Back up your PGP keys with GPG

Mike Solomon

Back up your keys

To generate base64-encoded ASCII-armored backups, issue these commands:

gpg --armor --export > pgp-public-keys.asc
gpg --armor --export-secret-keys > pgp-private-keys.asc
gpg --export-ownertrust > pgp-ownertrust.asc

Done! Remember that your private key should be kept, well, private. Even with a passphrase, revealing your secret key reduces the security of your PGP key to just that passphrase.

Speaking of that, while you’re backing up your keys, you may also want to generate a revocation certificate:

First, note your key ID in the second column after the slash:

gpg --list-keys

Then, generate the certificate. You will prompted several times, but you probably want to choose “1 = Key has been compromised” as your reason:

gpg --armor --gen-revoke [your key ID] > pgp-revocation.asc

Restore your keys

gpg --import pgp-public-keys.asc
gpg --import pgp-private-keys.asc
gpg --import-ownertrust pgp-ownertrust.asc

Revoke your certificate

If your key is compromised, you can revoke your certificate in the same way:

gpg --import pgp-revocation.asc

Be sure to upload your revocation certificate to any keyservers you have uploaded your public certificate to!

Where should I back up my PGP key?

One great method is to print it as a QR code, but printing the plain text files generated above is also reasonable.

Storing it with your backups is not the best choice if encrypt your backups with the same PGP key you are trying to back up.

Uploading to a cloud service is the most convenient, but you are obviously implicitly trusting that provider with your private keys.