Handling an identity over multiple devices
Ingo Klöcker
kloecker at kde.org
Fri Feb 19 11:33:01 CET 2021
On Donnerstag, 18. Februar 2021 22:35:16 CET Luke via Gnupg-users wrote:
> Now in the case of multiple devices, not using subkeys would mean
> creating different keypairs, and different identities, which doesn't
> sound nice, right?
I think Andrew's suggestion to use a hardware token is good advice. I'm using
an OpenPGP token with three subkeys (sign, encrypt, authenticate). The main
key stays on one device, preferably offline.
Back to your question. I don't think using different subkeys for different
devices makes much sense.
For encryption subkeys it makes no sense at all because almost all existing
applications will encrypt only to a single subkey (typically the most recently
created one). This means that only one of your devices will be able to decrypt
something encrypted to you.
For signing subkeys it makes little sense. Yes, it would allow you to replace
the device-specific signing subkey in case the device is compromised. But I
don't see an advantage over simply replacing a common signing subkey in case
of a compromise. (Okay, one advantage would be that the replacement subkey
only needs to be deployed on one device.) Using a hardware token is much
better because it protects against compromise in the first place.
For authentication subkeys it makes sense (unless you use a hard token)
because this allows you for example to control which devices can ssh to which
machines. But you could also use plain ssh keys for this.
Regards,
Ingo