What are the critical files I need to back up from GPG? I guess my private key would qualify of course, but what else?


The most critical are your secret/private keys:

gpg --export-secret-keys > secret-backup.gpg

secret-backup.gpg is then the file to keep safe.

Otherwise, the ~/.gnupg/ directory contains all private and public keys (secring.gpg and pubring.gpg respectively) as well as the configuration and trustdb, which could be convenient to have stored.


There is nothing special. Let's assume [email protected] is your ID:

Export keys and ownertrust:

gpg --export --armor [email protected] > [email protected]
gpg --export-secret-keys --armor [email protected] > [email protected]
gpg --export-secret-subkeys --armor [email protected] > [email protected]_priv.asc
gpg --export-ownertrust > ownertrust.txt

Import keys and ownertrust:

gpg --import [email protected]
gpg --import [email protected]
gpg --import [email protected]_priv.asc
gpg --import-ownertrust ownertrust.txt

Ultimately trust the imported key:

gpg --edit-key [email protected]
gpg> trust
Your decision? 5 (Ultimate trust)

The easiest way would be to grab the entire GnuPG directory - usually ~/.gnupg/, it contains all private keys you have, as well as the public keyring and other useful data (trustdb, etc.)


In addition to @serghei's answer, check the documentation of GnuPG. It says that you should back up:

  • ~/.gnupg/gpg.conf (standard configuration file)
  • ~/.gnupg/pubring.gpg (legacy public keyring)
  • ~/.gnupg/pubring.kbx (new public keyring using keybox format)
  • ~/.gnupg/openpgp-revocs.d/ (revocation certificates)

It also suggests backing up the ownertrust:

gpg --export-ownertrust > otrust.txt

Of course, you should back up your secret keys as well. If I understand correctly, the quickest way would be using tar to back up the whole ~/.gnupg except the revocation certificates in ~/.gnupg/openpgp-revocs.d/. You may consider printing revocation certificates as a QR code (qrencode) or, instead, printing out secret keys with the utility paperkey (see reference). Remember that if you keep your private keys and revocation certificates on one device, an attacker can revoke your public key and issue a new one claiming to be you.

Reference: An Advanced Introduction to GnuPG, Neal H. Walfield, section 6.3.8 (creating a backup).
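
The split backup described in the answer above (everything in the GnuPG directory except openpgp-revocs.d in one archive, the revocation certificates in another), as an added shell example that is not part of the original answer. The function name, the archive names, and the excluded socket and lock-file patterns are assumptions.

```shell
#!/bin/sh
# Added example: back up a GnuPG home directory with tar, keeping the
# revocation certificates in a separate archive on a separate destination.
# Assumed names (not from the page): backup_gnupg, gnupg-keys.tar.gz,
# gnupg-revocs.tar.gz, and the 'S.*' / '*.lock' exclusions for agent
# sockets and lock files.
# Usage: backup_gnupg GNUPG_HOME KEY_DEST REVOCATION_DEST

backup_gnupg() (
    umask 077    # archives hold private keys: readable by the owner only
    src=$1 dest=$2 revdest=$3
    if [ ! -d "$src" ] || [ -z "$dest" ] || [ -z "$revdest" ]; then
        echo "usage: backup_gnupg GNUPG_HOME KEY_DEST REVOCATION_DEST" >&2
        exit 2
    fi
    mkdir -p "$dest" "$revdest" || exit 1

    # Resolve to physical paths so the comparison below cannot be bypassed
    # with symlinks or relative paths.
    src=$(cd "$src" && pwd -P) || exit 1
    dest=$(cd "$dest" && pwd -P) || exit 1
    revdest=$(cd "$revdest" && pwd -P) || exit 1
    if [ "$dest" = "$revdest" ]; then
        echo "refusing to store keys and revocation certificates together" >&2
        exit 3
    fi

    # Archive 1: keyrings, private keys, trustdb and configuration.
    tar -C "$(dirname "$src")" \
        --exclude='openpgp-revocs.d' --exclude='S.*' --exclude='*.lock' \
        -czf "$dest/gnupg-keys.tar.gz" "$(basename "$src")" || exit 1

    # Archive 2: revocation certificates only, if any exist.
    if [ -d "$src/openpgp-revocs.d" ]; then
        tar -C "$src" -czf "$revdest/gnupg-revocs.tar.gz" openpgp-revocs.d || exit 1
    fi

    # Check that no revocation certificate ended up in the key archive.
    if tar -tzf "$dest/gnupg-keys.tar.gz" | grep -q 'openpgp-revocs\.d'; then
        echo "revocation certificates found in key archive" >&2
        exit 4
    fi
)
```

The two destinations are meant to be different media; the function only checks that they are not the same directory.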


You definitely want to back up your private key and the revocation file you created.