Could Someone Give me Guidance on GnuPG Key Management for Multiple Projects?

Hello there,

I am new to GnuPG and have been gradually incorporating it into my workflow for securing communications and managing cryptographic keys. I am working on several projects, each with its own set of collaborators and security requirements.

As my involvement in these projects grows, I find myself in need of some advice on best practices for managing multiple keys effectively.

Is it advisable to use separate key pairs for each project, or is it generally acceptable to use a single key pair across multiple projects? What are the pros and cons of each approach?

What are the recommended methods for securely storing multiple private keys? I am aware of hardware security modules (HSMs) and USB security tokens, but I am curious about any other strategies or tools that the community might recommend.

How should I handle key expiration and revocation when managing multiple keys? Should I set a shorter expiration date for keys used in more transient projects? How do I efficiently manage the process of renewing and distributing updated keys to collaborators? :thinking:

What are the best practices for backing up multiple keys to ensure they can be recovered in case of loss or hardware failure? Are there specific tools or techniques that the community finds particularly effective?

Also, I have gone through this post: https://forum.gnupg.org/t/issue-with-encryption-and-multiple-keys-mlops/ which definitely helped me out a lot.

Are there any scripts or tools that can help automate the process of key management, especially when dealing with multiple projects? I am particularly interested in solutions that can integrate with CI/CD pipelines.

Thank you in advance for your help and assistance. :innocent:

Hi @roberrttt,
welcome to GnuPG and end-to-end crypto with Free Software! :slight_smile:

As you have so many questions, I probably cannot answer them all. Another source for recommendations is the Gnupg-users Archives.

In many cases, one well managed key pair per person is good enough. (And enough effort to handle.) There may be special circumstances where several key pairs may be useful, but I wouldn't do it until I have a very good reason.

Assuming that you refer to Free Software Initiatives (Let's end all Free Software "projects" quickly! — Bernhard's Blog) then I'd say that it is accepted to operate with one personal key pair. There could be another one for signing the artifacts on behalf of the initiative.

A USB security token is an HSM too. One token can often store several secret keys, so it all depends on who should have access to the device in the future. If it is always you, then you can keep them all in the same token. (As always: think about backup or recovery methods.)

You could use different expiration times, but the most important thing is to use expiration at all. So you can do the recommended 2 years for encryption subkeys for all your key pairs.

That depends on the common infrastructure you are using in this group. A good way is to associate a pubkey with an email address and serve the current pubkey via the web key directory close to your email provider. For several key pairs, you could use several email addresses.

Just like one key pair. If you use hardware devices, have a second one to be placed safely (e.g. in a safe, if you have one).

> I am particularly interested in solutions that can integrate with CI/CD pipelines.

That is a special case, as those key pairs have to be available for automatic use, which means they cannot really have a passphrase. Using hardware (e.g. with USB) makes it more secure, but if someone cracks the machine that does the automatic crypto operations, they can make use of the attached hardware as often as they like until you notice. For this I would use several key pairs, and the most important point here is to secure the machines and the CI/CD processes as much as possible.

HTH, regards,
Bernhard
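As an added example (not code from either post, and not a GnuPG tool), a small Python audit that parses `gpg --with-colons --list-keys` output and flags keys that have no expiration, are already expired, or have more than the recommended two years of validity left, which is the kind of check you can run in a CI job over the keys it holds. The colon-format sample, its key IDs and user IDs are constructed, and `NOW` is pinned so the result is reproducible.

```python
import subprocess
import time

# Constructed sample of `gpg --batch --with-colons --list-keys` output with
# hypothetical key IDs (not real keys). In pub/sub records, field 5 is the key
# ID, fields 6/7 are creation/expiration in Unix seconds; empty 7 = never expires.
SAMPLE_COLONS = """\
pub:u:255:22:AAAA000000000001:1700000000:1763072000::u:::scESC::::::23::0:
uid:u::::1700000000::0000000000000000000000000000000000000000::Alice <alice@example.org>::::::::::0:
sub:u:255:18:AAAA000000000002:1700000000:1763072000:::::e::::::23:
pub:u:4096:1:BBBB000000000001:1600000000:::u:::scESC::::::23::0:
uid:u::::1600000000::0000000000000000000000000000000000000000::CI Signing <ci@example.org>::::::::::0:
sub:u:4096:1:BBBB000000000002:1600000000:1900000000:::::e::::::23:
sub:u:4096:1:BBBB000000000003:1600000000:1630000000:::::s::::::23:
"""
NOW = 1704067200  # 2024-01-01T00:00:00Z, pinned so the audit is reproducible
TWO_YEARS = 730 * 86400  # the "2 years" recommended above, in seconds


def parse_keys(colons):
    """Extract primary keys (pub) and subkeys (sub) from colon-format output."""
    keys = []
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] not in ("pub", "sub"):
            continue  # uid/fpr/tru records carry no expiration of their own
        keys.append({"kind": f[0], "keyid": f[4], "caps": f[11],
                     "created": int(f[5]),
                     "expires": int(f[6]) if f[6] else None})
    return keys


def audit(keys, now=NOW, max_validity=TWO_YEARS):
    """Return (keyid, problem) pairs for keys that violate the expiration policy."""
    findings = []
    for k in keys:
        if k["expires"] is None:
            findings.append((k["keyid"], "no expiration set"))
        elif k["expires"] <= now:
            findings.append((k["keyid"], "expired"))
        elif k["expires"] - now > max_validity:
            findings.append((k["keyid"], "more than 2 years of validity left"))
    return findings


def audit_local_keyring():
    """Run the same audit against the keyring of the current user, using the real clock."""
    out = subprocess.run(["gpg", "--batch", "--with-colons", "--list-keys"],
                         check=True, capture_output=True, text=True).stdout
    return audit(parse_keys(out), now=int(time.time()))


if __name__ == "__main__":
    for keyid, problem in audit(parse_keys(SAMPLE_COLONS)):
        print(f"{keyid}: {problem}")
```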