Backup .gnupg using git

Damien Goutte-Gattat dgouttegattat at
Sun Apr 22 22:27:17 CEST 2018

On 04/21/2018 05:32 PM, Wink Saville wrote:
> Comments on the security of what I'm doing?

Can't really tell anything without knowing your adversary (is it Mossad 
or not-Mossad? [1]), but here are a few remarks.

You do not say which version of GnuPG you are using. Assuming you are 
using the latest available version on your system (which you should), 
most of the options you put in your gpg.conf and dirmngr.conf are 
useless, as they are already in the default settings (something many 
authors of those "create a perfect keypair" howtos seem to ignore).

Also, your gpg.conf contains the following:

   # Avoid information leaked
   export-options export-minimal

If the goal here is to avoid revealing who signed your key (this option 
tells GnuPG to remove all third-party signatures on your key), then this 
is completely defeated by the fact that you upload your entire public 
keyring to a world-readable Github repository!

Combined with the trust database that you *also* upload, this is a 
pretty serious information leak IMO, as anyone can learn not only who 
signed your key, but also which keys you collected over time, which keys 
you signed (even if you only signed them locally), and how much you 
trust the owners of all those keys. Are you fine with that, or didn't 
you realize the implications of uploading those files?

Finally, and as a general rule, if you are not sure of what you are 
doing, I am strongly in favour of following only these two pieces of advice:

* Use the latest GnuPG version available on your system. In particular, 
if you invoke `gpg`, make sure this is GnuPG >= 2.1 and *not* GnuPG 1.x.
* Use the default settings.
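
The two practical points above, the files under ~/.gnupg that must never reach a public repository and the GnuPG >= 2.1 requirement, as an added POSIX shell example that is not part of this message or of GnuPG itself. It assumes the standard GnuPG file names (pubring.kbx and private-keys-v1.d for 2.1+, pubring.gpg and secring.gpg for 1.x/2.0, trustdb.gpg and openpgp-revocs.d for all versions) and the first line of `gpg --version` output as inputs; the directory it audits is constructed in a temporary location, not a real keyring.

```sh
#!/bin/sh
# Added example, not from the original message or from GnuPG.
# Audits a GnuPG home directory that is about to be committed to git and
# checks the version string printed by `gpg --version`.

# Entries in ~/.gnupg that reveal secret key material or the social graph
# (who you collected, who signed you, whom you trust and how much).
# Standard GnuPG layout: pubring.kbx / private-keys-v1.d (2.1+),
# pubring.gpg / secring.gpg (1.x and 2.0), trustdb.gpg and openpgp-revocs.d.
GNUPG_SENSITIVE="pubring.kbx pubring.gpg secring.gpg trustdb.gpg private-keys-v1.d openpgp-revocs.d"

# gnupg_audit DIR: print one "LEAK <name>" line per sensitive entry found
# under DIR. Returns 0 if DIR is clean, 1 otherwise.
gnupg_audit() {
    _dir=$1
    _leaks=0
    for _name in $GNUPG_SENSITIVE; do
        if [ -e "$_dir/$_name" ]; then
            printf 'LEAK %s\n' "$_name"
            _leaks=$((_leaks + 1))
        fi
    done
    [ "$_leaks" -eq 0 ]
}

# gnupg_version_ok "FIRST LINE OF gpg --version": return 0 for GnuPG >= 2.1.
# Accepts variants such as "gpg (GnuPG) 2.2.27" and "gpg (GnuPG/MacGPG2) 2.2.17";
# anything that does not look like a gpg version line is rejected.
gnupg_version_ok() {
    _ver=$(printf '%s\n' "$1" | sed -n 's/^gpg (GnuPG[^)]*) \([0-9][0-9.]*\).*/\1/p')
    [ -n "$_ver" ] || return 1
    case $_ver in *.*) ;; *) _ver="$_ver.0" ;; esac   # bare "2" -> "2.0"
    _major=${_ver%%.*}
    _rest=${_ver#*.}
    _minor=${_rest%%.*}
    if [ "$_major" -gt 2 ]; then return 0; fi
    if [ "$_major" -eq 2 ] && [ "$_minor" -ge 1 ]; then return 0; fi
    return 1
}

# Demo on a constructed directory (empty placeholder files, not a real
# keyring): a 2.1-style layout with public keyring and trust database present.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/private-keys-v1.d"
: > "$demo_dir/pubring.kbx"
: > "$demo_dir/trustdb.gpg"
: > "$demo_dir/gpg.conf"
if gnupg_audit "$demo_dir"; then
    echo "clean: safe to commit"
else
    echo "do not commit this directory as-is (see LEAK lines above)"
fi
rm -rf "$demo_dir"

# Check whichever gpg is on PATH (missing gpg counts as a failure).
if gnupg_version_ok "$(gpg --version 2>/dev/null | head -n 1)"; then
    echo "gpg is GnuPG >= 2.1"
else
    echo "gpg missing or older than 2.1: use GnuPG 2.1+ (on some systems the binary is gpg2)"
fi
```

Run `gnupg_audit ~/.gnupg` before `git add`: a backup that passes the audit contains at most configuration files such as gpg.conf and dirmngr.conf. Note that `export-options export-minimal` only affects what `gpg --export` writes; it does nothing to pubring.kbx or trustdb.gpg on disk, which is why copying those files into a repository leaks everything the option was meant to hide.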


