I’ve been using GPG for a while now, mainly for encrypting emails and securing files. Recently, I’ve found myself juggling multiple GPG keys for different purposes (personal, work, and a couple of side projects). It’s starting to feel a bit overwhelming to keep track of everything.
I’m curious if anyone here has some tips or best practices for managing multiple GPG keys efficiently? How do you organize them, and are there any tools or workflows that make the process smoother?
From my experience, your setup has to be simple enough to be usable in many situations and for a long time. So using and managing one key pair well is a good start from my perspective, even if this key pair is used for personal, work and side things. It is all you, so often it is okay to have one key pair.
Another thing I believe is a good idea is to set key expiration times on all public keys. Personally, the main signature key pair is 10 years, and then I use encryption subkeys for 2 years each. But this is a personal choice; this may be too long or too short depending on your envisioned use cases.
For the main (signature) key pair, you really have to notify everybody, and in previous years you should have signed the new key with the old one and have an overlapping period (let’s say a year or six months).
I think these days it is more important to offer your pubkey via the web key directory, so it is well accessible. You can also use the new pubkeyserver network, but please refrain from central or validating keyservers.
Hope I could give you some ideas!
Bernhard
PS: Another source of many ideas (and opinions) would be the gnupg-users@ mailing list.
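An added example, not from the thread or from GnuPG itself, that turns Bernhard's advice (expiration on every key, shorter-lived encryption subkeys, an overlap period before rollover) into a check: it reads the machine-readable output of `gpg --list-keys --with-colons`, flags keys that never expire, have expired or are due within a warning window, and reports whether a replacement encryption subkey already overlaps the one running out. The listing, key IDs, dates and the fixed "now" are constructed for the demonstration.

```python
"""Audit `gpg --list-keys --with-colons` output for keys that never expire,
have expired, or are due within a warning window."""
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample listing (key IDs are made up). Colon-format fields, 1-based:
# 1 record type, 5 key ID, 6 creation, 7 expiry in Unix seconds (empty = never
# expires), 12 capabilities. Other record types (uid, fpr, tru) are skipped.
SAMPLE_LISTING = """\
pub:u:255:22:0123456789ABCDEF:1609459200:1925078400::u:::scESC::::::23::0:
uid:u::::1609459200::0000000000000000::Alice Example <alice@example.org>::::::::::0:
sub:u:255:22:AABBCCDD00112233:1609459200::::::s::::::23:
sub:u:255:18:1122334455667788:1672531200:1704067200:::::e::::::23:
sub:e:255:18:99AABBCCDDEEFF00:1609459200:1672531200:::::e::::::23:
"""
SAMPLE_NOW = datetime(2023, 12, 15, tzinfo=timezone.utc)  # fixed "now" for the sample

def parse_listing(text):
    """Return (type, keyid, capabilities, expiry-or-None) per pub/sub record."""
    keys = []
    for f in (line.split(":") for line in text.splitlines()):
        if f[0] in ("pub", "sub"):
            exp = datetime.fromtimestamp(int(f[6]), timezone.utc) if f[6] else None
            keys.append((f[0], f[4], f[11], exp))
    return keys

def audit(keys, now, warn_days=90):
    """Map each key ID to 'no-expiry', 'expired', 'expiring-soon' or 'ok'."""
    horizon = now + timedelta(days=warn_days)
    def state(exp):
        if exp is None:
            return "no-expiry"
        if exp <= now:
            return "expired"
        return "expiring-soon" if exp <= horizon else "ok"
    return {keyid: state(exp) for _, keyid, _, exp in keys}

def encryption_overlap_ok(keys, now, warn_days=90):
    """True if an encryption ('e') subkey stays valid past the warning window,
    i.e. a replacement already overlaps the subkey that is running out."""
    status = audit(keys, now, warn_days)
    return any(t == "sub" and "e" in caps and status[k] == "ok"
               for t, k, caps, _ in keys)

if __name__ == "__main__":  # pipe a real listing in, or run on the sample
    piped = not sys.stdin.isatty()
    keys = parse_listing(sys.stdin.read() if piped else SAMPLE_LISTING)
    now = datetime.now(timezone.utc) if piped else SAMPLE_NOW
    print(audit(keys, now), "encryption overlap ok:", encryption_overlap_ok(keys, now))
```

Run it as `gpg --list-keys --with-colons | python3 audit_keys.py` against a real keyring; a `MISSING` overlap means a fresh encryption subkey should be added before the current one lapses, so correspondents can switch during the overlap period.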