Some GPG tips

Backup your secret keys

You have distributed your public key and people are using it for messages to you. Perhaps you have files on your computer that are protected with encryption. You start to realise your secret key is important and you don't want to lose it, not even when your house burns down to the ground. Here is a tip to keep a backup of your key outside your house.

Export your secret keys, sign the export, and encrypt the result with a strong password:

 gpg --armor --export-secret-keys | gpg --armor --sign --symmetric --force-mdc > secretkey-backupfile

(Credits: this solution was posted to the GnuPG mailing list by Ciprian Dorin)

When you issue this command, you are prompted to type a password a few times:

  • First you are prompted to type your GnuPG password (passphrase). This is to sign the exported keys. In the future this gives you a verification that these are actually your keys and that your armoured keys are still intact.
  • Next you are prompted to type a new password with which your secret keys will be protected. Make sure you choose a strong password. This means one of sufficient length (like 20 characters or more) that is sufficiently random (no dictionary words, a mixture of upper- and lowercase characters, etc.).
  • You are prompted to repeat the last password, to protect you from typing errors.

Now send the secretkey-backupfile to a gmail account, a yahoo account or whatever.

When you need to restore your secret keys, you need a computer with GnuPG installed. You download your secretkey-backupfile and type

gpg secretkey-backupfile

You are prompted for the password you used to protect your secret keys (the one you entered twice when creating the backup). Next you are prompted for a new filename to which the unencrypted version will be written.

Next you can import this unencrypted version into a fresh gpg keyring, and your secret keys are up and running again.

Test your backup

When you have set up a backup this way, the first thing you should do is to test it. Create a new account on your computer and restore the backup in it.
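As an added example (not from this page): a POSIX shell script that runs the backup command above and then the restore test this section asks for, entirely in throwaway keyrings, so you can rehearse the restore without touching your real keyring. It assumes GnuPG 2.1 or later, generates a passphrase-less test key (so only the backup password is involved), and supplies that password with --passphrase and --pinentry-mode loopback instead of typing it at a prompt.

```shell
#!/bin/sh
# Added example: backup round-trip in throwaway keyrings. Assumptions: GnuPG 2.1+,
# a test key without passphrase (%no-protection), backup password given on the
# command line via loopback pinentry rather than typed at the prompts.
set -eu

gpg_backup_roundtrip() {
    work=$(mktemp -d)
    src="$work/src"; dst="$work/dst"
    mkdir -m 700 "$src" "$dst"
    backup_pw="constructed-backup-password-0123456789"   # constructed sample value

    # 1. Throwaway key in the "original" keyring (stands in for your real key).
    gpg --homedir "$src" --batch --quiet --gen-key 2>/dev/null <<EOF
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Name-Real: Backup Test
%commit
EOF
    fpr=$(gpg --homedir "$src" --with-colons --list-secret-keys 2>/dev/null \
          | awk -F: '$1 == "fpr" { print $10; exit }')

    # 2. The page's backup command: export secret keys, sign, wrap in a symmetric layer.
    gpg --homedir "$src" --armor --export-secret-keys 2>/dev/null \
      | gpg --homedir "$src" --batch --quiet --pinentry-mode loopback --passphrase "$backup_pw" \
            --armor --sign --symmetric --force-mdc > "$work/secretkey-backupfile"

    # 3. Restore into the EMPTY keyring. The signer is unknown there, so this first
    #    decryption cannot verify the signature (gpg warns); we only want the plaintext.
    gpg --homedir "$dst" --batch --quiet --pinentry-mode loopback --passphrase "$backup_pw" \
        --output "$work/restored.asc" --decrypt "$work/secretkey-backupfile" 2>/dev/null || true
    gpg --homedir "$dst" --batch --quiet --import "$work/restored.asc" 2>/dev/null

    # 4. With the keys restored, decrypt again and require VALIDSIG from that fingerprint:
    #    this is the "these really are my keys and they are intact" check the page describes.
    status=$(gpg --homedir "$dst" --batch --pinentry-mode loopback --passphrase "$backup_pw" \
             --status-fd 1 --output /dev/null --decrypt "$work/secretkey-backupfile" 2>/dev/null || true)
    restored_fpr=$(gpg --homedir "$dst" --with-colons --list-secret-keys 2>/dev/null \
                   | awk -F: '$1 == "fpr" { print $10; exit }')

    GNUPGHOME="$src" gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME="$dst" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"

    # Success only if the same primary fingerprint came back AND it verified the signature.
    [ -n "$fpr" ] && [ "$restored_fpr" = "$fpr" ] && echo "$status" | grep -q "VALIDSIG $fpr "
}

command -v gpg >/dev/null 2>&1 && gpg_backup_roundtrip && echo "backup round-trip OK"
```

For a real backup, the same sequence applies to your own keyring, except that the export and signature steps will prompt for your key's passphrase as the bullet list above describes.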