Privacy is an increasingly hot topic. On Linux, the gpg command lets users encrypt files using public-key cryptography, in which case losing your encryption keys would be catastrophic. Here’s how to back them up.
OpenPGP and GNU Privacy Guard
One of the advantages of electronic files over paper hard copies is you can encrypt electronic files so that they are only accessible by authorized people. If they fall into the wrong hands, it doesn’t matter. Only you and the intended recipient can access the contents of the files.
The OpenPGP standard describes a system of encryption called public-key encryption. The GNU Privacy Guard implementation of that standard resulted in gpg, a command-line tool for encrypting and decrypting in accordance with the standard.
The standard outlines a public-key encryption scheme. Although it is called “public-key”, there are two keys involved. Each person has a public key and a private key. Private keys, as the name suggests, are never revealed nor transmitted to anyone else. Public keys can be safely shared. In fact, public keys must be shared for the scheme to work.
When a file is encrypted, the sender’s private key and the recipient’s public key are used in the encoding process. The file can then be delivered to the recipient. They use their private key and the sender’s public key to decrypt the file.
Public and private keys are generated as a matched pair and tied to a particular identity. Even if you don’t transmit sensitive material to other people, you may use them on your own computer to add an extra layer of protection to private documents.
The encryption uses world-class algorithms and cryptographic functions. Without the appropriate public and private keys, you simply can’t get into encrypted files. And, should you lose your keys, that goes for you too. Generating new keys won’t help. To decrypt your files you need the keys that were used in the encryption process.
Needless to say, backing up your keys is of paramount importance, as is knowing how to restore them. Here’s how to accomplish these tasks.
The .gnupg Directory
Your keys are stored in a directory called “.gnupg” in your home directory. This directory will also store the public keys of anyone that has sent encrypted files to you. When you import their public keys, they are added to an indexed database file in that directory.
Nothing in this directory is stored in plain text, of course. When you generate your GPG keys you’re prompted for a passphrase. Hopefully, you’ve remembered what that passphrase is. You’re going to need it. The entries in the “.gnupg” directory cannot be decrypted without it.
If we use the tree utility to look at the directory, we’ll see this structure of subdirectories and files. You’ll find tree in your distribution’s repositories if you don’t already have it on your computer.
The contents of the directory tree are:
- openpgp-revocs.d: This subdirectory contains your revocation certificate. You’ll need this if your private key ever becomes common knowledge or otherwise compromised. Your revocation certificate is used in the process of retiring your old keys and adopting new keys.
- private-keys-v1.d: This subdirectory stores your private keys.
- pubring.kbx: An encrypted file. It contains public keys, including yours, and some metadata about them.
- pubring.kbx~: This is a backup copy of “pubring.kbx.” It is updated just before changes are made to “pubring.kbx.”
- trustdb.gpg: This holds the trust relationships you have established for your own keys and for any accepted public keys belonging to other people.
You should be making regular, frequent backups of your home directory anyway, including the hidden files and folders. That will back up the “.gnupg” directory as a matter of course.
But you may think that your GPG keys are important enough to warrant a periodic backup of their own, or perhaps you want to copy your keys from your desktop to your laptop so that you have them on both machines. You’re you on both machines, after all.
Determining Which Keys to Back Up
We can ask gpg to tell us which keys are in your GPG system. We’ll use the --list-secret-keys option and the --keyid-format LONG option.
gpg --list-secret-keys --keyid-format LONG
We’re told that GPG is looking inside the “/home/dave/.gnupg/pubring.kbx” file.
None of what appears on screen is your actual secret key.
- The “sec” (secret) line shows the number of bits in the encryption (4096 in this example), the key ID, the date the key was created, and “[SC].” The “S” means the key can be used for digital signatures and the “C” means it can be used for certification.
- The next line is the key fingerprint.
- The “uid” line holds the ID of the key’s owner.
- The “ssb” line shows the secret subkey, when it was created, and “E.” The “E” indicates it can be used for encryption.
If you have created multiple key pairs for use with different identities, they’ll be listed too. There’s only one key pair to back up for this user. The backup will include any public keys belonging to other people that the owner of this key has collected and decided to trust.
We can either ask gpg to back up all keys for all identities, or to back up the keys associated with a single identity. We’ll back up the public keys, the private keys, and the trust database file.
To back up the public keys, use the --export option. We’re also going to use the --export-options backup option. This ensures all GPG-specific metadata is included to allow the files to be imported correctly on another computer. We’ll specify an output file with the --output option. If we didn’t do that, the output would be sent to the terminal window.
gpg --export --export-options backup --output public.gpg
If you only wanted to back up the keys for a single identity, add the email address associated with the keys to the command line. If you can’t remember which email address it is, use the --list-secret-keys option, as described above.
gpg --export --export-options backup --output public.gpg email@example.com
To back up our private keys, we need to use the --export-secret-keys option instead of the --export option. Make sure you save this to a different file.
gpg --export-secret-keys --export-options backup --output private.gpg
Because this is your private key, you’ll need to authenticate with GPG before you can proceed.
Note that you’re not being asked for your password. What you need to enter is the passphrase you supplied when you first created your GPG keys. Good password managers let you hold information like that as secure notes. It’s a good place to store them.
If the passphrase is accepted, the export takes place.
To back up your trust relationships, we need to export the settings from your “trustdb.gpg” file. We’re sending the output to a file called “trust.gpg.” This is a text file. It can be viewed using
gpg --export-ownertrust > trust.gpg
Here are the three files we’ve created.
ls -hl *.gpg
We’ll move these over to another computer, and restore them. This will establish our identity on that machine, and allow us to use our existing GPG keys.
If you’re not moving the keys to another computer and you’re just backing them up because you want to be doubly sure they’re safe, copy them to some other media and store them safely. Even if they fall into the wrong hands, your public key is public anyway, so there’s no harm there. And without your passphrase, your private key cannot be restored. But still, keep your backups safe and private.
We’ve copied the files to a Manjaro 21 computer.
By default, Manjaro 21 uses the Z shell, zsh, which is why it looks different. But this doesn’t matter; it won’t affect anything. What we’re doing is governed by the gpg program, not the shell.
To import our public keys, we need to use the --import option.
gpg --import public.gpg
The details of the key are displayed as it is imported. The “trustdb.gpg” file is also created for us. Importing the private key is just as easy. We use the --import option again.
gpg --import private.gpg
We’re prompted to enter the passphrase.
Type it into the “Passphrase” field, hit the “Tab” key, and hit “Enter.”
The details of the imported keys are displayed. In our case, we only have one key.
To import our trust database, type:
gpg --import-ownertrust trust.gpg
We can check everything has been imported properly by using the --list-secret-keys option once more.
gpg --list-secret-keys --keyid-format LONG
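The export steps (public keys, secret keys, ownertrust) and the import-and-verify steps above, run end to end as an added example. This script is not from the original article: it generates a throwaway key inside a temporary GNUPGHOME so it never touches your real “.gnupg” directory, backs that key up with the same three gpg commands the article uses, restores the files into a second temporary GNUPGHOME, and compares the secret-key fingerprints before and after. The --import-options restore flag, the passphrase-less demo key, the demo@example.invalid identity and the function names are this example’s own choices, not the article’s.

```shell
#!/bin/sh
# Added example (not from the original article): back up and restore GnuPG
# keys end to end, using a throwaway key in a temporary GNUPGHOME so the real
# ~/.gnupg is never touched. Assumes gpg 2.1 or later is on PATH.
set -eu

# Run gpg non-interactively against the keyring directory given as $1.
# The demo key has no passphrase, so an empty --passphrase suffices; a real
# key would instead prompt for its passphrase through pinentry.
g() {
    home=$1; shift
    GNUPGHOME=$home gpg --batch --pinentry-mode loopback --passphrase '' "$@"
}

# Export public keys, secret keys and ownertrust from GNUPGHOME $1 into
# directory $2: the same three commands the article uses.
backup_gpg() {
    src=$1; out=$2
    mkdir -p "$out" && chmod 700 "$out"
    g "$src" --export --export-options backup --output "$out/public.gpg"
    g "$src" --export-secret-keys --export-options backup --output "$out/private.gpg"
    g "$src" --export-ownertrust > "$out/trust.gpg"
    chmod 600 "$out"/*.gpg   # the private key file must not be readable by others
}

# Import the three backup files from directory $1 into a fresh GNUPGHOME $2.
restore_gpg() {
    bak=$1; dst=$2
    mkdir -p "$dst" && chmod 700 "$dst"
    g "$dst" --import "$bak/public.gpg"
    # "restore" is the import-side counterpart of "--export-options backup":
    # it keeps the GnuPG-specific metadata that the backup export included.
    g "$dst" --import --import-options restore "$bak/private.gpg"
    g "$dst" --import-ownertrust "$bak/trust.gpg"
}

# Print the fingerprints of all secret keys (primary and subkeys) in
# GNUPGHOME $1, one per line, sorted, using the machine-readable listing.
secret_fprs() {
    g "$1" --list-secret-keys --with-colons 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10 }' | sort
}

# Full round trip: create a throwaway key, back it up, restore it into a
# second home directory and confirm the fingerprints match. Returns 0 on
# success, non-zero otherwise.
roundtrip_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src" && chmod 700 "$work/src"
    # Throwaway identity (constructed for this demo): default algorithm,
    # default usage, never expires, no passphrase.
    g "$work/src" --quick-generate-key 'Backup Demo <demo@example.invalid>' default default never
    backup_gpg "$work/src" "$work/backup"
    restore_gpg "$work/backup" "$work/dst"
    before=$(secret_fprs "$work/src")
    after=$(secret_fprs "$work/dst")
    # Stop the agents gpg started for the temporary homes, then clean up.
    GNUPGHOME=$work/src gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME=$work/dst gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    [ -n "$before" ] && [ "$before" = "$after" ]
}

if command -v gpg >/dev/null 2>&1; then
    if roundtrip_demo; then
        echo "backup and restore round trip OK"
    else
        echo "round trip FAILED" >&2
        exit 1
    fi
else
    echo "gpg not found on PATH; nothing to demonstrate" >&2
fi
```

Run it with sh. To back up a real keyring, call backup_gpg with your own “.gnupg” directory as the source and drop the empty --passphrase from the g helper so gpg prompts for your real passphrase, exactly as the article describes; the output directory and its three files are then what you copy to the other machine.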
This gives us exactly the same output we saw on our Ubuntu computer earlier.
Protect Your Privacy
Make sure your GPG keys are safe by backing them up. If you have a computer disaster or just upgrade to a newer model, make sure you know how to transfer your keys to the new machine.