Advice on key set-up for work at employer

Daniel Kahn Gillmor dkg at
Thu Aug 4 15:13:38 CEST 2016

On Wed 2016-08-03 20:37:00 -0400, taltman wrote:
> 1. Create a new GPG keyring specific for my identity with my employer
> 2. Cross-sign my existing personal GPG key with the employer-specific
> GPG key
> 3. Do proper key hygiene things (backups, revocation certs, etc.) on
> employer-specific key

yes, this is a sensible plan.

> It seems with this set-up I can simply just turn over the password to
> the private key of the employer-specific GPG keyring if I'm ever
> obligated to give them access to their files. This keeps a nice clean
> separation between their property, and my personal GPG keyring. When it
> comes time to end my time at the employer, I can revoke the
> employer-specific key. If I no longer am able to use the
> employer-specific GPG keyring, I can at least revoke my signature of the
> employer-specific keyring if my former employer gains the password to
> the keyring.

Even better -- if you need to leave the workplace, you can:

 0) revoke the primary key entirely and publish the revocation.

 1) destroy the primary secret key.

 2) give your employers the secret key material for the
    *encryption-capable* subkey only.

The rationale for this is that while they may need access to your
confidential work-related communications, they don't need to be able to
masquerade as you (signing documents, certifying other keys, etc).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 948 bytes
Desc: not available
URL: </pipermail/attachments/20160804/6d357d28/attachment.sig>

More information about the Gnupg-users mailing list