What are the critical files I need to backup from GPG? I guess my private key would qualify of course, but what else?

jldupont

6 Answers

The most critical are your secret/private keys:

gpg --export-secret-keys > secret-backup.gpg

secret-backup.gpg is then the file to keep safe.

Otherwise, the ~/.gnupg/ directory contains all private and public keys (secring.gpg and pubring.gpg respectively) as well as the configuration and trustdb, which could be convenient to have stored.

hultqvist

First of all, before we begin, your@id.here represents your GPG key ID. This could be your email address or the key ID.

Indeed, your private key is critical, but other files are also important.

1. Export keys and ownertrust:

These commands are intended to export your keys and trust level. Public and private keys are used for encryption/decryption, and the trust level determines how much you trust other keys in your keyring.

Run the following commands in your command line (Command Prompt for Windows, Terminal for macOS and Linux). Replace "your@id.here" with your GPG key ID:

gpg --export --armor your@id.here > your@id.here.pub.asc
gpg --export-secret-keys --armor your@id.here > your@id.here.priv.asc
gpg --export-secret-subkeys --armor your@id.here > your@id.here.sub_priv.asc
gpg --export-ownertrust > ownertrust.txt

2. Import keys and ownertrust:

If you need to restore your keys and trust level (e.g., after reinstalling the system or on a new computer), use the following commands:

gpg --import your@id.here.pub.asc
gpg --import your@id.here.priv.asc
gpg --import your@id.here.sub_priv.asc
gpg --import-ownertrust ownertrust.txt

3. Ultimately trust the imported key:

This step is needed to set the ultimate trust level for your keys. Run the following command, then type trust, then 5 (which means "ultimate trust") and hit Enter:

gpg --edit-key your@id.here
gpg> trust
Your decision? 5

Note: If you're operating on Windows, you might need to install GPG4Win first. If you're on macOS, you may need to install GPG Suite.

Update 2023.07.21

An essential point I'd like to address is related to suggestions about backing up the entire ~/.gnupg/ directory. This practice might seem straightforward and quick, but it comes with its pitfalls.

Yes, the ~/.gnupg/ directory does contain all your private and public keys, as well as the trust database and other useful data. However, it also includes your key revocation certificates (~/.gnupg/openpgp-revocs.d/), which are not advisable to include in your backup. This is because if your backup gets stolen or lost, a malicious actor could revoke your keys, rendering them unusable.

Moreover, the ~/.gnupg/ directory may contain temporary files and other less critical data that you might not need during restoration, and it might unnecessarily increase the size of your backup.

On the other hand, exporting keys and trust level, as I explained above, allows for more controlled and secure data management. This approach minimizes risks and makes the process more reliable and predictable.

So, while copying the entire ~/.gnupg/ directory might seem like a quick solution, it may not be the best option in terms of data security and management.

serghei
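
The export / import / ownertrust procedure from this answer and from the shorter answer above it, as an added example that is not code from either answer. The script wraps the same gpg commands in functions, then proves a restore actually works by generating a throwaway key in a temporary GNUPGHOME, backing it up, importing the backup into a second fresh GNUPGHOME and signing and verifying a file with the restored copy. It assumes GnuPG 2.1 or newer (gpg and gpgconf on PATH) and a POSIX shell; the user id, message and temporary directories are test fixtures, and the fixture key is created without a passphrase so that nothing prompts.

```shell
#!/bin/sh
# Added example; not code from any of the answers on this page.
# Automates export -> import -> ownertrust restore and checks the result.
# Assumes GnuPG 2.1+ (gpg, gpgconf). Fixture key/user id are constructed.
set -eu

# gpg_backup_key HOME OUTDIR KEYID
# Export the public key, the secret key and the ownertrust table from
# GnuPG home HOME into OUTDIR. KEYID is a fingerprint, key id or user id,
# exactly as "your@id.here" in the answers. Revocation certificates are
# deliberately not exported. A passphrase-protected key makes gpg ask
# for the passphrase through pinentry at the --export-secret-keys step.
gpg_backup_key() (
    home=$1; out=$2; keyid=$3
    umask 077                     # backup files readable by owner only
    mkdir -p "$out"
    gpg --homedir "$home" --batch --yes --armor \
        --export "$keyid" > "$out/$keyid.pub.asc"
    gpg --homedir "$home" --batch --yes --armor \
        --export-secret-keys "$keyid" > "$out/$keyid.priv.asc"
    gpg --homedir "$home" --export-ownertrust > "$out/ownertrust.txt"
)

# gpg_restore_key HOME SRCDIR KEYID
# Import the three files written by gpg_backup_key into HOME (created
# if missing). Importing ownertrust restores the "ultimate" level, so
# the manual "trust -> 5" step from the answer is not needed.
gpg_restore_key() (
    home=$1; src=$2; keyid=$3
    umask 077
    mkdir -p "$home"
    gpg --homedir "$home" --batch --import "$src/$keyid.pub.asc"
    gpg --homedir "$home" --batch --import "$src/$keyid.priv.asc"
    gpg --homedir "$home" --import-ownertrust "$src/ownertrust.txt"
)

# gpg_ownertrust_of HOME KEYID: print the ownertrust letter of the key
# (field 9 of the pub record in --with-colons output; "u" = ultimate).
gpg_ownertrust_of() {
    gpg --homedir "$1" --batch --with-colons --list-keys "$2" \
        | awk -F: '/^pub:/ { print $9; exit }'
}

# gpg_roundtrip_check
# Generate a throwaway key, back it up, restore it into a fresh home,
# sign and verify a constructed message with the restored key and print
# the restored ownertrust letter. Every path is temporary and removed.
gpg_roundtrip_check() {
    orig=$(mktemp -d); bak=$(mktemp -d); rest=$(mktemp -d)
    chmod 700 "$orig" "$rest"
    gpg --homedir "$orig" --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Backup Test <backup-test@example.invalid>' \
        default default never
    fpr=$(gpg --homedir "$orig" --batch --with-colons --list-keys \
          | awk -F: '/^fpr:/ { print $10; exit }')

    gpg_backup_key "$orig" "$bak" "$fpr"
    gpg_restore_key "$rest" "$bak" "$fpr"

    printf 'constructed test message\n' > "$rest/msg.txt"
    gpg --homedir "$rest" --batch --yes --local-user "$fpr" \
        --output "$rest/msg.sig" --detach-sign "$rest/msg.txt"
    gpg --homedir "$rest" --batch --verify "$rest/msg.sig" "$rest/msg.txt"
    trust=$(gpg_ownertrust_of "$rest" "$fpr")

    # stop the agents started for the temporary homes, then clean up
    gpgconf --homedir "$orig" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$rest" --kill gpg-agent 2>/dev/null || true
    rm -rf "$orig" "$bak" "$rest"
    printf '%s\n' "$trust"
}

# Real use: gpg_backup_key ~/.gnupg ./gpg-backup your@id.here
# Self-test:   GPG_BACKUP_SELFTEST=1 sh this-script.sh   (prints "u")
if [ "${GPG_BACKUP_SELFTEST:-}" = 1 ]; then
    gpg_roundtrip_check
fi
```

The detach-sign plus verify step is the part worth keeping in any backup script: a backup that imports without error but cannot sign is exactly the failure you want to find before the original ~/.gnupg is gone.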

The easiest way would be to grab the entire GnuPG directory, usually ~/.gnupg/. It contains all the private keys you have, as well as the public keyring and other useful data (trustdb, etc.).

user1686

In addition to @serghei's answer, check the documentation of GnuPG. It says that you should back up:

  • ~/.gnupg/gpg.conf (standard configuration file)
  • ~/.gnupg/pubring.gpg (legacy public keyring)
  • ~/.gnupg/pubring.kbx (new public keyring using keybox format)
  • ~/.gnupg/openpgp-revocs.d/ (revocation certificates)

It also suggests backing up the ownertrust:

gpg --export-ownertrust > otrust.txt

Of course, you should back up your secret keys as well. If I understand correctly, the quickest way would be using tar to back up the whole ~/.gnupg except the revocation certificates in ~/.gnupg/openpgp-revocs.d/. You may consider printing revocation certificates as a QR code (qrencode) or, instead, printing out secret keys with the utility paperkey (see reference). Remember that if you keep your private keys and revocation certificates on one device, an attacker can revoke your public key and issue a new one claiming to be you.

Reference: An Advanced Introduction to GnuPG, Neal H. Walfield, section 6.3.8 (creating a backup).

Firmin Martin

  • Why do we have to backup the public keyring? Aren't the public keys part of the secret keys? So exporting the secret keys + owner trust should be enough – JellyFilledNuts Oct 13 '21 at 19:22
  • @JellyFilledNuts It may contain other people's public key, thus not part of the secret ones you own. See [the documentation](https://www.gnupg.org/gph/en/manual/x56.html). In that perspective, it's not dramatic to lose them, just not very handy. – Firmin Martin Oct 13 '21 at 20:02
  • I see, that makes sense. Thanks. I did not think about that aspect because so far I'm using GPG only for signing commits and encrypting stuff – JellyFilledNuts Oct 13 '21 at 21:33
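
The "tar the whole ~/.gnupg except openpgp-revocs.d/" approach from this answer, as an added example that is not code from the answer or from GnuPG. The function keeps what the answer lists (gpg.conf, pubring.gpg / pubring.kbx, trustdb.gpg, private-keys-v1.d/) and leaves out the revocation certificates, plus the agent sockets, lock files and random_seed that an earlier answer calls temporary data. It assumes GNU tar or bsdtar and a POSIX shell; the self-test builds a constructed replica of a GnuPG home out of empty files, so it runs without gpg installed.

```shell
#!/bin/sh
# Added example; not code from the answer above or from GnuPG.
# Archive a GnuPG home directory without its revocation certificates,
# agent sockets, lock files or random seed. Assumes GNU tar or bsdtar.
set -eu

# gnupg_backup_tar HOME ARCHIVE
# Create ARCHIVE (mode 600) from HOME. Members are relative (./name).
gnupg_backup_tar() (
    src=$1; out=$2
    [ -d "$src" ] || { echo "not a directory: $src" >&2; return 1; }
    # tar -C changes directory before reading members; make the archive
    # path absolute so it is unaffected by that.
    case $out in /*) ;; *) out=$PWD/$out ;; esac
    umask 077
    tar -C "$src" -cf "$out" \
        --exclude='openpgp-revocs.d' \
        --exclude='openpgp-revocs.d/*' \
        --exclude='S.*' \
        --exclude='.#lk*' \
        --exclude='*.lock' \
        --exclude='random_seed' \
        .
    chmod 600 "$out"
)

# gnupg_backup_has ARCHIVE MEMBER
# Exit 0 if MEMBER (exact name, e.g. ./pubring.kbx) is in ARCHIVE.
gnupg_backup_has() {
    tar -tf "$1" | grep -qxF -- "$2"
}

# gnupg_backup_selftest
# Build a constructed replica of a GnuPG home (empty files standing in
# for keys, sockets and certificates), archive it and list the members
# that made it in. The revocation certificate and the sockets must not.
gnupg_backup_selftest() {
    tmp=$(mktemp -d)
    home=$tmp/gnupg
    mkdir -p "$home/openpgp-revocs.d" "$home/private-keys-v1.d"
    for f in gpg.conf gpg-agent.conf pubring.kbx trustdb.gpg random_seed \
             S.gpg-agent S.gpg-agent.ssh .#lk0x0000.host.1234 \
             private-keys-v1.d/0123456789ABCDEF.key \
             openpgp-revocs.d/0123456789ABCDEF.rev; do
        : > "$home/$f"
    done
    gnupg_backup_tar "$home" "$tmp/gnupg-backup.tar"
    tar -tf "$tmp/gnupg-backup.tar" | sort
    rm -rf "$tmp"
}

# Real use: gnupg_backup_tar ~/.gnupg /mnt/backup/gnupg-$(date +%F).tar
# Self-test: GNUPG_BACKUP_SELFTEST=1 sh this-script.sh
if [ "${GNUPG_BACKUP_SELFTEST:-}" = 1 ]; then
    gnupg_backup_selftest
fi
```

The archive still holds the secret keys in whatever form they are on disk, so if they have no passphrase, or the backup leaves the machine, wrap it with gpg --symmetric (or another encryption step) before storing it; keep the revocation certificates on separate media, as the answer says.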
You definitely want to back up your private key and the revocation file you created.

PEra

You may also want to back up any keys you've signed or ones you don't feel like re-downloading off the key servers.

At a minimum, all you need is your complete key.

Broam