Tianhe Gao

GPG keys backup

https://www.howtogeek.com/816878/how-to-back-up-and-restore-gpg-keys-on-linux/
https://gock.net/blog/2020/gpg-cheat-sheet

GPG: GNU Privacy Guard

$ tree ~/.gnupg
/home/archie/.gnupg
├── common.conf
├── gpg-agent.conf
├── gpg.conf
├── openpgp-revocs.d
│   └── 5D58F91F8C34E8E26A8F96C6D56175D4B81A264C.rev
├── private-keys-v1.d
│   ├── D9E02B82115D70EFC105E43A6DA87FBAA70289FB.key
│   └── E97714F4E8DD2BE5917628DE053831FB1B116A55.key
├── public-keys.d
│   ├── pubring.db
│   └── pubring.db.lock
├── pubring.kbx
└── trustdb.gpg

4 directories, 10 files
  • openpgp-revocs.d: This subdirectory contains your revocation certificate. You'll need it if your private key is ever leaked or otherwise compromised. The revocation certificate is used in the process of retiring your old key and adopting a new one.
  • private-keys-v1.d: This subdirectory stores your private keys.
  • pubring.kbx: An encrypted file. It contains public keys, including yours, and some metadata about them.
  • pubring.kbx~: This is a backup copy of "pubring.kbx." It is updated just before changes are made to "pubring.kbx."
  • trustdb.gpg: This holds the trust relationships you have established for your own keys and for any accepted public keys belonging to other people.

Files that should be backed up

https://www.gnupg.org/documentation/manuals/gnupg/GPG-Configuration.html

  • gpg.conf
  • pubring.kbx
  • trustdb.gpg should not be copied directly; export the ownertrust instead with 'gpg --export-ownertrust > otrust.txt'
  • openpgp-revocs.d/

Determining Which Keys to Back Up

$ gpg --list-secret-keys --keyid-format LONG
[keyboxd]
---------
sec   ed25519/D56175D4B81A264C 2024-06-21 [SC] [expires: 2025-06-21]
      5D58F91F8C34E8E26A8F96C6D56175D4B81A264C
uid                 [ultimate] tianheg <i@tianheg.co>
ssb   cv25519/D8D0FDE0A5C69978 2024-06-21 [E] [expires: 2025-06-21]
  • The "sec" (secret) line shows the key algorithm (ed25519 in this example; an RSA key would show its bit length instead, such as 4096), the key ID, the date the key was created, and "[SC]." The "S" means the key can be used for digital signatures and the "C" means it can be used for certification.
  • The next line is the key fingerprint.
  • The "uid" line holds the ID of the key's owner.
  • The "ssb" line shows the secret subkey, when it was created, and "E." The "E" indicates it can be used for encryption.
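As an added example (not part of the original note), a small parser for the listing above that turns the "sec", fingerprint and "ssb" lines into a backup checklist: for each primary key it reports the long key ID, fingerprint, capabilities and subkeys, checks whether the matching revocation certificate (openpgp-revocs.d/<fingerprint>.rev) is present under a given GNUPGHOME, and flags keys that expire within a warning window. The listing and the throwaway GNUPGHOME used by demo() are constructed from the values shown on this page.

```python
import re, tempfile
from datetime import date
from pathlib import Path

# Constructed sample of `gpg --list-secret-keys --keyid-format LONG` (the listing above, not live output).
SAMPLE_LISTING = """\
[keyboxd]
---------
sec   ed25519/D56175D4B81A264C 2024-06-21 [SC] [expires: 2025-06-21]
      5D58F91F8C34E8E26A8F96C6D56175D4B81A264C
uid                 [ultimate] tianheg <i@tianheg.co>
ssb   cv25519/D8D0FDE0A5C69978 2024-06-21 [E] [expires: 2025-06-21]
"""

# sec/ssb line: algorithm/long key ID, creation date, [capabilities], optional [expires: ...].
KEY_RE = re.compile(r"^(?P<kind>sec|ssb)\s+(?P<algo>\S+)/(?P<keyid>[0-9A-F]{16})\s+(?P<created>\S+)"
                    r"\s+\[(?P<caps>[A-Z]+)\](?:\s+\[expires: (?P<expires>\d{4}-\d{2}-\d{2})\])?")

def parse_listing(text):
    """Group the listing into primary keys ("sec"), each with its fingerprint and subkeys ("ssb")."""
    keys = []
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m and m["kind"] == "sec":
            keys.append({**m.groupdict(), "fingerprint": None, "subkeys": []})
        elif m and keys:
            keys[-1]["subkeys"].append(m.groupdict())
        elif keys and re.fullmatch(r"\s+[0-9A-F]{40}", line):  # fingerprint follows the "sec" line
            keys[-1]["fingerprint"] = line.strip()
    return keys

def backup_report(text, gnupg_home, today, warn_days=30):
    """Per primary key: is its revocation cert present in openpgp-revocs.d, and does it expire soon?"""
    report = []
    for k in parse_listing(text):
        rev = Path(gnupg_home) / "openpgp-revocs.d" / f"{k['fingerprint']}.rev"
        exp = date.fromisoformat(k["expires"]) if k["expires"] else None
        report.append({
            "keyid": k["keyid"], "fingerprint": k["fingerprint"], "caps": k["caps"],
            "subkeys": [s["keyid"] for s in k["subkeys"]],
            "revocation_cert_present": rev.is_file(),
            "expires_within_warn": exp is not None and (exp - date.fromisoformat(today)).days <= warn_days,
        })
    return report

def demo():
    """Run the report against a throwaway GNUPGHOME that holds only the sample key's .rev file."""
    rev_dir = Path(tempfile.mkdtemp(prefix="gnupg-demo-")) / "openpgp-revocs.d"
    rev_dir.mkdir()
    (rev_dir / "5D58F91F8C34E8E26A8F96C6D56175D4B81A264C.rev").write_text("constructed placeholder\n")
    return backup_report(SAMPLE_LISTING, rev_dir.parent, "2025-06-01")
```

To run it against a real keyring, feed the output of `gpg --list-secret-keys --keyid-format LONG` and your own ~/.gnupg path to backup_report().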

Backing Up

public keys

$ gpg --export --export-options backup --output public.gpg
$ gpg --export --export-options backup --output public.gpg email   # export a single key (e.g. someone else's) by user ID or email

private keys

$ gpg --export-secret-keys --export-options backup --output private.gpg

Ownertrust

$ gpg --export-ownertrust > otrust.txt

Then set up the GPG keys on a new PC

$ gpg --import public.gpg
$ gpg --import private.gpg
$ gpg --import-ownertrust otrust.txt

Encrypt these files and upload them to the cloud

https://linuxconfig.org/how-to-create-compressed-encrypted-archives-with-tar-and-gpg

# directory layout to archive:
#   gnupg/otrust.txt
#   gnupg/private.gpg
#   gnupg/public.gpg
# The passphrase must come from passwd.txt, not from fd 0: stdin carries the tar stream here.
# GnuPG 2.1+ only honours --passphrase-file together with --batch and --pinentry-mode loopback.
$ tar -cvzf - gnupg | gpg -c --batch --pinentry-mode loopback --passphrase-file passwd.txt > gnupg.tar.gz.gpg

Upload the gnupg.tar.gz.gpg file to the cloud.

