Backup GnuPG private key

gpg-toolkit is inspired by this article.

I’m using GNU Privacy Guard (GnuPG or GPG) in various ways, such as encrypting passwords, decrypting emails, signing git commits, and more. So it’s time to find a way to back up the GPG private key.

I asked GPT-4 for a method to keep the private key safe, and it told me to convert it to a QR code and print it on paper. That’s a good idea! I’ll start with a backup to printable text, and then move on to the QR code.

Preparation

Before backing up, you need to know your GPG key ID. Run this command:

gpg --list-keys --keyid-format long

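It lists all the public keys in your keyring. Find your own key by looking for a line of the form pub rsa2048/{YOUR KEY ID} (the rsa2048 part depends on your key's algorithm); the {YOUR KEY ID} part is your GPG key ID.

Then export both the public and private keys. The private-key.gpg file contains your secret key, so delete it once the backup is done: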

gpg --export-secret-keys {YOUR KEY ID} > private-key.gpg
gpg --export {YOUR KEY ID} > public-key.gpg

Backup to printable text

One program for this is paperkey, which transforms the GPG private key into a printable text format. Usage is straightforward:

# backup
paperkey --secret-key private-key.gpg --output printable.txt

paperkey keeps only the secret portion of the key, so you need both the public key and the printable text to restore the private key:

# restore
paperkey --pubring public-key.gpg --secrets printable.txt --output restored-private-key.gpg

Backup to QR code

The process is similar to the previous method, but it requires two more programs: qrencode to create the QR code and zbar to read it. Generally speaking, the more programs you rely on, the more friction you run into. But I just tried it for fun:

# backup
paperkey --output-type raw --secret-key private-key.gpg | base64 | qrencode -o qrcode.png

With the public key and QR code in hand, you can restore the private key:

# restore
zbarimg qrcode.png | cut -d':' -f2 | base64 --decode | paperkey --pubring public-key.gpg --output restored-private-key.gpg
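
A backup is only useful if it restores, so it is worth checking the round trip before deleting the exported private key. The script below is an added example, not part of the original article: the function name verify_paper_backup, the script name verify-backup.sh and the temporary-file layout are assumptions, while the paperkey options are the ones used above.

```shell
#!/bin/sh
# Added example, not from the article: check that a paperkey backup restores
# before relying on it. The function name and temp-file layout are assumptions;
# the file names in the usage line are the ones the article uses.

# verify_paper_backup PRIVATE PUBLIC SECRETS
#   PRIVATE  output of: gpg --export-secret-keys
#   PUBLIC   output of: gpg --export
#   SECRETS  paperkey backup (printable text, or the raw bytes from the QR code)
# Returns 0 only if SECRETS + PUBLIC rebuild the secret material in PRIVATE.
verify_paper_backup() (
    private=$1; public=$2; secrets=$3
    umask 077                          # temp files hold key material: owner-only
    work=$(mktemp -d) || exit 2

    # Restore a key from the backup, reduce both the original and the restored
    # key to paperkey's raw secret bytes, then compare them byte for byte.
    if paperkey --pubring "$public" --secrets "$secrets" \
                --output "$work/restored.gpg" &&
       paperkey --secret-key "$private" --output-type raw \
                --output "$work/original.raw" &&
       paperkey --secret-key "$work/restored.gpg" --output-type raw \
                --output "$work/restored.raw" &&
       cmp -s "$work/original.raw" "$work/restored.raw"
    then status=0
    else status=1
    fi

    rm -rf "$work"                     # never leave restored key copies behind
    exit "$status"
)

# Usage (hypothetical script name):
#   sh verify-backup.sh private-key.gpg public-key.gpg printable.txt
if [ "$#" -eq 3 ]; then
    if verify_paper_backup "$@"; then
        echo "OK: backup restores the same secret key"
    else
        echo "FAIL: backup does not restore the original key" >&2
        exit 1
    fi
fi
```

To check the QR backup the same way, save the output of the zbarimg, cut and base64 --decode steps to a file and pass that file as the third argument.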