Backup GPG Keys
Exporting subkeys will delete the key locally. Backing up before
exporting allows the same subkey to be exported more than once. Decide for
yourself whether this security practice is acceptable to you.
Ensure the machine is air-gapped (no transmission devices on) during this step.
Store on a (hardware) encrypted device.
Confirm Key State
Ensure master and subkeys are created and locally stored before exporting.
> indicates a key is exported to card already (
sec# indicates only stubs were created (a private cert on a different machine).
The master and subkeys should be listed with no modifiers if properly set up to export to a key.
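The check described above, as an added example that is not part of the original page: a shell function that reads `gpg --list-secret-keys` output and fails when any `sec`/`ssb` line carries the `#` or `>` modifier, so a backup is never taken from stubs. The listings and key IDs are constructed, and `check_key_state` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the original page): refuse to back up unless every
# secret key is stored locally. Reads `gpg --list-secret-keys` text on stdin.
# Exit status: 0 = all sec/ssb lines carry no modifier, 1 = otherwise.
check_key_state() {
    awk '
        /^(sec|ssb)/ {
            seen++
            marker = substr($1, 4, 1)   # 4th char of "sec#", "ssb>", ...
            if (marker == "#") { printf "STUB    %s\n", $0; bad++ }
            if (marker == ">") { printf "ON-CARD %s\n", $0; bad++ }
        }
        END {
            if (seen == 0) { print "no secret keys listed"; exit 1 }
            exit (bad > 0)
        }
    '
}

# Constructed sample listings; the key IDs and dates are made up.
SAMPLE_LOCAL='sec   rsa4096/0x1111111111111111 2024-01-01 [C]
uid                   [ultimate] Example User <user@example.com>
ssb   rsa4096/0x2222222222222222 2024-01-01 [S]
ssb   rsa4096/0x3333333333333333 2024-01-01 [E]
ssb   rsa4096/0x4444444444444444 2024-01-01 [A]'

SAMPLE_MOVED='sec#  rsa4096/0x1111111111111111 2024-01-01 [C]
uid                   [ultimate] Example User <user@example.com>
ssb>  rsa4096/0x2222222222222222 2024-01-01 [S]
ssb>  rsa4096/0x3333333333333333 2024-01-01 [E]
ssb   rsa4096/0x4444444444444444 2024-01-01 [A]'

# Typical use before the export commands:
#   gpg --list-secret-keys "$KEYID" | check_key_state || exit 1
printf '%s\n' "$SAMPLE_LOCAL" | check_key_state && echo "local: ok to export"
printf '%s\n' "$SAMPLE_MOVED" | check_key_state || echo "moved: do not export"
```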
Export GPG Keys
Master and Subkeys will be encrypted with your passphrase when exported.
gpg --armor --export-secret-keys $KEYID > $GPGBACKUP/private/$KEYID.master.asc
gpg --armor --export-secret-subkeys $KEYID > $GPGBACKUP/private/$KEYID.subkeys.asc
gpg --armor --export $KEYID > $GPGBACKUP/public/$KEYID.asc
cp $GNUPGHOME/openpgp-revocs.d/* $GPGBACKUP/private
The exported public key may be used in keybase.io, and manually imported into other GPG programs.
GPG Public key export can be used to manually import into other GPG clients if you do not want to use keyservers.
gpg --export-ssh-key $KEYID > $GPGBACKUP/public/$KEYID.ssh.pub
The SSH RSA public key comment will use the authentication short key ID.
See SSH Configuration for importing keys.
sudo cp -avi $GNUPGHOME $GPGBACKUP
Publish Public Key
Export the public key to public keyservers for GPG encrypt/decrypt/signing. Without publishing you can still use SSH.
Network is required for this step. Disable network immediately afterwards.
gpg --keyserver hkp://pgp.mit.edu --send-key $KEYID
This will export to major keyservers. These are all synchronized, so only a single server is needed.
Also consider exporting public key to https://keybase.io.
The default gpg server is