Tuesday, November 10, 2009

Personal and Professional Identities on One Key

OpenPGP provides the ability to associate a key with multiple email addresses. This is handy if, at work, you are both john.doe@example.com and jd@example.com; adding both identities to your OpenPGP key is best because you cannot control which address outsiders use for you. But you might also have a personal email account at Gmail or Hotmail. Should you add this identity to the same key as your work addresses?

If the key is only used to provide digital signatures, the only question is whether you want the email address to actually be associated with you. If your personal email address is john.doe@gmail.com or something similarly innocuous, you will be fine.

But encryption keys are another matter. If a recipient has multiple encryption subkeys on their OpenPGP key, they cannot specify a preferred subkey for any purpose. The sender is free to choose. So one subkey cannot be designated as professional and another as personal. As a result, an employer may well suggest that an encryption subkey stays with the business, since a subkey will always decrypt the corresponding ciphertext, even if revoked.
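An added example, not from the original post, that makes the point above concrete by auditing a GnuPG machine-readable key listing (the `gpg --with-colons --list-keys` format): user IDs and encryption subkeys both hang off the primary key but carry no link to each other, so nothing marks a subkey as "work" or "personal". The listing is constructed; its key IDs and UID hashes are placeholders, and the personal-domain list is an assumption of the example.

```python
# Added example (not from the post). Colon-format fields (1-based):
# 1 record type, 2 validity ("r" = revoked), 5 key ID, 10 user ID,
# 12 capabilities ("e" = encryption). Sample listing below is constructed;
# key IDs and UID hashes are placeholders, not real keys.
SAMPLE_LISTING = """\
pub:u:2048:1:0123456789ABCDEF:1257868800:::u:::scESC:
uid:u::::1257868800::0000000000000000000000000000000000000001::John Doe <john.doe@example.com>:
uid:u::::1257868800::0000000000000000000000000000000000000002::John Doe <jd@example.com>:
uid:u::::1257868800::0000000000000000000000000000000000000003::John Doe <john.doe@gmail.com>:
sub:r:2048:1:FEDCBA9876543210:1257868800::::::e:
sub:u:2048:1:1122334455667788:1257955200::::::e:
"""

def parse_listing(listing):
    """Group records under their primary key. A sub record carries no
    user ID field: its only association is to the enclosing pub."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keys.append({"keyid": f[4], "uids": [], "subkeys": []})
        elif f[0] == "uid" and keys:
            keys[-1]["uids"].append(f[9])
        elif f[0] == "sub" and keys:
            keys[-1]["subkeys"].append({"keyid": f[4],
                                        "revoked": f[1] == "r",
                                        "can_encrypt": "e" in f[11]})
    return keys

def encryption_subkeys(key):
    """Every encryption-capable subkey, revoked ones included: a revoked
    subkey still decrypts ciphertext made while it was valid."""
    return [s for s in key["subkeys"] if s["can_encrypt"]]

def mixed_identity_report(key, personal_domains=("gmail.com", "hotmail.com")):
    """Flag a key that mixes personal and work addresses while carrying
    encryption subkeys a sender may pick for any of those addresses.
    personal_domains is an assumed list for this example."""
    personal = [u for u in key["uids"]
                if u.rsplit("@", 1)[-1].rstrip(">") in personal_domains]
    enc = encryption_subkeys(key)
    return {"personal_uids": personal,
            "work_uids": [u for u in key["uids"] if u not in personal],
            "encryption_subkeys": [s["keyid"] for s in enc],
            "revoked_but_still_decrypting": [s["keyid"] for s in enc if s["revoked"]]}

if __name__ == "__main__":
    for key in parse_listing(SAMPLE_LISTING):
        print(key["keyid"], mixed_identity_report(key))
```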

There are a few considerations that suggest it may not be worthwhile, however. Encryption tools are not electronic methods for solving social problems. If an employee wants to steal data from the business, forcing them to use separate keys will not prevent them from doing so, especially since they may steal the deciphered plaintext or even the encryption keys. And employers may need to securely contact employees in a personal capacity, for instance during a continuity of operations event, and establishing a consistent set of trusted keys for personnel can smooth communications.