Backup GPG Keys
Exporting subkeys (to a card) removes the key from the local keyring. Backing up $GNUPGHOME before exporting allows the same subkey to be exported more than once. Decide for yourself whether this security practice is acceptable to you.
Danger
Ensure the machine is air-gapped (all transmission devices off) during this step.
Store the backup on a (hardware-)encrypted device.
Confirm Key State
Ensure the master key and subkeys are created and stored locally before exporting.
gpg --list-keys
Note
A > suffix indicates a key has already been exported to a card (ssb>). sec# indicates only a stub is present (the private key is on a different machine). The master key and subkeys should be listed with no modifiers if they are properly set up for export to a hardware key.
Export GPG Keys
The master key and subkeys are encrypted with your passphrase when exported.
gpg --armor --export-secret-keys $KEYID > $GPGBACKUP/private/$KEYID.master.asc
gpg --armor --export-secret-subkeys $KEYID > $GPGBACKUP/private/$KEYID.subkeys.asc
gpg --armor --export $KEYID > $GPGBACKUP/public/$KEYID.asc
cp $GNUPGHOME/openpgp-revocs.d/* $GPGBACKUP/private
Note
The exported public key may be uploaded to keybase.io, or imported manually into other GPG clients if you do not want to use keyservers.
gpg --export-ssh-key $KEYID > $GPGBACKUP/public/$KEYID.ssh.pub
Note
The SSH RSA public key comment will use the authentication short key ID (openpgp:0xXXXXXXXX).
See SSH Configuration for importing keys.
sudo cp -avi $GNUPGHOME $GPGBACKUP
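The export steps above wrapped in a guarded script, as an added example that is not part of the original page. It assumes the $GPGBACKUP/private and $GPGBACKUP/public layout used above and checks the human-readable `gpg --list-secret-keys` output for the sec#/ssb> modifiers before exporting, so a keyring that already holds card stubs is not backed up by mistake.

```bash
#!/usr/bin/env bash
# Added example: refuse to back up a keyring that already shows card stubs,
# then run the page's export commands into $GPGBACKUP.
set -eu

# Return 0 if the listing shows only fully local keys; return 1 if any key
# is a stub (sec#, ssb#) or has already been moved to a card (ssb>).
check_key_state() {
  local listing="$1"
  if printf '%s\n' "$listing" | grep -Eq '^(sec|ssb)[#>]'; then
    return 1
  fi
  return 0
}

# Export master key, subkeys, public key, SSH public key and revocation
# certificates for $1 into the backup directory $2 (assumed layout).
backup_gpg_keys() {
  local keyid="$1" backup="$2"
  check_key_state "$(gpg --list-secret-keys "$keyid")" || {
    echo "key $keyid already has card stubs; restore \$GNUPGHOME first" >&2
    return 1
  }
  mkdir -p "$backup/private" "$backup/public"
  gpg --armor --export-secret-keys "$keyid" > "$backup/private/$keyid.master.asc"
  gpg --armor --export-secret-subkeys "$keyid" > "$backup/private/$keyid.subkeys.asc"
  gpg --armor --export "$keyid" > "$backup/public/$keyid.asc"
  gpg --export-ssh-key "$keyid" > "$backup/public/$keyid.ssh.pub"
  cp "$GNUPGHOME"/openpgp-revocs.d/* "$backup/private/"
  # A silently empty export file is a failed backup: check each one.
  for f in "$backup/private/$keyid".*.asc "$backup/public/$keyid".*; do
    [ -s "$f" ] || { echo "empty export: $f" >&2; return 1; }
  done
}
```

Call `backup_gpg_keys "$KEYID" "$GPGBACKUP"` on the air-gapped machine; the $GNUPGHOME copy with sudo from the page is still a separate step.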
Publish Public Key
Publish the public key to public keyservers so others can use it for GPG encryption, decryption and signature verification. Without publishing you can still use SSH.
Danger
Network is required for this step. Disable network immediately afterwards.
gpg --keyserver hkp://pgp.mit.edu --send-key $KEYID
Note
This exports to the major keyservers; they are all synchronized, so only a single server is needed.
Also consider exporting public key to https://keybase.io.
The default gpg keyserver is hkps://hkps.pool.sks-keyservers.net.