Backing up Private Keys

Pete Stephenson pete at heypete.com
Mon Apr 15 18:08:53 CEST 2013


On 4/15/2013 7:24 AM, Ashley Holman wrote:
> I also have a followup question.  Is it acceptable practice to make a
> paper backup of your private key by exporting it in ascii armored mode
> and printing it onto some paper?  (with a passphrase applied of course).

You're the one who defines "acceptable practice" for you. :)

Although I use a smartcard for my day-to-day signing I have backups of
the secret key and subkeys on CD-R and paper in separate
physically-secured locations.

I have copies of both the Paperkey version of my private key and the
ASCII-armored private key block itself.

>  This would be to prevent against loss in the event of other media
> failing.  Has anyone ever had to recover from a paper backup - and if so
> do you painstakingly type it to your computer, or use some kind of OCR
> or perhaps QR codes to encode it?

I realize that typing errors are inevitable, particularly when manually
entering in long strings of seemingly-random text (the Paperkey output
for my 4096-bit private key is 124 lines long while the ASCII-armored
version is 108 lines long). I ran into a few errors using OCR and it was
a hassle to find out which characters it mis-read, so I just ended up
generating a QR code for each line of the Paperkey output and,
separately, a QR code for each line of the ASCII-armored key block.

As a test, I then imported the keyblock using my computer's webcam to
read the QR codes. While somewhat tedious, it was far easier than typing
everything in. Both the Paperkey and ASCII keyblock were reconstructed
without errors.

I'm sure there's a more efficient way of doing things, like creating a
series of linear barcodes that can be read line-by-line with a laser
barcode scanner or by simply scanning it using a flatbed scanner, but
the QR codes work reasonably well for me.

Cheers!
-Pete
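Added example, not part of the message above and not code from Pete or the GnuPG project: a Python sketch of the one-code-per-line approach, in which each line carries its number and a checksum so a misread or missing line is identified by number, and the rebuilt block is checked against the ASCII armor's own CRC-24. The payload layout, the function names and the sample block (built from constructed bytes, not a real key) are assumptions; turning each payload into a QR image is left to whatever QR tool is in use.

```python
import base64

def crc24(data: bytes) -> int:
    """CRC-24 from OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def make_armor(data: bytes) -> str:
    """Wrap constructed bytes in armor; stands in for a real exported key."""
    b64 = base64.b64encode(data).decode()
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    check = "=" + base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PRIVATE KEY BLOCK-----", "", *body,
                      check, "-----END PGP PRIVATE KEY BLOCK-----"])

def armor_ok(armor: str) -> bool:
    """Recompute the armor checksum over the decoded body of a rebuilt block."""
    lines = [l for l in armor.splitlines() if l and l[0] != "-" and ":" not in l]
    try:
        *body, check = lines
        data = base64.b64decode("".join(body), validate=True)
        return base64.b64decode(check[1:]) == crc24(data).to_bytes(3, "big")
    except ValueError:  # bad base64, or no checksum line found
        return False

def to_payloads(text: str) -> list[str]:
    """Assumed layout, one QR payload per line: 'index/total|crc24|line'."""
    lines = text.splitlines()
    return [f"{i}/{len(lines)}|{crc24(l.encode()):06x}|{l}"
            for i, l in enumerate(lines, 1)]

def from_payloads(payloads):
    """Rebuild from scans in any order; returns (text or None, bad line numbers)."""
    good, total = {}, 0
    for p in payloads:
        try:
            head, crc, line = p.split("|", 2)
            idx, count = (int(n) for n in head.split("/"))
        except ValueError:
            continue  # unreadable payload: its line is reported as missing
        total = max(total, count)
        if f"{crc24(line.encode()):06x}" == crc:
            good[idx] = line
    bad = [i for i in range(1, total + 1) if i not in good]
    return (None if bad else "\n".join(good[i] for i in range(1, total + 1))), bad
```

A failed line only needs its own code rescanned, and `armor_ok` gives a final end-to-end check before the block is handed to GnuPG for import.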


