Backup GPG Keys

Exporting subkeys will delete the key locally. Backing up $GNUPGHOME before exporting lets you export the same subkey more than once. Decide for yourself whether this security practice is acceptable to you.


Ensure machine is air-gapped (no transmission devices on) during this step.

Store on a (hardware) encrypted device.

Confirm Key State

Ensure master and subkeys are created and locally stored before exporting.

gpg --list-secret-keys


  • > indicates a key is exported to card already (ssb>).

  • sec# indicates that only stubs were created (the private cert is on a different machine).

  • The master and subkeys should be listed with no modifiers if properly set up to export to a key.
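The same check can be scripted instead of read by eye. The following is an added example, not part of the original page: it reads gpg's machine-readable listing, where field 15 of each sec/ssb record carries the same information as the > and # modifiers. The function names and the sample listings (placeholder key IDs and card serial) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). In gpg's colon listing, field 15
# of a sec/ssb record is "+" (secret key on disk), "#" (stub only) or a card
# serial number (key already lives on a smartcard).
# Real use: gpg --list-secret-keys --with-colons "$KEYID" | ready_to_export

# Print one "<record> <keyid> <state>" line per primary key / subkey on stdin.
key_state() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            if ($15 == "+")      state = "local"
            else if ($15 == "#") state = "stub"
            else if ($15 != "")  state = "card"
            else                 state = "unknown"
            print $1, $5, state
        }'
}

# Exit 0 only when every key is "local"; otherwise list offenders on stderr.
ready_to_export() {
    states=$(key_state)
    [ -n "$states" ] || { echo "no secret keys found" >&2; return 2; }
    if printf '%s\n' "$states" | grep -v ' local$' >&2; then
        return 1
    fi
    return 0
}

# Constructed listings (placeholder key IDs and card serial, not real keys).
sample_local() {
    cat <<'EOF'
sec:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::scESC:::+:::23::0:
fpr:::::::::000000000000000000000000AAAAAAAAAAAAAAAA:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1500000000::::::s:::+:::23:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1500000000::::::a:::+:::23:
EOF
}
sample_mixed() {
    cat <<'EOF'
sec:u:4096:1:AAAAAAAAAAAAAAAA:1500000000:::u:::scESC:::#:::23::0:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1500000000::::::s:::D2760001240102010006000000000000:::23:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1500000000::::::a:::+:::23:
EOF
}

# Demo on the constructed mixed listing: one stub, one card key, one local key.
sample_mixed | key_state
```

A non-zero exit from ready_to_export means at least one key is a stub or already on a card, so the export below would not produce a full backup.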

Export GPG Keys

Master and Subkeys will be encrypted with your passphrase when exported.

Export master, subkeys and public key.
gpg --armor --export-secret-keys "$KEYID" > "$GPGBACKUP/private/$KEYID.master.asc"
gpg --armor --export-secret-subkeys "$KEYID" > "$GPGBACKUP/private/$KEYID.subkeys.asc"
gpg --armor --export "$KEYID" > "$GPGBACKUP/public/$KEYID.asc"
cp "$GNUPGHOME"/openpgp-revocs.d/* "$GPGBACKUP/private"


The exported public key can be manually imported into other GPG clients if you do not want to use keyservers.

Export SSH RSA public key.
gpg --export-ssh-key $KEYID > $GPGBACKUP/public/$


The SSH RSA Public Key comment will use the authentication short key ID (openpgp:0xXXXXXXXX).

See SSH Configuration for importing keys.

Back up GNUPG state for multiple Yubikey initializations.

Publish Public Key

Export the public key to public keyservers for GPG encrypt/decrypt/signing. Without publishing you can still use SSH.


Network is required for this step. Disable network immediately afterwards.

Export public key to SKS keyservers.
gpg --keyserver hkp:// --send-key $KEYID


  • This will export to major keyservers. These are all synchronized, so only a single server is needed.

  • Also consider exporting public key to

  • The default gpg server is hkps://