How to backup GPG?

backup disaster-recovery gpg

What are the critical files I need to backup from GPG? I guess my private key would qualify of course, but what else?


The most critical are your secret/private keys:

gpg --export-secret-keys > secret-backup.gpg

secret-backup.gpg is then the file to keep safe.

Otherwise the ~/.gnupg/ directory contain all private and public keys(secring.gpg and pubring.gpg respectively) as well as configuration and trustdb which could be convenient to have stored.


There is nothing special. Let's assume [email protected] is your ID.:

Export keys and ownertrust:

gpg --export --armor [email protected] > [email protected]
gpg --export-secret-keys --armor [email protected] > [email protected]
gpg --export-secret-subkeys --armor [email protected] > [email protected]_priv.asc
gpg --export-ownertrust > ownertrust.txt

Import keys and ownertrust:

gpg --import [email protected]
gpg --import [email protected]
gpg --import [email protected]_priv.asc
gpg --import-ownertrust ownertrust.txt

Ultimately trust the imported key:

gpg --edit-key [email protected]
gpg> trust
Your decision? 5 (Ultimate trust)

The easiest way would be to grab the entire GnuPG directory - usually ~/.gnupg/, it contains all private keys you have, as well as the public keyring and other useful data (trustdb, etc.)


In addition to @serghei's answer, check the documentation of gnupg. It says that you should backup:

  • ~/.gnupg/gpg.conf (standard configuration file)
  • ~/.gnupg/pubring.gpg (legacy public keyring)
  • ~/.gnupg/pubring.kbx (new public keyring using keybox format)
  • ~/.gnupg/openpgp-revocs.d/ (revocation certificates)

It suggests also to backup the ownertrust

gpg --export-ownertrust > otrust.txt

Of course, you should backup your secret keys as well. If I understand correctly, the quickest way would be using tar to backup the whole ~/.gnupg except revocation certificates ~/.gnupg/openpgp-revocs.d/. You may consider to print revocation certificates as a QR code (qrencode) or instead, print out secret keys with the utility paperkey (see reference). Remember that if you keep your private keys and revocation certificates in one device, an attacker can revoke your public key and issue a new one claiming to be you.

Reference: An Advanced Introduction to GnuPG, Neal H. Walfiel section 6.3.8 (creating a backup).


You definitely want to backup your private key and the revocation file you created.

Related

How to determine the "age" of a linux system since installation?
su not working on mac os x?
Does Apache Webserver use log4j (CVE-2021-44228)?
SSH connection lost during server upgrade - How to reconnect to process?
How can I tell which config file Apache is using?
How to find memory usage of individual Windows services?
What is a T1 in modern terms?
How do I list all users with root?
What is a good solution to encrypt some files in unix? [closed]
Where did "Wait 30 seconds before turning it back on" come from?
How to update cURL CA bundle on RedHat?
Rogue DHCP Server Can't be found