GPG Key Backup for Storage and Transfer

Understanding the GPG Directory

Explore the GPG directory structure and content:

tree ~/.gnupg

The content of the GPG directory includes:

  • openpgp-revocs.d. Revocation certificates, used to retire old or compromised keys.
  • private-keys-v1.d. Directory in which the private keys are stored.
  • pubring.kbx. Encrypted file containing public keys, including yours, and metadata about them.
  • pubring.kbx~. Backup of the pubring.kbx file. It is updated just before changes are made to the original file.
  • trustdb.gpg. File that holds the trust relationships established for your own keys and for any accepted public keys belonging to other people.

Find Keys to Back Up

List the keys:

gpg --list-secret-keys --keyid-format LONG

The output states that GPG is reading the pubring.kbx file. Nothing shown is the secret key material itself. Multiple key pairs may be displayed.

  • sec. The secret key details: the encryption method and number of bits; the key ID; the key creation date; and the purposes the key can be used for (S for digital signatures, C for certification).
  • Below the sec line is the fingerprint of the key.
  • uid. The ID of the owner of the key.
  • ssb. The secret sub-key details: the encryption method and number of bits; the key ID; the key creation date; and the purposes the key can be used for (E for encryption).

Back Up Keys

Any public keys that were collected and trusted will be included in the backup.

  • The --export-options backup option ensures that all GPG-specific metadata is included, so that the keys import correctly on another computer.
  • The --output option writes the output to the specified file instead of the terminal.

To back up a particular identity, specify the email address associated with the key. To back up all identities, omit the email address from the commands below.

For the public keys:

gpg --export --export-options backup --output public.gpg <user@domain.com>

For the private keys (one will need to enter the passphrase chosen when the key was first created); note that the output file is private.gpg, not public.gpg, so the public export is not overwritten:

gpg --export-secret-keys --export-options backup --output private.gpg <user@domain.com>

Backup the trust relationships:

gpg --export-ownertrust > trust.gpg

View the three files:

ls -hl *.gpg

These files are now ready for long-term storage as a backup, or for transfer to another computer for import.

Importing Keys

Copy the public.gpg, private.gpg, and trust.gpg files to the home directory of the new computer.

Import the public keys (this also creates the trust database if it does not exist yet):

gpg --import public.gpg

Import the private keys (one will need to enter the password used when the key was first created):

gpg --import private.gpg

Import the trust relationships:

gpg --import-ownertrust trust.gpg

Check that everything has been imported correctly; the output of the command below should match what was produced before the export:

gpg --list-secret-keys --keyid-format LONG
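As an added example that is not part of the original guide, the following POSIX shell script automates the export above and verifies the round trip by importing the three files into a throwaway GNUPGHOME and comparing key fingerprints taken from gpg's machine-readable --with-colons listing, which is more reliable than eyeballing the human-readable output. It assumes gpg and awk are on PATH, that the identity and an optional output directory are passed as arguments, and the sample listings at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not from the original guide. Assumes gpg and awk on PATH.

# Print the fingerprints found in a `--with-colons` listing read from stdin,
# sorted so two listings compare equal regardless of order. In that format
# field 1 is the record type and field 10 of an "fpr" record is the fingerprint.
fingerprints_from_listing() {
    awk -F: '$1 == "fpr" { print $10 }' | sort
}

# Succeed only when both listings carry the same, non-empty set of
# fingerprints (primary key and every subkey).
listings_match() {
    a=$(printf '%s\n' "$1" | fingerprints_from_listing)
    b=$(printf '%s\n' "$2" | fingerprints_from_listing)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Export one identity exactly as the guide does, then import the three files
# into a throwaway GNUPGHOME and check that every fingerprint survived.
# Usage: backup_and_verify user@domain.com [output-dir]
backup_and_verify() {
    ident=$1; out=${2:-.}
    gpg --export --export-options backup --output "$out/public.gpg" "$ident"
    gpg --export-secret-keys --export-options backup --output "$out/private.gpg" "$ident"
    gpg --export-ownertrust > "$out/trust.gpg"
    before=$(gpg --list-secret-keys --with-colons "$ident")
    tmp=$(mktemp -d)                       # mktemp -d creates it mode 0700
    GNUPGHOME=$tmp gpg --import "$out/public.gpg" "$out/private.gpg"
    GNUPGHOME=$tmp gpg --import-ownertrust "$out/trust.gpg"
    after=$(GNUPGHOME=$tmp gpg --list-secret-keys --with-colons "$ident")
    GNUPGHOME=$tmp gpgconf --kill gpg-agent
    rm -rf "$tmp"
    listings_match "$before" "$after" && echo "backup verified: $out"
}

# Constructed sample listings (made-up fingerprints, not real keys) in the
# layout gpg emits, used to exercise the comparison offline.
SAMPLE_BEFORE='sec:u:255:22:0000000000000001:1700000000::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1700000000::0::Alice <alice@example.com>::::::::::0:
ssb:u:255:18:0000000000000002:1700000000::::::e::::::23:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:'
# The encryption subkey is missing, as happens when the secret export was incomplete.
SAMPLE_MISSING_SUBKEY='sec:u:255:22:0000000000000001:1700000000::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1700000000::0::Alice <alice@example.com>::::::::::0:'

[ $# -eq 0 ] || backup_and_verify "$@"
```

Run it as `sh backup_verify.sh user@domain.com /path/to/backup`; the secret export and import still prompt for the passphrase through pinentry, as the guide describes.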