Blog | G5 Cyber Security

Email Address & Key: Can It Trace Back to You?

TL;DR

Whether an email address linked to a cryptographic key can trace back to you depends on how the key and email were created, where they’re stored, and what other information is available. It’s possible, but not guaranteed. This guide explains the risks and steps you can take.

Understanding the Risks

A cryptographic key (like for PGP or SSH) isn’t directly tied to your identity. However, it often gets linked to an email address. Here’s how:

Steps to Check if Your Key Is Linked

  1. Key Server Search: Use a key server search tool (like Ubuntu’s keyserver or MIT PGP Key Server) to see if your public key is listed and what email addresses are associated with it.
    gpg --search-keys <your_email_address>
  2. Check Public Records: Search for your email address on websites that collect publicly available PGP keys (e.g., Keyoxide).
  3. Review Service Registrations: Check any services where you’ve registered the key to see what information they have stored.
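
As an added example (not part of the original post), the following shell snippet parses the machine-readable output of gpg --with-colons --list-keys and lists every e-mail address bound to each key fingerprint, which is exactly what a key server or anyone holding your public key learns about you. The key material in SAMPLE_KEYS is constructed, and the function names linked_emails and key_mentions_email are chosen here.

```shell
#!/bin/sh
# Added example: enumerate the e-mail addresses carried in the user IDs of
# OpenPGP keys, from gpg colon-format output (gpg --with-colons --list-keys).

# Constructed sample of gpg colon-format output (not from a real key).
# Record layout per gpg's DETAILS file: field 1 is the record type,
# field 10 of an "fpr" record is the fingerprint, field 10 of a "uid"
# record is the user ID string.
SAMPLE_KEYS='tru::1:1700000000:0:3:1:5
pub:u:255:22:0123456789ABCDEF:1700000000:::u:::scESC::::::23::0:
fpr:::::::::ABCDEF0123456789ABCDEF0123456789ABCDEF01:
uid:u::::1700000000::0000000000000000000000000000000000000000::Example User <user@example.com>::::::::::0:
uid:u::::1700000000::1111111111111111111111111111111111111111::Example User <work@example.org>::::::::::0:
sub:u:255:18:FEDCBA9876543210:1700000000::::::e::::::23:'

# Read colon-format output on stdin; print "<fingerprint> <email>" for every
# user ID that contains an address in angle brackets.
linked_emails() {
    awk -F: '
        $1 == "fpr" { fpr = $10 }
        $1 == "uid" && match($10, /<[^>]*>/) {
            print fpr, substr($10, RSTART + 1, RLENGTH - 2)
        }'
}

# Exit 0 if the given address is bound to any key in the input, else 1.
key_mentions_email() {
    linked_emails | awk -v want="$1" '$2 == want { found = 1 } END { exit !found }'
}

# Against a live keyring you would run:
#   gpg --with-colons --list-keys | linked_emails
# Here the constructed sample is used instead.
printf '%s\n' "$SAMPLE_KEYS" | linked_emails
```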

Steps to Reduce Risk

  1. Use a Dedicated Email Address: Create an email address specifically for cryptographic keys, separate from your personal or main accounts. This limits the impact if that key is compromised.
  2. Don’t Publish Your Key: If you don’t need others to find your key easily, avoid publishing it to public key servers.
  3. Remove From Key Servers (If Possible): Some key servers let you remove your key or the identity information attached to it (keys.openpgp.org does this through its management page, after confirming the address by e-mail). SKS-style servers such as keyserver.ubuntu.com do not let users delete keys; on those, the best you can do is import your revocation certificate (see step 6) and upload the revoked key so the server at least shows it as invalid. Note that --send-key on its own publishes a key; it does not remove it.
    gpg --import revoke.asc
    gpg --keyserver keyserver.ubuntu.com --send-key <your_key_id>
  4. Avoid Email Signatures: If you’re concerned about traceability, don’t use email signatures linked to your key.
  5. Use Strong Passwords and 2FA: Protect the email account associated with your key with a strong password and two-factor authentication (2FA).
  6. Consider Key Revocation: Create a revocation certificate for your key. This allows you to invalidate it if it’s compromised.
    gpg --output revoke.asc --gen-revoke <your_key_id>
  7. Be Careful with Account Recovery: Avoid using the dedicated email address for account recovery on other platforms, as this creates links between services.

What if Your Key *Is* Linked?

If your key is linked to an email address, it doesn’t automatically mean you’ll be identified. It just means there’s a potential connection. The risk depends on how much other information is publicly available about you and that email address.
