
OpenPGP Key Backup

Backing up your key is really, really important.

Here is an example of why:

If a file is encrypted with your public key, the only way that the file can be decrypted is with your private key. If a file is encrypted with your private key, only your public key can decrypt it.

If you lose your key, or forget the passphrase, your data will be irrevocably lost. There is no way to recover encrypted data if you cannot use the appropriate key to decrypt it. None.

One way to back up your public and private keys is to make an ASCII version of them and burn it to a CD, or print it out, and then store the CD or paper in a safe deposit box. Really, you don't want to lose those keys, or have the private key fall into the wrong hands.

Backing up your public key

To make an ASCII version of your public key in a file, first get hold of the unique id of the key. Call gpg --list-keys to list out the keys on your keyring. The output should look something like:

fbloggs@wally:~$ gpg --list-keys
/home/fbloggs/.gnupg/pubring.gpg
--------------------------------
pub  1024D/0637B724 2003-06-13 Fred Bloggs (OpenSkills member) {fblogs@openskills.org}
sub  1024g/9D588AEC 2003-06-13
...
{all the non-secret keys on your keyring are listed}

Fred's public key is on the line which starts "pub 1024D ...". The ID of this public key is 0637B724. The 1024D before the key ID gives the size and type of the key.

Now that we have the ID of the key, we can write it to a file using gpg -ao fred-public.key --export 0637B724. This will produce a file that looks something like this:

fbloggs@wally:~$ cat fred-public.key 
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

mQGiBD7psF8RBACRmWOAs1lQrghzkp08iLOSNZw6wUMMTrNCsXo4mR57fNzE11dN
bn0BuWhTYmE594zg8rg/GnBXGy9Zw/z2Xfmh+xDa+PXN8Khv44b2TmsXdZgJ8HMN
...{lines deleted from here} ...
JAwVAKCF7n8L3vIEF4VDrg/HK5sP7ZxN6QCeJ65NVi1A2hvB8J0KQ5CUtTIBWmY=
=Vojk
-----END PGP PUBLIC KEY BLOCK-----

Now, put this file somewhere safe.

Backing up your private key

The process for backing up the private key is similar to backing up the public key. Be aware that what we are about to do is a significant potential security risk - make sure that you very carefully protect the file we are about to create. Once you have made the file secure (e.g. by burning to a CD) you should delete the file (not the key) from your local file system.

List the private key with gpg --list-secret-keys. The output is similar to listing the public keys. For example:

fbloggs@wally:~$ gpg --list-secret-keys
/home/fbloggs/.gnupg/secring.gpg
--------------------------------
sec  1024D/0637B724 2003-06-13 Fred Bloggs (OpenSkills member) {fblogs@openskills.org}
ssb  1024g/9D588AEC 2003-06-13

Fred's private key has the ID 0637B724. To write this to a file, use gpg -ao fred-private.key --export-secret-keys 0637B724. This will produce a file that looks something like this:

fbloggs@wally:~$ cat fred-private.key
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

lQHPBD7psF8RBACRmWOAs1lQrghzkp08iLOSNZw6wUMMTrNCsXo4mR57fNzE11dN
bn0BuWhTYmE594zg8rg/GnBXGy9Zw/z2Xfmh+xDa+PXN8Khv44b2TmsXdZgJ8HMN
...{lines deleted from here} ...
OBVaEXN2c3kj79EAHYhGBBgRAgAGBQI+6bBiAAoJED6KHvQGN7ckDBUAnihNt+3Y
iCsh1W8tN6GXMQzw8RokAKDG+zAxr+HXsfYMcwoW54RvpGoG2g==
=Ty+2
-----END PGP PRIVATE KEY BLOCK-----

You may also protect the exported file itself with a passphrase (symmetric encryption, gpg -c). Use gpg -a --export-secret-keys 0637B724 |gpg -aco fred-private.key.gpg instead of the above.

Now, put this file somewhere very safe, and once you have done that, delete the local copy of the fred-private.key file.

Restoring your key

To restore your key, simply import it using gpg --import {key file}. For example gpg --import fred-private.key.

To restore an encrypted key use gpg --decrypt fred-private.key.gpg |gpg --import.

If you somehow corrupt your keyring, or move to another machine, you may wish to delete your whole local gpg directory before restoring your keys. On Linux, this directory is ~/.gnupg/. Make sure you have exported any valuable keys (those of others, for example) before doing this. Especially, make sure that you have a safe copy of your private key!
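A paper or CD backup is only useful if the copy you restore from is intact, and the "=Vojk" / "=Ty+2" line at the bottom of each armored block above is the check GnuPG provides for that: a CRC-24 over the decoded key bytes. The script below is an added example, not part of this page or of GnuPG: it checks the armor of a backup file (BEGIN/END lines, base64, CRC-24) before you run gpg --import, so a mistyped paper copy is caught up front. The key bytes it armors are a constructed placeholder, not a real key.

```python
import base64
import re

# Constructed stand-in for the binary OpenPGP packets that gpg --export
# writes before armoring them; it is NOT a real key.
SAMPLE_KEY_BYTES = bytes(range(0, 200))

def crc24(data: bytes) -> int:
    """OpenPGP CRC-24 (RFC 4880 section 6.1) over the decoded packet bytes."""
    crc = 0xB704CE
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes, block_type: str = "PRIVATE KEY BLOCK") -> str:
    """Wrap packet bytes as gpg -a does: BEGIN line, blank line, base64 at 64 columns, =CRC, END line."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc_b64 = base64.b64encode(crc24(data).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN PGP {block_type}-----", ""] + lines
                     + ["=" + crc_b64, f"-----END PGP {block_type}-----", ""])

def check_armor(text: str) -> tuple[bool, str]:
    """Validate a backup file: matching BEGIN/END lines, clean base64, and a CRC-24 that agrees with the data."""
    lines = [line.strip() for line in text.strip().splitlines()]
    m = re.fullmatch(r"-----BEGIN PGP ([A-Z ]+)-----", lines[0]) if lines else None
    if not m or lines[-1] != f"-----END PGP {m.group(1)}-----":
        return False, "missing or mismatched BEGIN/END armor lines"
    body = lines[1:-1]
    # Armor headers such as "Version:" and "Comment:" end at the first blank line.
    if "" in body:
        body = body[body.index("") + 1:]
    # Treat a missing =CRC line as a failed check rather than skipping the test.
    if not body or not body[-1].startswith("="):
        return False, "no =CRC line before the END line"
    try:
        data = base64.b64decode("".join(body[:-1]), validate=True)
        expected = int.from_bytes(base64.b64decode(body[-1][1:], validate=True), "big")
    except ValueError as exc:
        return False, f"base64 decoding failed: {exc}"
    if crc24(data) != expected:
        return False, "CRC-24 mismatch: the backup has been altered or mistyped"
    return True, f"ok: {len(data)} bytes of packet data, checksum verified"

if __name__ == "__main__":
    print(check_armor(armor(SAMPLE_KEY_BYTES)))
```

Run it against a real backup with check_armor(open("fred-private.key").read()); a passing check says the file is intact, not that the key inside it is the right one, so still confirm the key ID after import with gpg --list-secret-keys.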

Annotations

Annotations on 2004-09-25 by 0xE734B455 ;) -udo

