Handling an identity over multiple devices

Ingo Klöcker kloecker at kde.org
Fri Feb 19 11:33:01 CET 2021


On Donnerstag, 18. Februar 2021 22:35:16 CET Luke via Gnupg-users wrote:
> Now in the case of multiple devices, not using subkeys would mean
> creating different keypairs, and different identities, which doesn't
> sound nice, right?

I think Andrew's suggestion to use a hardware token is good advice. I'm using 
an OpenPGP token with three subkeys (sign, encrypt, authenticate). The main 
key stays on one device, preferably offline.

Back to your question. I don't think using different subkeys for different 
devices makes much sense.

For encryption subkeys it makes no sense at all because almost all existing 
applications will encrypt only to a single subkey (typically the most recently 
created one). This means that only one of your devices will be able to decrypt 
something encrypted to you.

For signing subkeys it makes little sense. Yes, it would allow you to replace 
the device-specific signing subkey in case the device is compromised. But I 
don't see an advantage over simply replacing a common signing subkey in case 
of a compromise. (Okay, one advantage would be that the replacement subkey 
only needs to be deployed on one device.) Using a hardware token is much 
better because it protects against compromise in the first place.

For authentication subkeys it makes sense (unless you use a hard token) 
because this allows you for example to control which devices can ssh to which 
machines. But you could also use plain ssh keys for this.

Regards,
Ingo
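Added example, not part of Ingo's message: a small auditor for the machine-readable output of `gpg -K --with-colons` that makes two of the points above checkable on one's own key. It picks the encryption subkey that most applications will encrypt to (the most recently created, non-expired encryption-capable subkey), so you can see which single device will be able to decrypt, and it reports for each subkey whether the secret lives on a hardware token, on disk, or is absent (an offline primary). The sample listing is constructed; the key IDs and token serial number are placeholders, and the field layout follows gpg's doc/DETAILS description of the colon format (field 15 of sec/ssb records carries the token serial number, or '#' for a stub).

```python
"""Audit subkeys from a `gpg -K --with-colons` listing (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample listing, not a real key. Fields (1-based) per gpg's
# doc/DETAILS: 1 record type, 5 key ID, 6 creation time, 7 expiry,
# 12 capabilities (lowercase = this key's own), 15 token serial number
# ('#' = stub without secret material, empty = secret stored on disk),
# 17 curve name. Times are seconds since the epoch.
SAMPLE_LISTING = """\
sec:u:255:22:0123456789ABCDEF:1580000000:::u:::cESCA:::#::ed25519::
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1580000000::UIDHASH::Example User <user@example.invalid>::::::::::0:
ssb:u:255:22:1111111111111111:1580000100::::::s:::D2760001240103040006000000010000::ed25519::
ssb:u:255:18:2222222222222222:1580000200::::::e:::D2760001240103040006000000010000::cv25519::
ssb:u:255:18:3333333333333333:1600000000::::::e::::::cv25519::
ssb:u:255:18:5555555555555555:1610000000:1611000000:::::e::::::cv25519::
ssb:u:255:22:4444444444444444:1580000300::::::a:::D2760001240103040006000000010000::ed25519::
"""


@dataclass
class KeyRecord:
    keyid: str
    created: int
    expires: Optional[int]
    caps: str       # lowercase letters: e (encrypt), s (sign), a (auth), c (certify)
    serial: str     # raw field 15
    curve: str

    @property
    def location(self) -> str:
        """Where the secret half lives, derived from field 15 (assumption: see above)."""
        if self.serial == "#":
            return "absent"            # stub: secret material not on this machine
        if self.serial in ("", "+"):
            return "disk"
        return "token:" + self.serial  # card-backed key


def parse_listing(text: str) -> List[KeyRecord]:
    """Extract primary (sec) and subkey (ssb) records; other record types are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] not in ("sec", "ssb"):
            continue
        fields += [""] * (21 - len(fields))  # pad so short records index safely
        records.append(KeyRecord(
            keyid=fields[4],
            created=int(fields[5]),
            expires=int(fields[6]) if fields[6] else None,
            caps=fields[11],
            serial=fields[14],
            curve=fields[16],
        ))
    return records


def is_usable(key: KeyRecord, now: int) -> bool:
    return key.expires is None or key.expires > now


def encryption_subkey_in_use(keys: List[KeyRecord], now: int) -> Optional[KeyRecord]:
    """Mirror the common application behaviour the post describes: encrypt only to
    the most recently created, non-expired encryption-capable subkey."""
    candidates = [k for k in keys if "e" in k.caps and is_usable(k, now)]
    if not candidates:
        return None
    return max(candidates, key=lambda k: k.created)


def audit(text: str, now: int) -> Dict[str, object]:
    keys = parse_listing(text)
    chosen = encryption_subkey_in_use(keys, now)
    return {
        "encrypt_to": chosen.keyid if chosen else None,
        "encrypt_to_location": chosen.location if chosen else None,
        "on_token": sorted(k.keyid for k in keys if k.location.startswith("token:")),
        "on_disk": sorted(k.keyid for k in keys if k.location == "disk"),
        "absent": sorted(k.keyid for k in keys if k.location == "absent"),
        "auth_subkeys": sorted(k.keyid for k in keys if "a" in k.caps),
        "expired": sorted(k.keyid for k in keys if not is_usable(k, now)),
    }


if __name__ == "__main__":
    for name, value in audit(SAMPLE_LISTING, now=1620000000).items():
        print(f"{name:>20}: {value}")
```

Run it against your own key with `gpg -K --with-colons | python3 audit.py` after replacing `SAMPLE_LISTING` with `sys.stdin.read()`. In the constructed sample the newest encryption subkey (3333…) sits on disk rather than on the token, which is exactly the situation the post warns about: a second encryption subkey does not give a second device decryption ability, it silently takes it away from the token.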