Backing up Private Keys

Henry Hertz Hobbit hhhobbit at
Tue Apr 16 03:21:58 CEST 2013

On 04/15/2013 09:07 PM, Robert J. Hansen wrote:
> On 4/15/2013 1:24 AM, Ashley Holman wrote:
>> I also have a followup question.  Is it acceptable practice to make a
>> paper backup of your private key by exporting it in ascii armored mode
>> and printing it onto some paper?  (with a passphrase applied of course).
> Let me apologize in advance for being pedantic.  I understand the
> question that I think you meant to ask, but that's not quite the same as
> the question you asked.  :)
> Whether it is acceptable practice depends largely on your local security
> policy.  I can imagine some installations would disallow this, on the
> grounds that backups are the sole responsibility of system
> administration staff.

I have been a SysAdmin for years and if there is any way I could
make it so that I could exclude .gnupg folders in the home area
I may do that. OTOH, if hackers knew that and used somebody's
.gnupg folder to stash bad stuff then I want a backup but the
OpenPGP keys are really not my concern.  Whether or not the
system is hacked IS my concern.  I have learned to hate sendmail,
wonder why finger was invented, ...  I could care less about
your OpenPGP keys except for maybe restoring them in case you
get them fouled up and have no backup of your own.  I would
advise against ANYTHING on paper except noted below.  But
since they are YOUR OpenPGP keys even if you use them for
company business backing them up is YOUR responsibility, not
mine past a simple file backup. Restoring all of those Engineering
drawings and source code IS  my concern as a SysAdmin even if
you were stupid enough to type "rm -fr" without a second and
third check before you did it.

But as a sysadmin, I would frown on a paper copy of anything as
being problematical and almost useless for a massive backup
of entire systems.  Paper is also an issue from a security
standpoint as well.  Well I guess Judge Hardcastle found the
paper backups of his court cases handy when his side-kick sat
there ready to destroy all the records on the computer.

I think you people are making this too complicated.  Here is
what I do for the same keys everywhere on four different 32
bit LE operating systems.  If you have mixed 32 / 64 and / or
LE / BE, this will NOT work.  You will be doing exporting and
importing for mixed hardware architectures.  Sorry.

1. I make a backup of the ~/.gnupg folder as given below in
step 4 and put them in MY ~/tmp folder.  Alternatively you
can copy them to another folder.  Your choice.  But having
a backup of what you have makes blowing away the mess you
have and going back to what worked possible.

2. Do something about ~/.gnupg/random_seed if desired.  There
IS a security issue here.  Maybe you want to back up, create
dummy keys and export / import.  Since I use only two systems
for using the keys to create something ...  now is the time
to backup and go the export / import route.

3. Copy the files recursively from ~/.gnupg to
/win/e/gnupg for the windows side of that machine.  I always
have a FAT32 E: partition for copying files.  Those files and
folders are copied in AS IS.  I have never had problems.
Mixed 32 / 64 or BE / LE?  Start exporting and importing.  It
is the ONLY way you will get it done.  Remember you need the
trustdb unless you want to import and give trust levels again.

4. zip up a copy using 7zip's AES128 with a sufficient password
for a modicum of protection.  Just remember that the keys
are sitting on your machine with NO extra level of protection
so either physical or network access to them poses a security
risk that actually has one LESS hurdle in the way.

$ cd
$ umask 077  # my other stuff is at 022 - my login umask 077
$ 7za a -p gnupg.7z  ./.gnupg

The only part that may be on paper are the passwords used to
make the zips.  If it is a backup I would store the Flash Drive
it is on in a safe some place.  Your drawer with a "gnupg"
written on the flash drive with a Sharpie pen is NOT a safety
deposit box.  You think I am kidding.  The FBI stole the
encryption code at one place I worked at.  My encryption
source code for my platform was encrypted and stored on
media that had something like "stuff" written on them.  I
would also prefer servers that are named with Disney characters
over names that tell what the machine is used for or where it
is at as well.  Good luck on that one as a SysAdmin.  We
MUST name it sdp2 because it is in the Silicon Deposit Process
group and it is their second machine.  Sigh.  There is nothing
like spelling it all out for a hacker.

Make as many copies necessary for the machines / operating
systems you have.  Thereafter you need only the relevant files
that have been changed.  I do the updates of importing keys, et
al on only one machine that has gpg rather than gpg2.  Some day
in the future that will no longer be possible.  At least my
signfile script still works with gpg2 but none of the other
scripts work with gpg2.  Now you know why I use 7-Zip.  I can
make a backup with encryption.

5. I replace the contents of ~/.gnupg with the originals when
done.  Usually I just:

$ cd
$ umask 077
$ mv .gnupg new.gnupg
$ mv tmp/gnupg.7z .
$ 7za x gnupg.7z
$ diff -r --brief .gnupg new.gnupg
# if satisfied
$ rm -fr gnupg.7z new.gnupg

Secure?  Not very, but you're infinitely more likely to have
your entire keys (all contents of ~/.gnupg on 'nix) stolen via
physical means like the theft of Amazon's entire VUDI database
where the thieves stole entire drives. They can also be purloined
when hackers can access your machine via a network.  Once they
have that key folder all they lack is the pass-phrase.  A key
logger is useful for that. I have analyzed well over 1,000
malware in the past eight years.  Any more, most malware has
a key-logger that can be dropped on at will if it isn't already

Your major REAL WORLD security problems are:

1. Theft of the entire contents of the ~/.gnupg folder or
equivalent on Windows / Macintosh.  Don't laugh.  I have some
hackers I have dubbed "PeskySpammer" that even had Windows
machines in the RIPE and ICANN network address space (I mean
THEIR control area IP address space) that have drop-on SMTP
agents that directly sent me spam.  Hacked Sheriff web-site
via the stabs of infected PCs, etc.  Search for "PeskySpammer"
with the quotes and some of it is there. I no longer save
any of the messages or update the IP addresses where the
email comes from.  But I am still getting around 100 messages
per day from their bots up to a maximum of a thousand.  Maybe
it is time to change my hosting service.  I get EVERYTHING
sent to any user whatsoever at  It is
useful to help a neighbor without Internet that must supply
an email address but doesn't have one. There are poor people
in the world that don't have computers.  But it is a real
pain with PeskySpammer filling up the email box with garbage.

2. The learning of your pass-phrase or GULP, your keys being
used WITHOUT the pass-phrase being needed.  And on that one I
have white hairs, almost two weeks of sweating it, and one more
thing that needs to be said.  I will say that in a separate
post.  Protecting your pass-phrase is a SERIOUS ISSUE!  Nobody
is mentioning that here.
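
The check in step 5 above (compare the extracted tree with the set-aside copy before the final `rm -fr`), as an added shell example that is not part of the original post; it also confirms that extracting under `umask 077` left nothing accessible to group or other. The function names are hypothetical, the demo runs on constructed dummy files rather than real keys, and `find -perm /077` assumes GNU find.

```shell
#!/bin/sh
# Added example (not from the original post): checks a restored GnuPG
# directory against the copy it replaces before anything is deleted.
# Function and variable names are hypothetical.

# Print every entry under $1 that group or other can access.
# After extracting with umask 077 this list should be empty.
loose_perms() {
    find "$1" ! -type l -perm /077 -print
}

# Compare a restored keyring directory ($1) with a reference copy ($2).
# Returns 0 when identical and private, 1 when contents differ,
# 2 when the restored tree has group/other permission bits set,
# 3 when either directory is missing.
check_restored_keyring() {
    restored=$1
    reference=$2
    [ -d "$restored" ] && [ -d "$reference" ] || return 3
    if ! diff -r -q "$restored" "$reference" >/dev/null 2>&1; then
        return 1
    fi
    if [ -n "$(loose_perms "$restored")" ]; then
        return 2
    fi
    return 0
}

# Constructed demo: dummy files stand in for a real ~/.gnupg.
# Echoes the three result codes: identical, loose permissions, differing.
demo() {
    work=$(mktemp -d) || return 1
    ( umask 077
      mkdir "$work/new.gnupg"
      printf 'dummy secret ring\n' > "$work/new.gnupg/secring.gpg"
      printf 'dummy trustdb\n'     > "$work/new.gnupg/trustdb.gpg"
      cp -R "$work/new.gnupg" "$work/.gnupg" )
    check_restored_keyring "$work/.gnupg" "$work/new.gnupg" && same=0 || same=$?
    chmod 644 "$work/.gnupg/secring.gpg"
    check_restored_keyring "$work/.gnupg" "$work/new.gnupg" && loose=0 || loose=$?
    printf 'tampered\n' > "$work/.gnupg/trustdb.gpg"
    check_restored_keyring "$work/.gnupg" "$work/new.gnupg" && differ=0 || differ=$?
    rm -rf "$work"
    echo "$same $loose $differ"
}
```

Run `check_restored_keyring ~/.gnupg ~/new.gnupg` after the `7za x` step and delete the archive and the set-aside copy only on a zero exit status.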


More information about the Gnupg-users mailing list