Backup GPG Keys

Exporting subkeys will delete the key locally. Backing up $GNUPGHOME before exporting lets you export the same subkey more than once. Decide for yourself whether this security practice is acceptable to you.

Danger

Ensure the machine is air-gapped (no transmission devices on) during this step.

Store on a (hardware) encrypted device.

Confirm Key State

Ensure master and subkeys are created and locally stored before exporting.

gpg --list-secret-keys

Note

  • > indicates a key is already exported to a card (ssb>).

  • sec# indicates only a stub is present (the private key lives on a different machine).

  • The master key and subkeys should be listed with no modifiers if they are properly set up for export to a hardware key.
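As an added example (not part of the original page), the following shell function applies the checks in the note above to the scriptable form of the listing, `gpg --list-secret-keys --with-colons`. In that format field 15 of a sec/ssb record carries a card serial number when the key is already on a card (shown as ssb> in the human-readable listing), a "#" when only a stub exists (sec#), and "+" or nothing when the secret key is held locally; this reading of field 15 follows GnuPG's doc/DETAILS. The three sample listings are constructed; their key IDs and the card serial number are placeholders.

```shell
#!/bin/sh
# Added example: decide whether a secret keyring is ready to back up.
# Reads `gpg --list-secret-keys --with-colons` output on stdin.
# Returns 0 when every sec/ssb record is held locally, 1 otherwise.
check_key_state() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            id = substr($5, length($5) - 7)          # short (last 8 hex) key ID
            if ($15 == "#") {
                printf "%s %s: stub only, secret key is elsewhere (sec#)\n", $1, id
                bad = 1
            } else if ($15 != "" && $15 != "+") {
                printf "%s %s: already on card, serial %s (ssb>)\n", $1, id, $15
                bad = 1
            } else {
                printf "%s %s: held locally, ready to export\n", $1, id
            }
        }
        END { exit bad }                              # unset bad == 0
    '
}

# Constructed sample listings (placeholder key IDs, creation time and serial).
# Case 1: master key plus sign/encrypt/auth subkeys, all held locally.
SAMPLE_LOCAL='sec:u:4096:1:0123456789ABCDEF:1500000000:::u:::scESCA:::+:::23::0:
fpr:::::::::00112233445566778899AABBCCDDEEFF01234567:
uid:u::::1500000000::0123456789ABCDEF0123456789ABCDEF01234567::Example User <user@example.org>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1500000000::::::s:::+:::23:
ssb:u:4096:1:1122334455667788:1500000000::::::e:::+:::23:
ssb:u:4096:1:8877665544332211:1500000000::::::a:::+:::23:'

# Case 2: the same subkeys after they were moved to a card (field 15 = serial).
SAMPLE_ONCARD='sec:u:4096:1:0123456789ABCDEF:1500000000:::u:::scESCA:::+:::23::0:
ssb:u:4096:1:FEDCBA9876543210:1500000000::::::s:::D2760001240102010006000000000000:::23:
ssb:u:4096:1:1122334455667788:1500000000::::::e:::D2760001240102010006000000000000:::23:
ssb:u:4096:1:8877665544332211:1500000000::::::a:::D2760001240102010006000000000000:::23:'

# Case 3: master key is only a stub on this machine (sec#).
SAMPLE_STUB='sec:u:4096:1:0123456789ABCDEF:1500000000:::u:::scESCA:::#:::23::0:
ssb:u:4096:1:FEDCBA9876543210:1500000000::::::s:::+:::23:'

echo "== all keys local =="
printf '%s\n' "$SAMPLE_LOCAL"  | check_key_state && echo "OK: safe to export"
echo "== subkeys already on card =="
printf '%s\n' "$SAMPLE_ONCARD" | check_key_state || echo "STOP: nothing left to export"
echo "== master key is a stub =="
printf '%s\n' "$SAMPLE_STUB"   | check_key_state || echo "STOP: back up from the machine holding the master key"
```

On a real machine replace the sample with `gpg --list-secret-keys --with-colons "$KEYID" | check_key_state` and only continue to the export step when it returns 0.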

Export GPG Keys

The master key and subkeys are encrypted with your passphrase when exported.

Export the master key, subkeys and public key.
gpg --armor --export-secret-keys $KEYID > $GPGBACKUP/private/$KEYID.master.asc
gpg --armor --export-secret-subkeys $KEYID > $GPGBACKUP/private/$KEYID.subkeys.asc
gpg --armor --export $KEYID > $GPGBACKUP/public/$KEYID.asc
cp $GNUPGHOME/openpgp-revocs.d/* $GPGBACKUP/private

Note

The exported public key may be uploaded to keybase.io, or imported manually into other GPG clients if you do not want to use keyservers.

Export SSH RSA public key.
gpg --export-ssh-key $KEYID > $GPGBACKUP/public/$KEYID.ssh.pub

Note

The comment field of the SSH RSA public key is the authentication subkey's short key ID (openpgp:0xXXXXXXXX).

See SSH Configuration for importing keys.

Back up the GNUPG state for multiple Yubikey initializations.
sudo cp -avi $GNUPGHOME $GPGBACKUP
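As an added example (not part of the original page), the export commands of this section wrapped in one function with the checks a practitioner would want before trusting the backup: a restrictive umask so every file is owner-only, a refusal to run without KEYID and a backup directory, and a check that no export file came out empty (which is what gpg produces for a wrong KEYID or a missing secret key). It assumes the page's KEYID, GNUPGHOME and GPGBACKUP variables; the function name and the $GPGBACKUP/private, /public and /gnupghome layout are this example's own choices, and it copies $GNUPGHOME as the current user rather than with sudo.

```shell
#!/bin/sh
# Added example: export master key, subkeys, public key, SSH key, revocation
# certificates and the full GnuPG state into one owner-only backup tree.
# The body is a subshell "( ... )" so the umask change does not leak out.
backup_gpg_keys() (
    keyid=$1
    backup=$2
    gnupghome=${3:-${GNUPGHOME:-$HOME/.gnupg}}
    if [ -z "$keyid" ] || [ -z "$backup" ] || [ ! -d "$gnupghome" ]; then
        echo "usage: backup_gpg_keys KEYID BACKUPDIR [GNUPGHOME]" >&2
        exit 2
    fi
    umask 077                                   # everything created is owner-only
    mkdir -p "$backup/private" "$backup/public" || exit 1

    # Secret material: passphrase-protected by gpg, still kept under private/.
    gpg --armor --export-secret-keys    "$keyid" > "$backup/private/$keyid.master.asc"  || exit 1
    gpg --armor --export-secret-subkeys "$keyid" > "$backup/private/$keyid.subkeys.asc" || exit 1
    # Public material for keyservers, keybase.io, other clients and SSH.
    gpg --armor --export                "$keyid" > "$backup/public/$keyid.asc"          || exit 1
    gpg --export-ssh-key                "$keyid" > "$backup/public/$keyid.ssh.pub"      || exit 1
    # Revocation certificates that gpg generated at key creation.
    cp -p "$gnupghome"/openpgp-revocs.d/*.rev "$backup/private/" 2>/dev/null \
        || echo "warning: no revocation certificate in $gnupghome/openpgp-revocs.d" >&2
    # Full GnuPG state, so the same subkeys can be loaded onto more than one YubiKey.
    cp -pR "$gnupghome" "$backup/gnupghome" || exit 1

    # An empty export must not pass silently.
    for f in "$backup/private/$keyid.master.asc" "$backup/private/$keyid.subkeys.asc" \
             "$backup/public/$keyid.asc" "$backup/public/$keyid.ssh.pub"; do
        [ -s "$f" ] || { echo "error: empty export $f" >&2; exit 1; }
    done
    chmod 700 "$backup"
    echo "backup written to $backup"
)

# Run only when the page's variables are set, so sourcing this file is harmless.
if [ -n "$KEYID" ] && [ -n "$GPGBACKUP" ]; then
    backup_gpg_keys "$KEYID" "$GPGBACKUP" "$GNUPGHOME"
else
    echo "set KEYID and GPGBACKUP (and GNUPGHOME) before running" >&2
fi
```

Run it with the page's variables exported (`KEYID=... GPGBACKUP=/path/on/encrypted/device sh backup.sh`); a non-zero exit means one of the exports did not happen and the backup should not be trusted.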

Publish Public Key

Export the public key to public keyservers for GPG encrypt/decrypt/signing. Without publishing you can still use SSH.

Danger

Network is required for this step. Disable network immediately afterwards.

Export public key to SKS keyservers.
gpg --keyserver hkp://pgp.mit.edu --send-key $KEYID

Note

  • This will export to the major keyservers. They are all synchronized, so a single server is enough.

  • Also consider exporting public key to https://keybase.io.

  • The default gpg keyserver is hkps://hkps.pool.sks-keyservers.net.