Batmen.cc


Backup and Restore GPG Key


GPG, or GNU Privacy Guard, is a free and open-source implementation of the OpenPGP standard, which is used for encrypting and decrypting data, as well as for creating and verifying digital signatures. For most developer users, GPG will be the best choice for signing commits.

Backing up these keys ensures you don't lose access to encrypted data or the ability to verify your identity. Restoring keys allows you to continue these operations on new devices or after data loss.

Below, I have written a simple guide on the process of backing up GPG keys and then restoring them.

Backup GPG Keys

1. List your GPG keys

First, you need to identify the keys you want to back up. Use the following command to list your secret keys:

batmen@gotham ~$ gpg --list-secret-keys --keyid-format LONG
/Users/batmen/.gnupg/pubring.kbx
--------------------------------
sec   ed25519/1162B329A1A0CCCB 2023-07-31 [SC] [expires: 2026-12-19]
      E7CD2703FD94D1CE1974EF181996B329A1A0CCCP
uid                 [ultimate] batmen237 <batmen@batmen.cc>
ssb   cv25519/E63B21FU2703961F 2023-07-31 [E] [expires: 2026-07-30]

2. Export the secret key

To export a secret key, use the following command. Replace batmen@batmen.cc with the uid or email of the key you want to export:

batmen@gotham ~$ gpg --export-options backup --export-secret-keys -o secret.gpg batmen@batmen.cc

This will back up your secret key into a file called secret.gpg.
Note: You may be prompted to enter the key's passphrase. Make sure to store the exported keys in a secure location, such as an encrypted USB drive, and never on a cloud storage service.
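
A check to run on the backup file before relying on it, as an added example that is not part of the original post: it lists what secret.gpg contains without importing anything and confirms the file holds the secret key with the expected fingerprint (a public-only export is the usual mistake). The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a secret-key backup file before relying on it.

# Print primary-key fingerprints from `gpg --with-colons` output on stdin.
# A "fpr" record describes the sec/pub/ssb/sub record just before it, so only
# the fpr that follows a sec or pub record is a primary-key fingerprint.
primary_fprs() {
    awk -F: '
        $1 == "sec" || $1 == "pub" { primary = 1; next }
        $1 == "ssb" || $1 == "sub" { primary = 0; next }
        $1 == "fpr" && primary     { print $10; primary = 0 }
    '
}

# Read a colon listing on stdin and compare it with expected fingerprint $1.
# Returns 0 = secret key with that fingerprint, 3 = no secret key in the
# listing (public-only export, or unreadable file), 4 = a different key.
check_listing() {
    listing=$(cat)
    printf '%s\n' "$listing" | grep -q '^sec:' || return 3
    printf '%s\n' "$listing" | primary_fprs | grep -qxF "$1" || return 4
}

# List what backup file $1 contains and check it against fingerprint $2.
# The show-only import option prints the keys and imports nothing.
verify_backup() {
    gpg --batch --with-colons --import-options show-only --import "$1" \
        2>/dev/null | check_listing "$2"
}

# Constructed sample of a colon listing (records trimmed, values made up).
sample_listing() {
    cat <<'EOF'
sec:u:255:22:0123456789ABCDEF:1690761600:::u:::scESC:
fpr:::::::::1111222233334444555566660123456789ABCDEF:
uid:u::::1690761600::::Example User <user@example.org>:
ssb:u:255:18:FEDCBA9876543210:1690761600::::::e:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFFFEDCBA9876543210:
EOF
}

# Demo on the sample; on a real file: verify_backup secret.gpg <fingerprint>
sample_listing | primary_fprs
```

The fingerprint to pass is the 40-character line printed under the sec entry in the listing from step 1.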

Restore GPG Keys

1. Import the secret key

To import a secret key, use the following command:

batmen@gotham ~$ gpg --import-options restore --import secret.gpg
gpg: key 1996B329A1A0CCCP: "batmen237 <batmen@batmen.cc>" not changed
gpg: key 1996B329A1A0CCCP: secret key imported
gpg: Total number processed: 1
gpg:                         imported: 1
gpg:             secret keys read: 1
gpg:      secret keys imported: 1

Note: You may be prompted to enter the key's passphrase.

This imports the key from the file secret.gpg in the current directory. The --import-options restore option tells GnuPG to fully restore the key with all necessary data. This saves you from having to manually set the trust value for the key later.

2. Edit the freshly imported key

batmen@gotham ~$ gpg --edit-key batmen@batmen.cc
gpg (GnuPG) 2.4.5; Copyright (C) 2024 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  ed25519/1996B329A1A0CCCP
     created: 2023-07-31  expires: 2026-12-19  usage: SC  
     trust: ultimate      validity: ultimate
ssb  cv25519/E63B21FU2703961F
     created: 2023-07-31  expires: 2026-07-30  usage: E   
[ultimate] (1). batmen237 <batmen@batmen.cc>

gpg>

3. Enter trust to modify the trust value of the key

gpg> trust
sec  ed25519/1996B329A1A0CCCP
     created: 2020-11-13  expires: never       usage: SC
     trust: unknown       validity: unknown
ssb  cv25519/E63B21FU2703961F
     created: 2023-07-31  expires: 2026-07-30  usage: E   
[ultimate] (1). batmen237 <batmen@batmen.cc>

4. Type 5 to trust your keys completely

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5

5. Confirm your choice by entering Y

Do you really want to set this key to ultimate trust? (y/N) y

6. Use the command quit to exit

gpg> quit

You should now be able to back up and restore your private GPG keys.

Thanks to https://www.jwillikers.com/backup-and-restore-a-gpg-key for the inspiration.
