Advice on key set-up for work at employer
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Thu Aug 4 15:13:38 CEST 2016
On Wed 2016-08-03 20:37:00 -0400, taltman wrote:
> 1. Create a new GPG keyring specific for my identity with my employer
> 2. Cross-sign my existing personal GPG key with the employer-specific
> GPG key
> 3. Do proper key hygiene things (backups, revocation certs, etc.) on
> employer-specific key
Yes, this is a sensible plan.
> It seems with this set-up I can simply just turn over the password to
> the private key of the employer-specific GPG keyring if I'm ever
> obligated to give them access to their files. This keeps a nice clean
> separation between their property, and my personal GPG keyring. When it
> comes time to end my time at the employer, I can revoke the
> employer-specific key. If I no longer am able to use the
> employer-specific GPG keyring, I can at least revoke my signature of the
> employer-specific keyring if my former employer gains the password to
> the keyring.
Even better -- if you need to leave the workplace, you can:
0) revoke the primary key entirely and publish the revocation.
1) destroy the primary secret key.
2) give your employers the secret key material for the *encryption-capable* subkey only.
The rationale for this is that while they may need access to your
confidential work-related communications, they don't need to be able to
masquerade as you (signing documents, certifying other keys, etc.).
--dkg
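An added example, not from dkg's message, showing step 2 as a shell script: it exports only the encryption subkey's secret material and checks a `gpg --list-packets` listing to confirm the primary key went out as a stub rather than as a usable secret key. `ENC_SUBKEY_FPR`, `export_enc_subkey`, `check_stub_only` and the two sample listings are my own names and constructed data, not anything from the post.

```shell
#!/bin/sh
# Added example, not part of dkg's post.  Hand over only the secret
# material of the encryption-capable subkey (step 2 of the reply) and
# verify that the export carries no usable primary secret key.
# Assumes GnuPG 2.x; the fingerprint is a placeholder you must replace.
set -eu

ENC_SUBKEY_FPR="${ENC_SUBKEY_FPR:-ENC_SUBKEY_FINGERPRINT_PLACEHOLDER}"

# The trailing "!" makes gpg export exactly this subkey instead of every
# subkey under the primary.  --export-secret-subkeys writes the primary
# key as a "gnu-dummy" stub, so the signing/certifying secret stays home.
export_enc_subkey() {
    gpg --armor --export-secret-subkeys "${ENC_SUBKEY_FPR}!" > "$1"
}

# Read a `gpg --list-packets` listing on stdin; succeed only if the single
# primary secret key packet is a gnu-dummy stub and at least one secret
# subkey packet is present (exit status 0 = safe to hand over).
check_stub_only() {
    awk '
        /^:secret key packet:/     { in_primary = 1; primaries++; next }
        /^:secret sub key packet:/ { in_primary = 0; subkeys++;   next }
        /^:/                       { in_primary = 0; next }
        in_primary && /gnu-dummy S2K/ { stubs++ }
        END { exit !(primaries == 1 && stubs == 1 && subkeys >= 1) }'
}

# Constructed listings in the shape of --list-packets output (made-up key
# ids) so the checker can be exercised without touching a real keyring.
GOOD_LISTING=':secret key packet:
	gnu-dummy S2K, algo: 0, simple checksum, hash: 0
	keyid: 0123456789ABCDEF
:secret sub key packet:
	iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: 0011223344556677
	keyid: FEDCBA9876543210'
# What --export-secret-keys would produce instead: the primary is real.
BAD_LISTING=':secret key packet:
	iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: 0011223344556677
	keyid: 0123456789ABCDEF
:secret sub key packet:
	iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: 0011223344556677
	keyid: FEDCBA9876543210'

# Usage: sh handover.sh run  -> writes handover.asc and checks it.
if [ "${1:-}" = "run" ]; then
    export_enc_subkey handover.asc
    gpg --list-packets handover.asc | check_stub_only && echo "primary key is a stub; handover.asc is safe to hand over"
fi
```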