Backup of GPG private keys?

Steffen Nurpmeso steffen at sdaoden.eu
Wed Jan 26 21:45:03 CET 2022


Werner Koch via Gnupg-users wrote in
 <87mtjiil6k.fsf at wheatstone.g10code.de>:
 |On Wed, 26 Jan 2022 08:15, Mogens Jensen said:
 |> As of GnuPG (LTS) version 2.2.33, what is the recommended way to backup
 |> your GPG private keys on a Linux system?
 |
 |For just the private keys you can tar up the private-keys-v1.d
 |directory, encrypt it with gpg (you might want to use a password (-c)
 |then).  But such a backup has no public keys and they can't be
 |re-generated from the backed-up private keys.  However, the other data
 |below ~/.gnupg is not highly sensitive and can be part of the regular
 |backup.
 |
 |> 1. Backing up the entire ~/.gnupg directory?
 |
 |That is of course a working option but recall that the data has the
 |private keys and you should encrypt it.
 |
 |> 2. Exporting only the keys?
 |>
 |>   $ gpg --armor --export-secret-keys >gpg-key-backup.asc
 |
 |That is possible, but, frankly, the OpenPGP format for encrypted private
 |keys is not as strong as it should be - thus you better add an
 |additional encryption layer.  The actual problem here is that you need
 |to provide the passphrase for each key.

And there is this neat trick with the removed private master key,
in a file headlined "subkey howto" somewhere on a Debian server.

This is how I do it; I even use three different PGP home
directories: ~/sic/.pgp on an always-unmounted encfs volume, which
holds the private master key, and ~/sec.arena/pgp{,-nosecrets}.git
on an encfs volume that is mounted as long as the laptop lid is up
(all residing on a LUKS partition):

  #@ ~/.gnupg/gpg.conf a.k.a ~/sec.arena/pgp.git/gpg.conf
  #@ For GPG v1.
  #@ This contains a secring with a mutilated private key, which can be used
  #@ for creating signatures, but which cannot be exported or whatever.
  #@ It also has a different password than the true and full private key.


  #@ ~/sec.arena/pgp-nosecrets.git/gpg.conf
  #@ For GPG v1.
  #@ No secring at all, only the public key for encryption, e.g.:
  #@      gpg --homedir="${HOME}/sec.arena/pgp-nosecrets.git" < IN > OUT

I always write that so verbosely because I have no idea about all
this, and since it is so far off my "normal life" I tend to forget
what this is all about very soon; "ewig und drei Tage" ("everlasting
and three days") was a common idiom of my Grandma.

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
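
The two techniques in this message, as an added shell example that is not
code from Werner, Steffen or the GnuPG project. It does Werner's backup
(tar private-keys-v1.d, encrypt the archive with gpg -c, and export the
public keys and ownertrust next to it, since the secret-key directory on
its own cannot regenerate the public keys), restores it into a fresh
GNUPGHOME, and then builds the "removed private master key" working copy
Steffen refers to in gpg 2.1+ terms: there each secret key is a single
file private-keys-v1.d/<keygrip>.key, so deleting the primary's file leaves
a home that signs with its subkey but lists the primary as "sec#" (Steffen's
own setup is the GnuPG v1 secring variant). Everything runs in throwaway
GNUPGHOMEs under mktemp; the user ID, the empty key passphrase and the
backup passphrase are constructed for the demo, and gpg 2.1 or newer is
assumed.

```sh
#!/bin/sh
# Added example, not code from the thread. It exercises two things from the
# message, in GnuPG 2.1+ terms (the version whose homedir has private-keys-v1.d):
#   1. Werner's backup: tar private-keys-v1.d and encrypt the archive with
#      gpg -c, exporting the public keys (and ownertrust) next to it because
#      the secret-key directory alone cannot regenerate them.
#   2. Steffen's "removed private master key" working copy: in gpg >= 2.1 each
#      secret key is one file, private-keys-v1.d/<keygrip>.key, so deleting
#      the primary's file leaves a home that signs with its subkey but lists
#      the primary as "sec#" and has no master key to export.
# Everything runs in throwaway GNUPGHOMEs under mktemp; the identity and the
# passphrases are constructed for the demo.
set -eu

# Non-interactive gpg: --batch plus loopback pinentry, so the empty key
# passphrase and the backup passphrase never go through a pinentry window.
GPG="gpg --batch --yes --pinentry-mode loopback"

# backup_keys SRC_HOME OUT_DIR PASSPHRASE
backup_keys() {
    src=$1; out=$2; pass=$3
    mkdir -p "$out"
    # Public halves and ownertrust are not secret; plain files are fine.
    GNUPGHOME=$src gpg --batch --export --armor > "$out/public-keys.asc"
    GNUPGHOME=$src gpg --batch --export-ownertrust > "$out/ownertrust.txt"
    # Secret halves: archive the directory, then encrypt the archive with a
    # passphrase. The keys inside keep their own protection, so unlike
    # --export-secret-keys nothing has to be unlocked per key here.
    tar -C "$src" -cf - private-keys-v1.d |
        GNUPGHOME=$src $GPG --passphrase "$pass" --symmetric \
            --cipher-algo AES256 --output "$out/private-keys-v1.d.tar.gpg"
}

# restore_keys DST_HOME BACKUP_DIR PASSPHRASE
restore_keys() {
    dst=$1; in=$2; pass=$3
    mkdir -p -m 700 "$dst"
    GNUPGHOME=$dst $GPG --import "$in/public-keys.asc"
    GNUPGHOME=$dst gpg --batch --import-ownertrust "$in/ownertrust.txt"
    GNUPGHOME=$dst $GPG --passphrase "$pass" \
        --decrypt "$in/private-keys-v1.d.tar.gpg" | tar -C "$dst" -xf -
}

# secret_fprs HOME: fingerprints of every secret key and subkey, sorted.
secret_fprs() {
    GNUPGHOME=$1 gpg --batch --list-secret-keys --with-colons 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10 }' | sort
}

# strip_primary HOME: delete the primary's secret-key file, keep the subkeys.
strip_primary() {
    grip=$(GNUPGHOME=$1 gpg --batch --list-secret-keys --with-colons --with-keygrip |
        awk -F: '$1 == "sec" { want = 1 } want && $1 == "grp" { print $10; exit }')
    rm "$1/private-keys-v1.d/$grip.key"
}

# primary_stub HOME: prints "#" when the primary secret key is only a stub.
primary_stub() {
    GNUPGHOME=$1 gpg --batch --list-secret-keys --with-colons 2>/dev/null |
        awk -F: '$1 == "sec" { print $15; exit }'
}

# roundtrip_demo: create a key with a signing subkey, back it up, restore it
# into a fresh home and compare fingerprints, then strip the primary from the
# restored home and show it still signs. Returns 0 only if every check passes.
roundtrip_demo() {
    work=$(mktemp -d); src=$work/src; dst=$work/restore; bak=$work/backup
    pass='correct horse battery staple'   # constructed backup passphrase
    mkdir -m 700 "$src"
    GNUPGHOME=$src $GPG --passphrase '' --quick-gen-key \
        'Backup Demo <backup-demo@example.invalid>' default default never
    primary=$(GNUPGHOME=$src gpg --batch --list-secret-keys --with-colons |
        awk -F: '$1 == "fpr" { print $10; exit }')
    GNUPGHOME=$src $GPG --passphrase '' --quick-add-key "$primary" default sign never
    backup_keys "$src" "$bak" "$pass"
    restore_keys "$dst" "$bak" "$pass"
    before=$(secret_fprs "$src"); after=$(secret_fprs "$dst")
    [ -n "$before" ] && [ "$before" = "$after" ] || return 1
    strip_primary "$dst"
    [ "$(primary_stub "$dst")" = '#' ] || return 1
    printf 'hello\n' > "$work/msg"
    GNUPGHOME=$dst $GPG --detach-sign --output "$work/msg.sig" "$work/msg" || return 1
    GNUPGHOME=$dst gpg --batch --verify "$work/msg.sig" "$work/msg" 2>/dev/null || return 1
    GNUPGHOME=$src gpgconf --kill gpg-agent || true   # stop agents before rm
    GNUPGHOME=$dst gpgconf --kill gpg-agent || true
    rm -rf "$work"
}

roundtrip_demo && echo 'backup round-trip OK; master-less copy still signs'
```

Run it as a plain script; it needs only gpg, tar and awk. The backup passphrase
given to -c is deliberately separate from whatever passphrase the keys
themselves carry, which is the extra layer Werner asks for; and the stripped
home is the middle of Steffen's three: it can sign, but nothing that matters
can be exported from it, while a home with no private-keys-v1.d at all (his
pgp-nosecrets) can still encrypt to the imported public keys.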