Blog | G5 Cyber Security

GPG User IDs & Email Best Practices

TL;DR

Using multiple GPG user IDs with different email addresses can be useful, but it’s important to do it right. This guide covers how to add and manage them effectively, avoiding common pitfalls like catch-all address issues and key confusion.

1. Understanding User IDs

A GPG user ID binds your public key to an identity, conventionally written as Name (Comment) <email@address>; each ID is self-signed with the key, so anyone holding the public key can check that the key owner asserted it. One key can carry several IDs, which is helpful if you use different email addresses for different purposes (work, personal, mailing lists) but want correspondents to verify a single key.

2. Adding User IDs

Use the gpg --edit-key command to add new user IDs:

gpg --edit-key YOUR_KEY_ID

Within the edit session, type adduid and answer the prompts for real name, email address and (optional) comment; confirm with O for Okay and finish with save, which writes the new self-signature to your keyring. Repeat adduid for each additional user ID before you save. On GnuPG 2.1 and later the same can be done without the interactive session with gpg --quick-add-uid YOUR_KEY_ID "Name <email>". Either way, correspondents only learn about the new ID once you republish the public key (keyserver, WKD, or a fresh export).

3. Listing User IDs

To see all the user IDs associated with your key, use:

gpg --list-keys YOUR_KEY_ID

Each line starting with uid is one identity; gpg prints the primary user ID first and marks revoked ones with [ revoked]. For scripting, add --with-colons, which places the user ID in the tenth colon-separated field of every uid record and its validity (r for revoked) in the second.

4. The Problem with Catch-All Addresses

Using a catch-all email address (e.g., anything@yourdomain.com) as a GPG user ID is generally a bad idea. Mail clients, keyservers and WKD look keys up by the exact address a message is sent to, so a placeholder address never matches the address your correspondents actually use. An address that is not a real mailbox also cannot pass the confirmation mail that verifying keyservers such as keys.openpgp.org require before they publish an ID. And the ID asserts an identity that anyone reading the domain's catch-all mailbox could claim, so it tells a correspondent nothing about who holds the key. If several addresses at the domain should map to the key, add each one as its own user ID instead.

5. Best Practices for Email Addresses

  1. Use Specific Addresses: Each user ID should have a unique, dedicated email address.
  2. Avoid Catch-Alls: Don’t use anything@yourdomain.com or similar.
  3. Consider Subdomains: If you need many IDs within the same domain, use subdomains (e.g., work@work.yourdomain.com, personal@personal.yourdomain.com).
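Sections 3 to 5 amount to a checklist: read every uid line, make sure each address is a dedicated mailbox, and make sure no address is bound to more than one key. The script below, added here as an illustration and not part of the original post or of GnuPG, runs that checklist mechanically over the colon-delimited listing that gpg --with-colons --list-keys produces. The embedded listing is constructed for the demo (fingerprints and UID hashes are made up), and the word list used to spot catch-all local-parts is a heuristic chosen for this example.

```sh
#!/bin/sh
# Added example, not from the original post: audit every user ID in a keyring
# from the machine-readable listing that `gpg --list-keys --with-colons` prints
# (record layout per GnuPG's doc/DETAILS: field 1 = record type, field 2 =
# validity, field 10 = user ID on uid records or the fingerprint on fpr records).
# It flags catch-all or wildcard addresses and any address bound to more than
# one key, the two sources of "key confusion" the post warns about.

# Reads a colon-format listing on stdin and prints one finding per line.
audit_uids() {
    awk -F: '
        BEGIN {
            # Local-parts that usually mean "catch-all mailbox" (heuristic list
            # chosen for this example; extend it for your own domains).
            n = split("* anything any all catchall catch-all everything", w, " ")
            for (i = 1; i <= n; i++) catchall[w[i]] = 1
        }
        $1 == "pub" { inprimary = 1; fpr = ""; next }      # a new key starts here
        $1 == "sub" { inprimary = 0; next }                # subkeys carry their own fpr lines
        $1 == "fpr" && inprimary && fpr == "" { fpr = $10; next }
        $1 == "uid" {
            uid = $10
            gsub(/\\x3a/, ":", uid)                         # gpg escapes ":" inside user IDs
            if ($2 == "r") next                             # a revoked ID no longer binds the address
            if (!match(uid, /<[^<>@ ]+@[^<>@ ]+>$/)) {
                printf "%s: uid \"%s\" has no <local@domain> address\n", fpr, uid
                next
            }
            email = tolower(substr(uid, RSTART + 1, RLENGTH - 2))
            split(email, part, "@")
            if ((part[1] in catchall) || part[1] ~ /[*%?]/)
                printf "%s: %s looks like a catch-all address; use a dedicated mailbox\n", fpr, email
            if (!((email, fpr) in seen)) {                  # count each key once per address
                seen[email, fpr] = 1
                count[email]++
                owners[email] = (email in owners) ? owners[email] ", " fpr : fpr
            }
        }
        END {
            for (e in count)
                if (count[e] > 1)
                    printf "%s appears on %d keys (%s); correspondents cannot tell which to use\n", e, count[e], owners[e]
        }
    '
}

# Constructed listing for two keys (fingerprints and UID hashes are made up),
# in the shape gpg --with-colons emits: one revoked ID, one catch-all ID, and
# one address that appears on both keys.
sample_listing() {
    cat <<'EOF'
tru::1:1700000000:0:3:1:5
pub:u:255:22:0123456789ABCDEF:1700000000:::u:::scESC::::::23::0:
fpr:::::::::AAAA0123456789ABCDEF0123456789ABCDEF0123:
uid:u::::1700000000::0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B1C2D3::Alice Example <alice@example.com>::::::::::0:
uid:u::::1700000000::1A1B2C3D4E5F60718293A4B5C6D7E8F9A0B1C2D4::Alice Example <anything@example.com>::::::::::0:
uid:r::::1700000000::2A1B2C3D4E5F60718293A4B5C6D7E8F9A0B1C2D5::Alice Example <alice@old.example.com>::::::::::0:
sub:u:255:18:FEDCBA9876543210:1700000000::::::e::::::23:
fpr:::::::::BBBB0123456789ABCDEF0123456789ABCDEF0123:
pub:u:3072:1:1122334455667788:1700000000:::u:::scESC::::::23::0:
fpr:::::::::CCCC0123456789ABCDEF0123456789ABCDEF0123:
uid:u::::1700000000::3A1B2C3D4E5F60718293A4B5C6D7E8F9A0B1C2D6::Alice Example <alice@example.com>::::::::::0:
uid:u::::1700000000::4A1B2C3D4E5F60718293A4B5C6D7E8F9A0B1C2D7::Alice Example (work) <alice@work.example.com>::::::::::0:
EOF
}

# Offline demo on the constructed sample. On a real system run:
#   gpg --with-colons --list-keys | audit_uids
sample_listing | audit_uids
```

On the sample this reports two findings: anything@example.com on the first key is flagged as a catch-all, and alice@example.com is reported as bound to both keys. The revoked alice@old.example.com is skipped, because a revoked ID no longer claims the address, and the work address with a comment in the user ID is parsed normally.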

6. Signing with Specific Identities

When signing, tell gpg which key to use with -u (--local-user); the argument may be a key ID, a fingerprint, or a user ID string, so an email address that exists on only one key is enough to select it:

gpg -u "Your Name <specific@email.com>" --sign myfile.txt

Note that -u chooses the key, not the identity: the signature is made by the key, and every user ID on that key remains valid for it. If you want the signature itself to record which identity signed, GnuPG 2.1.15 and later accept --sender specific@email.com, which embeds the matching user ID in the signature. For encryption, -r (--recipient) selects the recipient's key the same way. If you give no -u, gpg uses the key named by default-key in gpg.conf or, failing that, the first secret key in your keyring.

7. Setting a Default User ID

GPG has no per-message default identity; the two settings that matter are the key's primary user ID and your default signing key. To make one ID the primary (the one listed first and displayed by most tools), run gpg --edit-key YOUR_KEY_ID, select it with uid N (N is its number in the list the session prints), type primary, then save; GnuPG 2.1.20 and later also offer gpg --quick-set-primary-uid YOUR_KEY_ID "Name <email>", which must match the existing ID exactly. To change which key is used when you pass no -u, put default-key YOUR_KEY_ID in ~/.gnupg/gpg.conf.

8. Revoking a User ID

If you need to revoke a specific user ID (without revoking the entire key): open gpg --edit-key YOUR_KEY_ID, select it with uid N, type revuid, confirm, and save; on GnuPG 2.2 and later, gpg --quick-revoke-uid YOUR_KEY_ID "Name <email>" does the same non-interactively. Revocation adds a revocation self-signature rather than deleting the ID, so an ID that has been published cannot be removed, only marked revoked, and correspondents only see the change once you republish the key. gpg refuses to revoke the last valid user ID on a key; revoke the whole key instead if none of its identities should be used.
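The procedures in sections 2, 6, 7 and 8 are easiest to understand end to end. The script below, added here as a worked example and not taken from the original post or from GnuPG, runs the full lifecycle non-interactively in a throwaway keyring: create a key for one identity, add two more, make one primary, revoke one, list what remains, and sign a file so that the signature records which identity signed. It assumes GnuPG 2.2 or later (for the --quick-* commands and --sender) and uses constructed identities at example.com; the temporary GNUPGHOME means nothing touches ~/.gnupg.

```sh
#!/bin/sh
# Added example, not from the original post: the whole multi-UID lifecycle
# (add, list, set primary, sign as one identity, revoke) run without prompts
# in a throwaway keyring. Assumes GnuPG >= 2.2; the example.com identities
# are constructed for the demo.

# Wrapper that keeps every gpg call prompt-free: empty passphrase over a
# loopback pinentry, no confirmations.
g() { gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Work in a fresh GNUPGHOME so the demo never touches the real keyring.
new_keyring() {
    GNUPGHOME="$(mktemp -d)"
    chmod 700 "$GNUPGHOME"
    export GNUPGHOME
}

# Generate a signing-only Ed25519 key for the first identity ($1) and print
# its fingerprint (field 10 of the fpr record in --with-colons output).
create_key() {
    g --quick-gen-key "$1" ed25519 sign never
    gpg --with-colons --list-keys "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Add another user ID ($2) to the key with fingerprint $1.
add_uid() { g --quick-add-uid "$1" "$2"; }

# Make $2 the primary user ID of key $1; it must match an existing ID exactly.
set_primary() { g --quick-set-primary-uid "$1" "$2"; }

# Revoke one user ID ($2) on key $1; the key and its other IDs stay valid.
revoke_uid() { g --quick-revoke-uid "$1" "$2"; }

# Print the non-revoked user IDs of key $1, one per line, in gpg's order
# (gpg lists the primary UID first; validity "r" in field 2 marks a revoked one).
list_uids() {
    gpg --with-colons --list-keys "$1" | awk -F: '$1 == "uid" && $2 != "r" { print $10 }'
}

count_uids() { list_uids "$1" | grep -c .; }

# Detach-sign file $3 with key $1. -u selects the key; --sender embeds a
# "Signer's User ID" subpacket naming identity $2. Prints how many such
# subpackets the resulting signature carries (expected: 1).
sign_as() {
    g -u "$1" --sender "$2" --detach-sign --output "$3.sig" "$3"
    gpg --list-packets "$3.sig" 2>&1 | grep -c "signer's user ID"
}

demo() {
    new_keyring
    fpr="$(create_key 'Alice Example <alice@example.com>')"
    add_uid "$fpr" 'Alice Example <alice@work.example.com>'
    add_uid "$fpr" 'Alice Example <alice@lists.example.com>'
    set_primary "$fpr" 'Alice Example <alice@work.example.com>'
    revoke_uid "$fpr" 'Alice Example <alice@lists.example.com>'
    echo "Active user IDs on $fpr (primary first):"
    list_uids "$fpr"
    printf 'release notes\n' > "$GNUPGHOME/notes.txt"
    echo "Signer's user ID subpackets in signature: $(sign_as "$fpr" alice@work.example.com "$GNUPGHOME/notes.txt")"
    gpgconf --kill gpg-agent || true   # stop the agent spawned for the temp keyring
}

if command -v gpg >/dev/null 2>&1; then
    demo
fi
```

After the run, the listing shows the work address first (it was made primary) and the lists address is gone because list_uids filters revoked IDs; gpg --list-keys without the filter still shows it as [ revoked]. The --list-packets count confirms that --sender put the chosen identity into the signature, which is the only way a verifier can tell which of the key's IDs the signer meant.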
