Adding Secondary Email Addresses to GPG Keys

Note: In general, it is a good idea to limit a given GPG key's functional scope. That is:
  • If working on wholly separate projects, it is a good idea to have at least one GPG key per project or project-set.
  • If using multiple privilege-sets within the same project or project-set, create a GPG key per privilege-set.

That said, there may be times when a GPG user wishes to associate multiple email addresses with a given key. This document walks through how to do so. The following assumes that the user has already generated a base GPG key:

  1. Identify the key to be modified using `gpg --list-secret-keys --keyid-format LONG`. This will result in output similar to the following:
    /home/myuser/.gnupg/secring.gpg
    ------------------------------------
    sec   4096R/3AA5C34371567BD2 2016-03-10 [expires: 2017-03-10]
    uid                          Annabelle Noreen O'Nymous (Signing-key for git tasks) <gituser@dicelab.net>
    ssb   4096R/42B317FD4BA89E7A 2016-03-10
    

    If the user has already generated more than one key, the output will look more like:
    /home/myuser/.gnupg/secring.gpg
    ------------------------------------
    sec   4096R/3AA5C34371567BD2 2018-03-10
    uid                          Annabelle Noreen O'Nymous (Signing-key for git tasks) <gituser@dicelab.net>
    ssb   4096R/42B317FD4BA89E7A 2018-03-10
    
    [...elided...]
    
    sec   4096R/98C2012C0D3BAB76 2018-07-22
    uid                          Annabelle Noreen O'Nymous (Signing-key for personal emails) <anonymous@gmail.com>
    ssb   4096R/2B3315E24E2E35F2 2018-07-22
    
    
  2. Take note of the key-identifier: this is the hex-string following the `4096R/` on the `sec` line. In this case, one key was labeled as being generated for use in signing git commits. Thus, the key-identifier to note is "3AA5C34371567BD2".
  3. Use the GPG key-editing command-option, `--edit-key`, with the previously-noted key ID (i.e., `gpg --edit-key 3AA5C34371567BD2`).
  4. This will open an interactive session within the gpg utility. All operations within this session will be performed against the selected key. This interactive session will be identified by the command-prompt changing to "gpg>".
  5. At the "gpg>" prompt, type `adduid`.
  6. Follow the prompts, adding the new email address and identifying comment. Type an "O" to save the new information.
  7. Type a "q" to exit the GPG key-editor session.
  8. Verify the addition of the secondary email address by running `gpg --list-secret-keys --keyid-format LONG` again. Output should now look like:
    /home/myuser/.gnupg/secring.gpg
    ------------------------------------
    sec   4096R/3AA5C34371567BD2 2018-03-10
    uid                          Annabelle Noreen O'Nymous (Signing-key for git tasks) <gituser@dicelab.net>
    uid                          Annabelle Noreen O'Nymous (Signing-key for artifactory tasks) <artifactoryuser@dicelab.net>
    ssb   4096R/42B317FD4BA89E7A 2018-03-10
    
    [...elided...]
    
    sec   4096R/98C2012C0D3BAB76 2018-07-22
    uid                          Annabelle Noreen O'Nymous (Signing-key for personal emails) <anonymous@gmail.com>
    ssb   4096R/2B3315E24E2E35F2 2018-07-22
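
The check in step 8 can be scripted so that the new address is confirmed on the intended key and not on any other. The following is an added example, not part of the original page: it assumes GnuPG's machine-readable `--with-colons` listing, and the sample listing (timestamps, validity fields and the revoked `retired@example.org` UID) is constructed around the key IDs and addresses used above.

```shell
#!/bin/sh
# Added example: report which email addresses are attached to which secret key,
# parsed from the --with-colons listing format instead of the human-readable one.

# Constructed sample mirroring the two keys in the walkthrough. On a real
# system, feed the functions below from: gpg --list-secret-keys --with-colons
sample_listing() {
cat <<'EOF'
sec:u:4096:1:3AA5C34371567BD2:1520640000:::u:::scESC:
uid:u::::1520640000::::Annabelle Noreen O'Nymous (Signing-key for git tasks) <gituser@dicelab.net>:
uid:u::::1532217600::::Annabelle Noreen O'Nymous (Signing-key for artifactory tasks) <artifactoryuser@dicelab.net>:
ssb:u:4096:1:42B317FD4BA89E7A:1520640000::::::e:
sec:u:4096:1:98C2012C0D3BAB76:1532217600:::u:::scESC:
uid:u::::1532217600::::Annabelle Noreen O'Nymous (Signing-key for personal emails) <anonymous@gmail.com>:
uid:r::::1532217600::::Annabelle Noreen O'Nymous (constructed revoked UID) <retired@example.org>:
ssb:u:4096:1:2B3315E24E2E35F2:1532217600::::::e:
EOF
}

# Print one "KEYID email" line per non-revoked user ID.
# Field 1 = record type, 2 = validity ("r" = revoked), 5 = long key ID,
# 10 = user ID. Older gpg releases put the primary UID on the sec record
# itself, so both record types are checked.
emails_by_key() {
  awk -F: '
    $1 == "sec" { key = $5 }
    ($1 == "sec" || $1 == "uid") && $2 != "r" && $10 != "" {
      if (match($10, /<[^>]+>/))
        print key, substr($10, RSTART + 1, RLENGTH - 2)
    }'
}

# Succeed only if EMAIL is attached to KEYID in the listing read on stdin.
# usage: key_has_email KEYID EMAIL < listing
key_has_email() {
  emails_by_key | grep -qxF "$1 $2"
}

sample_listing | emails_by_key
```

Because `key_has_email` matches the whole `KEYID email` line, an address that was accidentally added to the wrong key is reported as missing from the intended one.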