GPG keys for multiple email accounts

atair atair04 at googlemail.com
Sat Jul 6 20:32:17 CEST 2013


Hi all,

I want to introduce encryption to my email accounts and have hesitated
for almost a year to set up the keys/infrastructure because I
see some severe problems. Maybe you can tell me your experiences/ideas
about the concerns I have...

Situation:
I want to set up a GnuPG infrastructure for my (let's say) 20 email accounts.

1. Possible ways to implement and my concerns:
(1) I create one key pair for each email account. In case one key gets
compromised the possible damage is limited to one email account.
However, as drawback I'd have to (1) remember 20 passphrases (with for
example 20-40 characters each) and (2) type them every time I want to
read the emails. This does not seem to be very convenient... (*)
(2) I create one key with several subkeys for each email account. If
this key gets compromised I'd have to exchange all keys. This could be
a lot of work (for me and others).
(3) I create independent keys (with several subkeys) for groups of
email accounts (private/official/work/...).
(4) I create independent keys (without subkeys) and use one key for
multiple email accounts.
(*) additionally, all senders of emails to me would have to choose the
right keys for the account to send the email to. (related to 3.)

2. Maintenance:
Usually, I keep all (important) old emails locally on my hard disk.
But how should this be done with encrypted emails since the private
key might get lost or compromised one day? So far, I think it would be
necessary to decrypt all emails before archiving and store them
(unencrypted) on the encrypted (LUKS etc.) hard disk.

3. Spam/Privacy:
In case one has the public key, he/she also has the email address
attached to that key. In my opinion, this is not very useful since it
might open the door for lots of spam. Usually, I want to give my
public key only to people I know in person. So they'd know my email
address either way. Does it create problems to attach a fake email
address to the key (e.g. @example.com)? Would I be less trustworthy to
other people (that I might not know in person), or do they rely on the
network of trust (respectively, the number of people who signed my key),
even if there's an obvious fake email inscribed?

4. Transporting private keys to other computers:
Since I read my emails on laptop and PC, I need to copy the private
key to both computers. This is against the normal intention of a
"private key". How is/should this be usually done?

Thanks for suggestions,
-- atair
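The script below is an added example for this thread, not part of atair's message or of any reply. It builds the layout behind option (2) the way GnuPG actually represents it: one certify-only primary key, one user ID per mailbox (GnuPG binds addresses to user IDs, not to subkeys), and per-purpose signing and encryption subkeys with an expiry. For point 4 it then exports only the secret subkeys into a second GNUPGHOME standing in for the laptop, leaves a stub for the primary secret key there, and checks that mail encrypted on the PC to the work address still decrypts on the laptop. It assumes GnuPG 2.1 or later on PATH; the two addresses, the temp directories and the message text are constructed for the example, and the keys get an empty passphrase only so the script runs unattended.

```shell
#!/bin/sh
# Added example (not from the original post or any reply): one certify-only
# primary key, a user ID per mailbox, per-purpose subkeys, and a second
# machine holding only the secret subkeys. Assumes GnuPG >= 2.1 on PATH.
# Addresses, directories and message text are constructed for this example.
set -eu

PRIVATE_UID="Example User <private@example.org>"   # constructed address
WORK_UID="Example User <work@example.org>"         # constructed address

# gpg against a given GNUPGHOME, non-interactive, with an empty passphrase
# so no pinentry is needed. A real key would of course carry a passphrase.
gpg_in() {
  home="$1"; shift
  GNUPGHOME="$home" gpg --batch --yes --pinentry-mode loopback --passphrase '' "$@"
}

new_home() {
  # Fresh GNUPGHOME in a temp dir; prints its path.
  d=$(mktemp -d); chmod 700 "$d"; printf '%s\n' "$d"
}

build_pc_key() {
  # $1: GNUPGHOME of the "PC". Prints the primary key's fingerprint.
  # Certify-only primary: it signs UIDs and subkeys, never mail itself.
  gpg_in "$1" --quick-generate-key "$PRIVATE_UID" ed25519 cert never 2>/dev/null
  fpr=$(gpg_in "$1" --with-colons --list-keys 2>/dev/null \
        | awk -F: '/^fpr:/ { print $10; exit }')
  # Second mailbox as another UID on the same key: a sender's lookup by
  # either address resolves to this one key.
  gpg_in "$1" --quick-add-uid "$fpr" "$WORK_UID" 2>/dev/null
  # Day-to-day subkeys with an expiry; rotate them without a new primary.
  gpg_in "$1" --quick-add-key "$fpr" ed25519 sign 1y 2>/dev/null
  gpg_in "$1" --quick-add-key "$fpr" cv25519 encr 1y 2>/dev/null
  printf '%s\n' "$fpr"
}

count_uids()    { gpg_in "$1" --with-colons --list-keys "$2" 2>/dev/null | grep -c '^uid:'; }
count_subkeys() { gpg_in "$1" --with-colons --list-keys "$2" 2>/dev/null | grep -c '^sub:'; }

copy_subkeys() {
  # $1: PC home, $2: laptop home, $3: fingerprint.
  # Public key plus the secret *subkeys* only: the primary secret key stays
  # on the PC (ideally offline); the laptop imports a stub in its place.
  gpg_in "$1" --armor --export "$3" > "$1/pub.asc"
  gpg_in "$1" --armor --export-secret-subkeys "$3" > "$1/subkeys.asc"
  gpg_in "$2" --import "$1/pub.asc" "$1/subkeys.asc" 2>/dev/null
}

primary_secret_state() {
  # Prints "stub" if the home holds only subkey secrets, "full" otherwise.
  # Field 15 of a "sec" record is "#" when the secret key is unavailable.
  gpg_in "$1" --with-colons --list-secret-keys 2>/dev/null \
    | awk -F: '/^sec:/ { if ($15 == "#") print "stub"; else print "full"; exit }'
}

roundtrip() {
  # Encrypt on the PC ($1) to the work address, decrypt on the laptop ($2)
  # with the encryption subkey alone; prints the recovered plaintext.
  printf 'constructed test message\n' > "$1/msg.txt"
  gpg_in "$1" --trust-model always --armor -r work@example.org \
    -e -o "$1/msg.asc" "$1/msg.txt" 2>/dev/null
  gpg_in "$2" --decrypt "$1/msg.asc" 2>/dev/null
}

cleanup() {
  # Stop the agents started for the temp homes and remove the directories.
  for h in "$@"; do
    GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$h"
  done
}

# Walkthrough; only runs when gpg is present so the functions can be sourced.
if command -v gpg >/dev/null 2>&1; then
  pc=$(new_home); laptop=$(new_home)
  fpr=$(build_pc_key "$pc")
  echo "key $fpr: $(count_uids "$pc" "$fpr") uids, $(count_subkeys "$pc" "$fpr") subkeys"
  copy_subkeys "$pc" "$laptop" "$fpr"
  echo "primary secret on PC: $(primary_secret_state "$pc"), on laptop: $(primary_secret_state "$laptop")"
  echo "laptop decrypts: $(roundtrip "$pc" "$laptop")"
  cleanup "$pc" "$laptop"
fi
```

The laptop listing shows `sec#`, the stub, so a stolen laptop yields the subkeys but not the certification key: the subkeys can be revoked and replaced from the PC without anyone having to re-sign the primary key. Note that in GnuPG the first `fpr:` record after `pub:` is the primary key's fingerprint, which is why `awk` stops at the first match.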
