How to back up GPG?
What are the critical files I need to back up from GPG? I guess my private key would qualify, of course, but what else?
The most critical are your secret/private keys:
gpg --export-secret-keys > secret-backup.gpg
secret-backup.gpg is then the file to keep safe.
Otherwise, the ~/.gnupg/ directory contains all private and public keys (secring.gpg and pubring.gpg respectively) as well as the configuration and trustdb, which could be convenient to have stored.
There is nothing special. Let's assume [email protected] is your ID:
Export keys and ownertrust:
gpg --export --armor [email protected] > [email protected]
gpg --export-secret-keys --armor [email protected] > [email protected]
gpg --export-secret-subkeys --armor [email protected] > [email protected]_priv.asc
gpg --export-ownertrust > ownertrust.txt
Import keys and ownertrust:
gpg --import [email protected]
gpg --import [email protected]
gpg --import [email protected]_priv.asc
gpg --import-ownertrust ownertrust.txt
Ultimately trust the imported key:
gpg --edit-key [email protected]
gpg> trust
Your decision? 5 (Ultimate trust)
The easiest way would be to grab the entire GnuPG directory, usually ~/.gnupg/. It contains all the private keys you have, as well as the public keyring and other useful data (trustdb, etc.).
In addition to @serghei's answer, check the documentation of gnupg. It says that you should back up:
- ~/.gnupg/gpg.conf (standard configuration file)
- ~/.gnupg/pubring.gpg (legacy public keyring)
- ~/.gnupg/pubring.kbx (new public keyring using keybox format)
- ~/.gnupg/openpgp-revocs.d/ (revocation certificates)
It also suggests backing up the ownertrust:
gpg --export-ownertrust > otrust.txt
Of course, you should back up your secret keys as well. If I understand correctly, the quickest way would be using tar to back up the whole ~/.gnupg except the revocation certificates in ~/.gnupg/openpgp-revocs.d/. You may consider printing the revocation certificates as a QR code (qrencode) or, instead, printing out the secret keys with the utility paperkey (see reference). Remember that if you keep your private keys and revocation certificates on one device, an attacker can revoke your public key and issue a new one claiming to be you.
Reference: An Advanced Introduction to GnuPG, Neal H. Walfield, section 6.3.8 (creating a backup).
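An added example that is not part of any of the answers above: the export/import commands posted earlier (export, export-secret-keys, export-secret-subkeys, export-ownertrust and their import counterparts) together with the tar backup of ~/.gnupg that leaves out openpgp-revocs.d/, as one POSIX shell script that checks itself end to end against throwaway GNUPGHOME directories. The demo identity backup-demo@example.invalid, the passphrase-less test key, the backup file names and the requirement for gpg 2.2 or newer with gpg-agent installed are assumptions of the example, not something the answers state.

```shell
#!/bin/sh
# Added example (not code from the answers above): the export/import steps
# posted earlier, scripted, plus the tar backup of the keyring directory
# that leaves out openpgp-revocs.d/. demo_roundtrip runs it end to end
# inside throwaway GNUPGHOME directories, so ~/.gnupg is never touched.
# The demo identity, the passphrase-less test key and the backup file
# names are assumptions made for this demo.
set -eu

# True when gpg 2.2 or newer and gpg-agent are installed, which the demo
# needs for --quick-generate-key with algo/usage/expiry and loopback pinentry.
gpg_is_modern() {
    command -v gpg >/dev/null 2>&1 || return 1
    command -v gpg-agent >/dev/null 2>&1 || return 1
    command -v gpgconf >/dev/null 2>&1 || return 1
    gpg --version | awk 'NR == 1 {
        split($NF, v, ".")
        exit !(v[1]+0 > 2 || (v[1]+0 == 2 && v[2]+0 >= 2))
    }'
}

# Export key ID $1 into directory $2: public key, secret key, secret subkeys
# and the ownertrust table, then archive the rest of the GnuPG home.
gpg_backup() {
    key_id=$1; out=$2
    home=${GNUPGHOME:-$HOME/.gnupg}
    mkdir -p "$out"
    gpg --batch --armor --export "$key_id" > "$out/$key_id.pub.asc"
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --armor --export-secret-keys "$key_id" > "$out/$key_id.priv.asc"
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --armor --export-secret-subkeys "$key_id" > "$out/$key_id.sub_priv.asc"
    gpg --export-ownertrust > "$out/ownertrust.txt"
    # Revocation certificates stay out of the archive that holds the secret
    # key, so one stolen backup cannot both sign as you and revoke you.
    # Agent sockets (S.*) are runtime state, not data, and are skipped too.
    tar -C "$home" --exclude='openpgp-revocs.d' --exclude='S.*' \
        -czf "$out/gnupg-home.tgz" .
}

# Import the files written by gpg_backup into the current GnuPG home.
gpg_restore() {
    key_id=$1; in=$2
    gpg --batch --import "$in/$key_id.pub.asc"
    gpg --batch --pinentry-mode loopback --passphrase '' --import "$in/$key_id.priv.asc"
    gpg --batch --pinentry-mode loopback --passphrase '' --import "$in/$key_id.sub_priv.asc"
    # ownertrust.txt carries the trust level (6 = ultimate), so the
    # interactive "gpg --edit-key ... trust" step is not needed.
    gpg --batch --import-ownertrust "$in/ownertrust.txt"
}

# End-to-end check: create a key, back it up, restore it into an empty home
# and verify that the secret key, its trust level and signing all survived.
# Prints the key fingerprint on success, returns non-zero on any failure.
demo_roundtrip() {
    demo_id='backup-demo@example.invalid'      # assumed test identity
    work=$(mktemp -d)
    src=$work/src; dst=$work/dst; bak=$work/backup
    mkdir -m 700 "$src" "$dst"

    export GNUPGHOME="$src"
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "Backup Demo <$demo_id>" default default never >/dev/null 2>&1
    fpr=$(gpg --batch --with-colons --list-keys "$demo_id" \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    gpg_backup "$demo_id" "$bak" 2>/dev/null
    gpgconf --kill gpg-agent 2>/dev/null || true

    export GNUPGHOME="$dst"
    gpg_restore "$demo_id" "$bak" >/dev/null 2>&1

    # The secret key is back under the same fingerprint ...
    gpg --batch --with-colons --list-secret-keys | grep -q "^fpr:.*:$fpr:" || return 1
    # ... with ultimate ownertrust restored from ownertrust.txt ...
    gpg --export-ownertrust | grep -q "^$fpr:6:" || return 1
    # ... the source home has a revocation certificate that the tarball omits ...
    ls "$src/openpgp-revocs.d" | grep -q '\.rev$' || return 1
    if tar -tzf "$bak/gnupg-home.tgz" | grep -q 'openpgp-revocs.d'; then return 1; fi
    # ... and the restored key can sign, with a signature that verifies.
    printf 'restored key works\n' \
        | gpg --batch --pinentry-mode loopback --passphrase '' \
              --local-user "$demo_id" --clearsign \
        | gpg --batch --verify >/dev/null 2>&1 || return 1

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    echo "$fpr"
}

if [ "${1:-}" = "run" ]; then demo_roundtrip; fi
```

Run it as `sh gpg-backup-demo.sh run`; it prints the fingerprint of the throwaway key when every check passes. To back up a real key, call gpg_backup with your key ID and a destination directory on removable media, and drop the `--pinentry-mode loopback --passphrase ''` options so gpg prompts for the key's real passphrase; they are only there because the demo key has none.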
You definitely want to back up your private key and the revocation file you created.