What are the critical files I need to backup from GPG? I guess my private key would qualify of course, but what else?
6 Answers
The most critical are your secret/private keys:
gpg --export-secret-keys > secret-backup.gpg
secret-backup.gpg is then the file to keep safe.
Otherwise the ~/.gnupg/ directory contains all private and public keys (secring.gpg and pubring.gpg respectively) as well as the configuration and trustdb, which could be convenient to have stored.
- If a public key was lost, would the private key be useless? – Buttons840 May 04 '19 at 15:49
- @Buttons840 The public key is a subset of the private key, so you should be able to extract the public key from the private. – hultqvist May 04 '19 at 18:21
- Recent versions of GnuPG do not have pubring.gpg, but pubring.kbx, and private keys are in a separate directory. – jarno May 03 '20 at 06:11
- Use `gpg --import ~/secret-backup.gpg` to restore the exported private keys. – 030 Jul 30 '21 at 14:27
There is nothing special. Let's assume your@id.here is your ID:
Export keys and ownertrust:
gpg --export --armor your@id.here > your@id.here.pub.asc
gpg --export-secret-keys --armor your@id.here > your@id.here.priv.asc
gpg --export-secret-subkeys --armor your@id.here > your@id.here.sub_priv.asc
gpg --export-ownertrust > ownertrust.txt
Import keys and ownertrust:
gpg --import your@id.here.pub.asc
gpg --import your@id.here.priv.asc
gpg --import your@id.here.sub_priv.asc
gpg --import-ownertrust ownertrust.txt
Ultimately trust the imported key:
gpg --edit-key your@id.here
gpg> trust
Your decision? 5 (Ultimate trust)
The easiest way would be to grab the entire GnuPG directory, usually ~/.gnupg/; it contains all private keys you have, as well as the public keyring and other useful data (trustdb, etc.).
- Isn't it also the safest way? Because the private keys are still encrypted. – tuxayo May 25 '20 at 19:06
- I have some weird files in my directory that do not want to be copied over scp. – vidstige May 06 '21 at 09:33
In addition to @serghei's answer, check the documentation of GnuPG. It says that you should back up:
- ~/.gnupg/gpg.conf (standard configuration file)
- ~/.gnupg/pubring.gpg (legacy public keyring)
- ~/.gnupg/pubring.kbx (new public keyring using keybox format)
- ~/.gnupg/openpgp-revocs.d/ (revocation certificates)
It also suggests backing up the ownertrust:
gpg --export-ownertrust > otrust.txt
Of course, you should back up your secret keys as well. If I understand correctly, the quickest way would be using tar to back up the whole ~/.gnupg except the revocation certificates in ~/.gnupg/openpgp-revocs.d/. You may consider printing revocation certificates as a QR code (qrencode) or, instead, printing out secret keys with the utility paperkey (see reference). Remember that if you keep your private keys and revocation certificates on one device, an attacker can revoke your public key and issue a new one claiming to be you.
Reference: An Advanced Introduction to GnuPG, Neal H. Walfield, section 6.3.8 (creating a backup).
- Why do we have to back up the public keyring? Aren't the public keys part of the secret keys? So exporting the secret keys + owner trust should be enough. – JellyFilledNuts Oct 13 '21 at 19:22
- @JellyFilledNuts It may contain other people's public keys, thus not part of the secret ones you own. See [the documentation](https://www.gnupg.org/gph/en/manual/x56.html). In that perspective, it's not dramatic to lose them, just not very handy. – Firmin Martin Oct 13 '21 at 20:02
- I see, that makes sense. Thanks. I did not think about that aspect because so far I'm using GPG only for signing commits and encrypting stuff. – JellyFilledNuts Oct 13 '21 at 21:33
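Putting the export/import commands from the earlier answer together with the extra files this answer lists (ownertrust and revocation certificates), here is an added example script that is not from any answer on this page: it writes the backup, then verifies it by restoring into a throwaway GNUPGHOME and comparing the primary fingerprint. It assumes gpg 2.1+ on PATH (pubring.kbx, openpgp-revocs.d/); the function names and the your@id.here key id are placeholders.

```shell
#!/bin/sh
# Added example, not taken from the answers above: back up what they list
# (public key, secret keys, ownertrust, revocation certificates) and then
# prove the backup restores by importing it into a throwaway GNUPGHOME and
# comparing the primary fingerprint. Assumes gpg 2.1+ on PATH; the key id
# is whatever you would pass to gpg, e.g. the your@id.here placeholder.

# gpg_fpr KEY: primary-key fingerprint of the secret key matching KEY
gpg_fpr() {
    gpg --batch --with-colons --list-secret-keys "$1" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# gpg_backup KEY DEST: export KEY's public and secret material plus the
# ownertrust database into DEST, and copy the .rev files (they live in
# no keyring, so --export never includes them)
gpg_backup() {
    key="$1"; dest="$2"; home="${GNUPGHOME:-$HOME/.gnupg}"
    mkdir -p "$dest" && chmod 700 "$dest"
    gpg --batch --armor --export "$key" > "$dest/public.asc"
    gpg --batch --armor --export-secret-keys "$key" > "$dest/secret.asc"
    gpg --batch --export-ownertrust > "$dest/ownertrust.txt"
    for rev in "$home"/openpgp-revocs.d/*.rev; do
        if [ -f "$rev" ]; then cp -p "$rev" "$dest/"; fi
    done
    chmod 600 "$dest"/*
}

# gpg_restore_check KEY SRC: import SRC into a fresh temporary home and
# succeed only if the restored primary fingerprint equals the live one
gpg_restore_check() {
    key="$1"; src="$2"
    want=$(gpg_fpr "$key")
    tmp=$(mktemp -d) || return 1
    got=$(
        export GNUPGHOME="$tmp"
        gpg --batch --import "$src/public.asc" "$src/secret.asc" >/dev/null 2>&1 || exit 1
        gpg --batch --import-ownertrust "$src/ownertrust.txt" >/dev/null 2>&1 || exit 1
        gpg_fpr "$key"
    )
    (export GNUPGHOME="$tmp"; gpgconf --kill gpg-agent) >/dev/null 2>&1 || true
    rm -rf "$tmp"
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# Usage: gpg_backup your@id.here ~/gpg-backup && gpg_restore_check your@id.here ~/gpg-backup
```

Keys protected by a passphrase will make gpg-agent prompt during the export and again during the restore import; the copied backup directory is created mode 0700 and its files 0600, but it still holds your secret material and belongs on offline, encrypted storage.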
You definitely want to back up your private key and the revocation file you created.
- You need to create it (if you didn't already). It is used to revoke your key if you lose your private key. – PEra Nov 24 '09 at 18:17
You may also want to back up any keys you've signed or ones you don't feel like re-downloading from the key servers.
At a minimum, all you need is your complete key.