GPG Tools: location of private keys

By default, the GnuPG keyrings are stored in the (hidden) folder ~/.gnupg; in other words, the .gnupg folder in your home directory. You can simply copy the whole folder to the new machine. If GnuPG doesn't work properly afterwards or shows some error message indicating broken permissions, make sure to take ownership afterwards (even if your user name is the same, the internal IDs could be different) by running the following command in the Terminal application (it will query for your user password):

sudo chown -R $USER:staff ~/.gnupg

Alternatively, you can export your secret keys using the

gpg --export-secret-keys [key-id] >secret-keys.gpg

command. As you want to recover the keys from your old disk, connect it to your computer. To work on the old disk's GnuPG keyring, use the --homedir option, which will result in something like

gpg --homedir /Volumes/[old-disks-name]/Users/[username]/.gnupg --list-secret-keys

to list the secret keys available, and

gpg --homedir /Volumes/[old-disks-name]/Users/[username]/.gnupg --export-secret-keys [key-id] > secret-keys.gpg

to export them. You can also directly import them into your new GnuPG keyring instead of storing them in an intermediate file (observe the missing --homedir parameter in the GnuPG call after the pipe):

gpg --homedir /Volumes/[old-disks-name]/Users/[username]/.gnupg --export-secret-keys [key-id] | gpg --import

Update for 2019 / macOS Catalina:

Time Machine backups can be mounted, but they can't be modified in place, which means that a chown will fail and that you can't use the --homedir option with gpg without getting a stream of this:

gpg: failed to create temporary file '/Volumes/<Backup Drive>/Backups.backupdb/<Compute Name>/Latest/Macintosh HD/Users/<name>/.gnupg/': Permission denied
gpg: can't connect to the agent: Permission denied

The chown will fail with a stream of messages like this:

$ sudo chown -R user:staff .gnupg

chown: .gnupg/tofu.db: Operation not permitted
chown: .gnupg/trustdb.gpg: Operation not permitted
chown: .gnupg: Operation not permitted

Copy the .gnupg folder out of the Time Machine backup, chown it, and see/extract the private keys as above:

$ mkdir ~/gpg_recovery
$ cp -r /Volumes/<Backup Drive>/Backups.backupdb/<Compute Name>/Latest/Macintosh HD/Users/<name>/.gnupg ~/gpg_recovery/
$ cd ~/gpg_recovery/
$ sudo chown -R $USER:staff .gnupg
Password:
$ gpg --homedir ~/gpg_recovery/.gnupg --list-secret-keys

$ gpg --homedir ~/gpg_recovery/.gnupg --export-secret-keys | gpg --import
gpg: key xxxxxxxxxxxxxxxx: public key "xxxxxxxxxxxxxxxxxxxxxxx" imported
gpg: key xxxxxxxxxxxxxxxx: secret key imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
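The recovery steps above as a small script, added here as an example and not taken from the answers or from GnuPG itself: it copies the homedir out of a read-only backup, applies the permissions gpg expects, reports what kind of keyring it found, and only then pipes the secret keys into the current keyring. All paths and sample files are constructed; it assumes the GnuPG 2.1+ layout (private-keys-v1.d, pubring.kbx) but also recognises the older secring.gpg.

```shell
#!/bin/sh
# Copy a GnuPG homedir out of a read-only backup into a writable copy, then
# apply the permissions gpg expects (0700 directories, 0600 files) before
# pointing --homedir at it. The original is never touched, so this also works
# on a mounted Time Machine backup that rejects chown and chmod in place.
# All paths and sample files here are constructed for this example.
set -eu

# recover_keyring SRC DST: copy SRC to DST (DST must not exist yet) and
# harden the copy. cp without -p makes the current user the owner, so the
# sudo chown from the answer above is only needed for copies made as root or with cp -p.
recover_keyring() {
    src=$1; dst=$2
    [ -d "$src" ] || { echo "source homedir not found: $src" >&2; return 1; }
    [ ! -e "$dst" ] || { echo "destination already exists: $dst" >&2; return 1; }
    mkdir -p "$(dirname "$dst")"
    cp -R "$src" "$dst"
    chmod 700 "$dst"                       # gpg warns on "unsafe permissions"
    find "$dst" -type d -exec chmod 700 {} +
    find "$dst" -type f -exec chmod 600 {} +
}

# keyring_layout DIR: "modern" for GnuPG 2.1+ (one file per secret key under
# private-keys-v1.d, public keys in pubring.kbx), "legacy" for the 1.x/2.0
# secring.gpg format, "none" if no keyring material is present.
keyring_layout() {
    if [ -d "$1/private-keys-v1.d" ]; then echo modern
    elif [ -f "$1/secring.gpg" ]; then echo legacy
    else echo none; fi
}

# count_private_keys DIR: number of secret key files in a modern homedir
# (a legacy secring.gpg cannot be counted without gpg itself, so 0).
count_private_keys() {
    if [ -d "$1/private-keys-v1.d" ]; then
        find "$1/private-keys-v1.d" -type f -name '*.key' | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# import_from DIR: list the recovered secret keys and pipe them straight into
# the current user's default keyring, as in the answer above, so no exported
# secret-key file is ever written to disk.
import_from() {
    command -v gpg >/dev/null || { echo "gpg is not installed" >&2; return 1; }
    gpg --homedir "$1" --list-secret-keys
    gpg --homedir "$1" --export-secret-keys | gpg --import
}
```

Run it as your own user: `recover_keyring /Volumes/<Backup Drive>/.../Users/<name>/.gnupg ~/gpg_recovery/.gnupg` followed by `import_from ~/gpg_recovery/.gnupg`, and delete ~/gpg_recovery once the import succeeds.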

Windows

On Windows systems you may use software like Gpg4win. In this case you can migrate your (private) keys by copying the following files to your new computer:

  • File %AppData%\gnupg\pubring.kbx
  • File %AppData%\gnupg\trustdb.gpg
  • Entire folder %AppData%\gnupg\private-keys-v1.d

To list your current recognized (installed) local keys use gpg --list-secret-keys --keyid-format LONG. Tested with gpg (GnuPG) 2.3.4 (2021) installed via Gpg4win 4.0.0.