What's the best way of keeping a PGP private key file generated by GnuPG?

I will just store my public key online, in Gmail, on many of my computers. Where/how best to protect and store the private key file?


Use your favorite encryption software, or just leave it alone on your desktop somewhere or anywhere you want on your computer (assuming physical access to your computer is secured, there is little/no chance that someone will be able to get the key).


TL;DR a flash drive or a CD in a safe place.

Seeing as this is a security question, I would be very hesitant to entrust my private key to Google or any other major cloud service. Call me paranoid, but your PGP key is your signature. I hate to remind you of the simple fact, but with your PGP key I "am" you. Personally, I would back up my key across any/all computers I own and for good measure put a labeled CD or flash drive somewhere safe (like a gun safe).

edit: oops, sorry @soandos had the same idea first.


I found paperkey. Your private key also contains a copy of the public key. Since the public key is backed up to dozens of key servers you only need to worry about the private key without the included public key. Paperkey extracts only this essential information and gives you a plain text hexdump with checksums.

In case of an emergency, when everything else fails you can still manually (or with scanner and OCR) type in the hex dump and recreate your private key.

In addition to that there is optar. Optar is not related to cryptography. It just takes any file and gives you a QR-code-like, very dense encoding of those bytes. You might also feed the output of paperkey through optar to save yourself from manually typing when recovering your key. But make sure to also print the plain paperkey output, since you're doomed if you have only the optar output but no longer have the optar software.

Paperkey is available in Debian, optar not yet.

In addition to those paper-based backups you should take a USB stick with your private key and the scans of your most important documents (birth certificate, insurance papers, work references, certificates) and deposit it in a place that is safe from fire, robbery and law enforcement. (I personally would not trust banks with that.)


Although others recommend using different software, you cannot be sure that it will still be available in, e.g., 20 years.

However, you can benefit from the fact that the key is present in plain text: print it out and store it in a safe place. Plain text simply means: no need for any special software. Still, you do not have to type it back in, since a vast variety of (free) text-recognition software is available and most probably always will be.

Needless to say, if everything fails, you could still sit down and type the key in (but I doubt that this will ever be the case).

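Both the paperkey answer and the print-and-OCR answer rest on the same idea: a sheet of hex that a human or an OCR engine can get back into the computer, with checksums that tell you exactly which line was mistyped. The block below is an added example written for this page; it is not paperkey's code or its exact file format, and the "secret" it encodes is a constructed byte string standing in for the secret material paperkey would extract, not a real key. It uses the OpenPGP CRC-24 from RFC 4880 section 6.1 for each line and for the whole blob, numbers the lines so a skipped or duplicated line is caught, and folds common OCR confusions (O for 0, I/l for 1, S for 5, Z for 2) back into hex before checking, since none of those letters are hex digits and the substitution cannot damage a correct sheet.

```python
"""Paper backup of a secret blob with per-line CRC-24 checksums.

Added example in the spirit of paperkey (not paperkey's own code or format).
CRC-24 parameters are the OpenPGP ones from RFC 4880 section 6.1.
"""
import hashlib

CRC24_INIT = 0xB704CE   # RFC 4880 section 6.1
CRC24_POLY = 0x1864CFB

# Constructed sample: NOT a real key, just deterministic bytes standing in
# for the secret part of an OpenPGP key that paperkey would extract.
SAMPLE_SECRET = hashlib.sha256(b"constructed sample, not a key").digest() + b"\x00" * 8


def crc24(data: bytes) -> int:
    """OpenPGP CRC-24 (the checksum used in ASCII-armor trailers)."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def encode_for_paper(secret: bytes, width: int = 16) -> str:
    """Render bytes as numbered hex lines, each with its own CRC-24, plus a
    whole-blob CRC-24 at the end. Line numbers catch skipped or duplicated
    lines; per-line checksums localise a typo to a single line."""
    lines = []
    for i in range(0, len(secret), width):
        chunk = secret[i:i + width]
        lines.append(f"{i // width + 1}: {chunk.hex().upper()} {crc24(chunk):06X}")
    lines.append(f"CRC: {crc24(secret):06X}")
    return "\n".join(lines) + "\n"


class TranscriptionError(ValueError):
    """Raised when what was typed or OCR'd does not match the checksums."""


# Characters OCR and humans confuse with hex digits but which are not hex
# digits themselves, so mapping them back can never corrupt a correct sheet.
# B/8 and D/0 cannot be fixed this way; the checksums have to catch those.
_OCR_FIXUPS = str.maketrans({"O": "0", "o": "0", "I": "1", "l": "1", "S": "5", "Z": "2"})


def decode_from_paper(text: str) -> bytes:
    """Reverse encode_for_paper, verifying every checksum on the way."""
    out = bytearray()
    expected_no = 1
    total_crc = None
    for raw in text.splitlines():
        line = raw.strip().translate(_OCR_FIXUPS)
        if not line:
            continue
        label, _, rest = line.partition(":")
        if label.upper() == "CRC":
            total_crc = int(rest.strip(), 16)
            continue
        lineno = int(label)
        if lineno != expected_no:
            raise TranscriptionError(f"expected line {expected_no}, got line {lineno}")
        expected_no += 1
        hex_part, crc_part = rest.split()
        chunk = bytes.fromhex(hex_part)
        if crc24(chunk) != int(crc_part, 16):
            raise TranscriptionError(f"checksum mismatch on line {lineno}; retype that line")
        out += chunk
    if total_crc is None:
        raise TranscriptionError("final CRC line missing")
    if crc24(bytes(out)) != total_crc:
        raise TranscriptionError("whole-blob checksum mismatch")
    return bytes(out)


def check_sheet(text: str) -> str:
    """Return "ok" if the sheet decodes cleanly, otherwise the error message."""
    try:
        decode_from_paper(text)
        return "ok"
    except TranscriptionError as exc:
        return str(exc)


def corrupt_one_hex_digit(sheet: str, lineno: int = 2) -> str:
    """Simulate a transcription error: change one hex digit on a data line."""
    lines = sheet.splitlines()
    label, _, rest = lines[lineno - 1].partition(":")
    hex_part, crc_part = rest.split()
    bad = ("0" if hex_part[0] != "0" else "1") + hex_part[1:]
    lines[lineno - 1] = f"{label}: {bad} {crc_part}"
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    sheet = encode_for_paper(SAMPLE_SECRET)
    print(sheet)
    print(check_sheet(sheet))                            # ok
    print(check_sheet(corrupt_one_hex_digit(sheet)))     # checksum mismatch on line 2 ...
    print(check_sheet(sheet.replace("0", "O")))          # ok: OCR confusion folded back
```

A single wrong hex digit is a burst error shorter than 24 bits, which a degree-24 CRC always detects, so a mismatch is never a false "ok". With the real tool, as documented by the paperkey project, the equivalent round trip is `gpg --export-secret-keys KEYID | paperkey --output key.txt` to produce the sheet and `paperkey --pubring pubkey.gpg --secrets key.txt --output secret.gpg` to rebuild the secret key from the sheet plus the public key fetched from a keyserver.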

If you go for storing your private keys online in some untrusted location, encrypt the keys themselves, and also consider an additional level of protection like steganography (hide the keys in some media files like images).