Tags: maven, pgp, gnupg

Using the same PGP key on multiple servers?


I guess this question falls under “best practices” for PGP keys. First a very quick background. I lead an open source project, and have been getting numerous requests to publish to the “Apache Maven” repository. To do this, I need to sign each release with a PGP key.

So I used PGP and generated a public/private key on my local computer. I exported and encrypted the “secret key” and transferred it to my “build server”. The build server refuses to import the key, saying it is invalid. Further analysis led me to believe that because our build server runs under a different user id than I used on my local computer, they are incompatible.

I would have thought that, since the PGP key pair is tied to my name, I as a person should only own ONE PGP key? But is this really the case? Should I be generating one per machine, and just use the import/export to back them up? I can do this just fine; it's when I try to replicate a PGP secret key over several machines that it just seems really difficult, and as though I am maybe using PGP in the wrong way. Namely, I am thinking I create one key for myself and copy it to the build server, maybe also use it to encrypt email from myself (should I need to do it), etc.


Solution

  • It is not unusual to have more than one PGP key, especially if you fulfill different roles.

    An example

    At key signing parties, it often happens that participants present several PGP keys. One for private communication, one for signing releases at one project, another one for signing at a different project, etc.
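The export/import round trip the question describes, and the answer's point about a dedicated key per role, as an added example that is not part of the original question or answer. It generates a key under a separate release-signing identity (not a personal key) in one throwaway GNUPGHOME that stands in for the developer's machine, exports the secret key ASCII-armored, imports it into a second throwaway GNUPGHOME that stands in for the build server, signs an artifact there the way a Maven repository upload expects (detached, armored `.asc` beside the file), and verifies that the signature is accepted for the original artifact and rejected once the artifact is modified. The user id, passphrase and artifact contents are constructed for the example; it assumes GnuPG 2.x (`gpg`, `gpgconf`) is on PATH and never touches your real keyring.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Two throwaway keyrings: DEV_HOME plays the developer's ~/.gnupg, BUILD_HOME
# plays the build server. The OS user running gpg does not matter; only the
# GNUPGHOME directory and the key's passphrase do.
set -eu

DEV_HOME=$(mktemp -d)
BUILD_HOME=$(mktemp -d)
chmod 700 "$DEV_HOME" "$BUILD_HOME"
PASSPHRASE='example-release-passphrase'   # constructed for the example

cleanup() {
  GNUPGHOME="$DEV_HOME" gpgconf --kill gpg-agent 2>/dev/null || true
  GNUPGHOME="$BUILD_HOME" gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$DEV_HOME" "$BUILD_HOME"
}
trap cleanup EXIT

# gpg wrapper: unattended, passphrase supplied on the command line instead of
# through a pinentry dialog. Fine for a demo; on a real build server feed the
# passphrase from a secret store, not from argv.
g() {
  home=$1; shift
  GNUPGHOME="$home" gpg --batch --yes --quiet --pinentry-mode loopback \
      --passphrase "$PASSPHRASE" "$@"
}

# Generate a dedicated release-signing key in the developer keyring and print
# its primary fingerprint (first "fpr" record of --with-colons output).
make_release_key() {
  g "$DEV_HOME" --quick-generate-key \
      'Example Project Releases <releases@example.invalid>' rsa3072 default 1y
  GNUPGHOME="$DEV_HOME" gpg --batch --with-colons --list-secret-keys \
      | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Export the secret key, ASCII armored, so it can be copied to another machine.
export_secret_key() {   # $1 = fingerprint, $2 = output file
  g "$DEV_HOME" --armor --export-secret-keys "$1" > "$2"
}

# Import it into the build server keyring (idempotent: importing twice does
# not create a second key).
import_on_build_server() {   # $1 = armored secret key file
  g "$BUILD_HOME" --import "$1"
}

# Detached, armored signature: artifact.jar -> artifact.jar.asc.
sign_artifact() {   # $1 = fingerprint, $2 = artifact path
  g "$BUILD_HOME" --local-user "$1" --armor --detach-sign --output "$2.asc" "$2"
}

# Exit status 0 if "$1.asc" is a valid signature over "$1", non-zero otherwise.
verify_artifact() {   # $1 = artifact path
  GNUPGHOME="$BUILD_HOME" gpg --batch --quiet --verify "$1.asc" "$1" 2>/dev/null
}

# Number of secret keys in a keyring, for a sanity check after import.
secret_key_count() {   # $1 = GNUPGHOME
  GNUPGHOME="$1" gpg --batch --with-colons --list-secret-keys | grep -c '^sec:'
}

FPR=$(make_release_key)
export_secret_key "$FPR" "$DEV_HOME/release-key.asc"
import_on_build_server "$DEV_HOME/release-key.asc"

ARTIFACT="$BUILD_HOME/artifact-1.0.jar"
printf 'constructed stand-in for artifact-1.0.jar\n' > "$ARTIFACT"
sign_artifact "$FPR" "$ARTIFACT"

if verify_artifact "$ARTIFACT"; then VERIFY_OK=1; else VERIFY_OK=0; fi

# A modified artifact must not verify against the signature made earlier.
printf 'tampered\n' >> "$ARTIFACT"
if verify_artifact "$ARTIFACT"; then TAMPER_REJECTED=0; else TAMPER_REJECTED=1; fi

echo "key $FPR: original verifies=$VERIFY_OK, tampered rejected=$TAMPER_REJECTED"
```

Two things the example keeps simple that you would tighten on a real build server: keep the passphrase out of the command line (gpg accepts it on a file descriptor, and the Maven GPG plugin can read it from settings), and consider exporting only a signing subkey with `gpg --export-secret-subkeys` so the primary key, and the ability to certify other keys with your identity, never leaves your own machine.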