of course add my work email address to my key. However I already have a number of email addresses attached to it, 2 gmail variants (@gmail.com and @googlemail.com) and two from different domains that I own.

My question is, is there a risk to having many uids on a gpg key, and are there any risks to adding a corporate-controlled email address to my key, or should I generate separate ones for work?

My risk profile feels fairly low; I'm a relatively average and unknown software engineer. I don't work in a secure environment and the most I use my key for is signing git tags. I use a YubiKey NEO for my day-to-day signing, encryption, and authentication RSA keys, and I don't intend to keep the private keys on my work laptop; I intend to only use a YubiKey (or similar smartcard device). I am open to generating keys just for my job, but since my job isn't secret or something I need complete separation for, I figured managing one set of keys would be simpler.

As I said, I'm pretty new to pgp and gpg. I'm enjoying learning it and feel I have a good grasp, but I'm looking to ensure I don't make any major mistakes or open myself up in a silly way when considering this.

1 Answer

It may be useful to use different subkeys for each distinct purpose in order to compartmentalize them. You may want to have one subkey for the email you use for your personal correspondence, and another subkey for work-related emails. You can have yet another for git. While you don't have to do this, it's often a good idea to minimize the exposure each key gets. Even if your work is not particularly sensitive or you don't think you're at risk, it's always a good idea to ensure that no one who manages to steal your key through personal channels can reuse it for other purposes.

There are a few other benefits to using multiple subkeys:

  • Each subkey can use a different password of a different strength.

  • You can set the expiration date for each subkey differently.

  • You can revoke individual subkeys, for example if you quit your job.

  • It gives better granularity if you are part of the Web of Trust.

forest
  • Thanks for the answer! I wasn't aware I could attach a uid to a specific key, is this the case or is it done via some sort of comment against the key / uid which people follow by convention? – Elliot Blackburn Nov 23 '18 at 10:25
  • I think I found the answer to my comment here https://security.stackexchange.com/questions/92635/is-it-possible-to-assign-different-uids-to-subkeys-for-the-purpose-of-having-mul it seems the idea would be create another signing sub-key and just use that for signing things at work. – Elliot Blackburn Nov 23 '18 at 15:22
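Added example (editor's code, not part of the original answer or comments): as the comment thread resolves, a subkey is not bound to a particular user ID, so "the work signing subkey" is whichever signing subkey you tell git to use. The script below parses the machine-readable output of `gpg --with-colons --list-secret-keys <keyid>` (the colon-separated record layout from GnuPG's doc/DETAILS), lists which signing subkeys are still usable (skipping revoked and expired ones, the cases the answer's expiry and revocation bullets are about), and emits the `git config` lines that pin one subkey by fingerprint. The trailing `!` on `user.signingkey` tells gpg to use exactly that subkey rather than picking one itself. The key listing embedded below is constructed for the example; its fingerprints, key IDs, card serial number and user IDs are made up, and the helper names are the example's own.

```python
"""Inventory the subkeys on a GnuPG key and build the git config that pins
one signing subkey to a repository.

Example code written for this page, not from the original post.  Parses
`gpg --with-colons --list-secret-keys` output; field positions follow
GnuPG's doc/DETAILS.  SAMPLE_LISTING is constructed: every identifier in it
is made up.
"""
import time
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: one primary key with two user IDs and five subkeys:
# an encryption subkey, an active signing subkey with no expiry, a revoked
# signing subkey (an old job), a signing subkey that expires in 2027 (the
# current job) and a signing subkey that expired in 2015.
SAMPLE_LISTING = """\
sec:u:4096:1:0A1B2C3D4E5F6A7B:1500000000:::u:::scESC:::+:::23::0:
fpr:::::::::9A0B1C2D3E4F5A6B7C8D9E0F1A2B3C4D0A1B2C3D:
uid:u::::1500000000::0123456789ABCDEF0123456789ABCDEF01234567::Alice Example <alice@example.net>::::::::::0:
uid:u::::1500000000::76543210FEDCBA9876543210FEDCBA9876543210::Alice Example <alice@work.example>::::::::::0:
ssb:u:4096:1:1111222233334444:1500000000::::::e:::D2760001240102010006012345670000:::23:
fpr:::::::::1111111111111111111111111111111111112222:
ssb:u:4096:1:5555666677778888:1500000000::::::s:::D2760001240102010006012345670000:::23:
fpr:::::::::5555555555555555555555555555555555556666:
ssb:r:4096:1:99990000AAAABBBB:1500000000::::::s:::D2760001240102010006012345670000:::23:
fpr:::::::::9999999999999999999999999999999999990000:
ssb:u:4096:1:CCCCDDDDEEEEFFFF:1600000000:1800000000:::::s:::D2760001240102010006012345670000:::23:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDD:
ssb:e:4096:1:1234123412341234:1400000000:1450000000:::::s:::D2760001240102010006012345670000:::23:
fpr:::::::::1234123412341234123412341234123412341234:
"""


@dataclass
class Subkey:
    keyid: str
    validity: str             # field 2: r revoked, e expired, d disabled, i invalid, u/f/m usable
    capabilities: str         # field 12: s sign, e encrypt, a auth, c certify
    created: int              # field 6: unix seconds
    expires: Optional[int]    # field 7: unix seconds, None = never expires
    token: str                # field 15: '+' key in keyring, '#' stub only, else smartcard S/N
    fingerprint: str = ""     # from the fpr record that follows the ssb record


@dataclass
class SecretKey:
    keyid: str
    fingerprint: str = ""
    uids: List[str] = field(default_factory=list)
    subkeys: List[Subkey] = field(default_factory=list)

    def usable_signing_subkeys(self, now: Optional[float] = None) -> List[Subkey]:
        """Signing-capable subkeys that are not revoked, expired, disabled or invalid."""
        now = time.time() if now is None else now
        return [s for s in self.subkeys
                if "s" in s.capabilities
                and s.validity not in ("r", "e", "d", "i")
                and (s.expires is None or s.expires > now)]

    def subkey(self, fingerprint: str) -> Subkey:
        """Look a subkey up by its full fingerprint (case-insensitive)."""
        for s in self.subkeys:
            if s.fingerprint == fingerprint.upper():
                return s
        raise KeyError(f"no subkey with fingerprint {fingerprint}")


def parse_secret_listing(text: str) -> List[SecretKey]:
    """Parse `gpg --with-colons --list-secret-keys` output into SecretKey objects."""
    keys: List[SecretKey] = []
    last = None  # the most recent sec/ssb record, which the next fpr record belongs to
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "sec":
            last = SecretKey(keyid=f[4])
            keys.append(last)
        elif f[0] == "ssb" and keys:
            last = Subkey(keyid=f[4], validity=f[1], capabilities=f[11],
                          created=int(f[5] or 0),
                          expires=int(f[6]) if f[6] else None,
                          token=f[14] if len(f) > 14 else "")
            keys[-1].subkeys.append(last)
        elif f[0] == "fpr" and last is not None:
            last.fingerprint = f[9]
        elif f[0] == "uid" and keys:
            keys[-1].uids.append(f[9])
    return keys


def git_signing_config(subkey: Subkey, email: str) -> List[str]:
    """Per-repository git config that signs tags with exactly this subkey."""
    if "s" not in subkey.capabilities:
        raise ValueError(f"subkey {subkey.keyid} cannot sign (capabilities: {subkey.capabilities!r})")
    return [
        f"git config user.email {email}",
        f"git config user.signingkey {subkey.fingerprint}!",  # '!' pins this subkey
        "git config tag.gpgSign true",
    ]


def describe(subkey: Subkey, now: Optional[float] = None) -> str:
    """One-line status for a subkey inventory."""
    now = time.time() if now is None else now
    if subkey.validity == "r":
        state = "REVOKED"
    elif subkey.validity == "e" or (subkey.expires is not None and subkey.expires <= now):
        state = "EXPIRED"
    else:
        state = "ok, expires " + (time.strftime("%Y-%m-%d", time.gmtime(subkey.expires))
                                  if subkey.expires else "never")
    where = {"+": "on disk", "#": "stub only"}.get(subkey.token, f"card {subkey.token}")
    return f"{subkey.fingerprint} [{subkey.capabilities}] {state} ({where})"


if __name__ == "__main__":
    key = parse_secret_listing(SAMPLE_LISTING)[0]
    print("primary", key.fingerprint, "uids:", ", ".join(key.uids))
    for s in key.subkeys:
        print(" ", describe(s))
    work = key.subkey("CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDD")
    print("\n".join(git_signing_config(work, "alice@work.example")))
```

Run it against your own key with `gpg --with-colons --list-secret-keys <keyid> | python3 subkeys.py` after swapping `SAMPLE_LISTING` for `sys.stdin.read()`. Revoking the work subkey later (`gpg --edit-key <keyid>`, `key N`, `revkey`) makes it show as REVOKED here and drops it from `usable_signing_subkeys`, while the personal subkeys keep working.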