Endpoint Encryption

  • 1.  Setting Up Keys for Multiple Companies

    Posted Feb 10, 2016 09:40 AM

    Hello Everybody  :)

    Currently we have a company that sends us a PGP encrypted file using my public key against my email address. We will be in the very near future receiving other PGP encrypted files. Should I send the same key to the other companies or should I generate a new key for each company? If I generate a key for each company, what email address should I use?

    I probably answered my own question but I wanted to know what others think.

    Thanks in advance

    Darren



  • 2.  RE: Setting Up Keys for Multiple Companies

    Broadcom Employee
    Posted Feb 17, 2016 07:22 AM

    If you are receiving encrypted emails from external companies, they need to encrypt them to your public key. So, you need to provide your public key to external companies. If you need to reply to them with encrypted emails, you need to get their public keys.



  • 3.  RE: Setting Up Keys for Multiple Companies

    Posted Feb 17, 2016 08:08 AM

    Thank you for your reply w-d,

    I'm not encrypting emails; I'm receiving PGP encrypted files. I un-encrypt using a key I provided to the vendor.

    We will soon be having other vendors sending us PGP encrypted files.

    My question is/was: is it OK to send my current public key to the other vendors, or should I create new keys using a different email address for each vendor?



  • 4.  RE: Setting Up Keys for Multiple Companies

    Broadcom Employee
    Posted Feb 25, 2016 09:56 AM

    Hi, sorry I missed your answer. As I wrote earlier, vendors will need to encrypt emails to your public key so you can decrypt with your private key. You can send your public key to all of them; you don't have to create separate keys.



  • 5.  RE: Setting Up Keys for Multiple Companies

    Posted Feb 25, 2016 10:50 AM

    w-d,

    OK let me explain...

    We are not sending/receiving PGP encrypted emails.

    Our current vendor is encrypting a CSV file to PGP using my public key. I then receive this by means of SFTP. I then decrypt using my private key.

    There will be new vendors that will be doing the same but I don't want to provide the same public key. So my question still stands:

    Should I generate a new key for each company? If I generate a key for each company, what email address should I use?

     



  • 6.  RE: Setting Up Keys for Multiple Companies

    Posted Feb 26, 2016 01:00 PM

    Darren,

    There shouldn't be any need to create separate keys to be used by vendors to encrypt files to you.  I have seen customers that do so if they want to have a name that sounds specific to the third parties or separate keys by department if only certain groups are supposed to have access to the key, but public keys are just that.  Public.  Any number of third parties should be able to use your same public key to encrypt to you unless you have a specific business need to use different keys.  If the recipient of the encrypted files stays the same, the same key should be used to keep it simple.

    An example of using different keys:
    Company A works with your HR department.  Users in HR have shared access to a server where Symantec Encryption Desktop is installed.  They can each log in to the server to decrypt incoming files.  Company A also works with your IT department, and the setup is similar.  I would recommend having an IT key and an HR key.  If you then have Company B start working with HR for a similar purpose, you could use the existing HR key, and would not necessarily need a different key.  Company C starts working with your IT department, but has a security policy that they can only encrypt to a key that will not be used by any other company for encryption (it seems silly if you think about it, since all of the incoming encrypted files can still only be decrypted by the private key holder, which would be the same in this case regardless of what keypair is used for encryption, but I have seen this type of policy out there).  Since they have a policy in place requiring that, you could generate a new key.

     

    If you want to have a different key for each company, be sure to keep track of all the passphrases, and you could use the same email address for each if you choose to.
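
Added example, not part of the original thread or any poster's reply: when more than one key is in use (for instance the HR and IT keys described in post 6), the recipient key ID can be read from an incoming binary OpenPGP file before decryption to confirm the vendor encrypted to the key assigned to it. The key IDs, labels and sample bytes are constructed, and `recipient_key_ids` and `check_file` are hypothetical helper names; ASCII-armored input is assumed to be dearmored first.

```python
# Added example: KEYRING IDs/labels and the sample bytes are constructed.
KEYRING = {"1122334455667788": "HR key", "AABBCCDDEEFF0011": "IT key"}

def recipient_key_ids(data):
    """Key IDs named in the leading PKESK (tag 1) packets of a binary OpenPGP message."""
    ids, pos = [], 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError("not a binary OpenPGP packet (ASCII-armored input?)")
        new_fmt = bool(hdr & 0x40)
        tag = hdr & 0x3F if new_fmt else (hdr >> 2) & 0x0F
        if tag not in (1, 3):           # encrypted data packet reached: stop
            break
        pos += 1
        if new_fmt:
            first = data[pos]
            if first < 192:
                length, pos = first, pos + 1
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 1] + 192, pos + 2
            elif first == 255:
                length, pos = int.from_bytes(data[pos + 1:pos + 5], "big"), pos + 5
            else:
                raise ValueError("partial body length is not valid here")
        else:
            if hdr & 0x03 == 3:
                raise ValueError("indeterminate length is not valid here")
            size = 1 << (hdr & 0x03)    # 1, 2 or 4 length octets
            length, pos = int.from_bytes(data[pos:pos + size], "big"), pos + size
        body = data[pos:pos + length]
        if tag == 1:
            if len(body) < 10 or body[0] != 3:
                raise ValueError("unsupported or truncated PKESK packet")
            ids.append(body[1:9].hex().upper())  # version 3: octets 1-8 are the key ID
        pos += length
    return ids

def check_file(data, expected_label, keyring=KEYRING):
    """(ok, labels): ok only if every recipient key is the expected one."""
    labels = [keyring.get(k, "unknown key " + k) for k in recipient_key_ids(data)]
    return bool(labels) and all(l == expected_label for l in labels), labels

def _pkesk(key_id_hex, old_format=False):
    """Build a constructed version-3 PKESK packet with a dummy 8-bit MPI."""
    body = b"\x03" + bytes.fromhex(key_id_hex) + b"\x01\x00\x08\xff"
    return (b"\x84" if old_format else b"\xc1") + bytes([len(body)]) + body

SAMPLE_HR = _pkesk("1122334455667788") + b"\xd2\x02\x01\x00"
SAMPLE_BOTH = _pkesk("1122334455667788", True) + _pkesk("AABBCCDDEEFF0011") + SAMPLE_HR[-4:]
```

A file that names a key other than the one issued to that vendor, or an unknown key ID, can be rejected at the SFTP drop before anyone enters a passphrase.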