Privacy is an increasingly hot topic. On Linux, gpg lets users encrypt files using public key cryptography, and losing the encryption keys would be catastrophic. Here’s how to back them up.
OpenPGP and GNU Privacy Guard
One of the advantages of electronic files over paper hard copies is that you can encrypt electronic files so that only authorized people can access them. It doesn’t matter if they fall into the wrong hands. Only you and the intended recipient can access the files’ contents.
The OpenPGP standard describes an encryption system called public key encryption. The GNU Privacy Guard implementation of this standard produced gpg, a command-line tool for standard-compliant encryption and decryption.
The standard describes a public key encryption scheme. Even though it’s called a “public key,” it’s actually two keys. Each person has a public key and a private key. Private keys, as the name suggests, are never revealed or given to anyone else. Public keys can be shared safely. In fact, public keys must be shared for the scheme to work.
When a file is encrypted, the sender’s private key and the recipient’s public key are used in the encryption process. The file can then be delivered to the recipient. They use their private key and the sender’s public key to decrypt the file.
Public and private keys are generated as a matched pair and are associated with a specific identity. Even if you don’t transmit sensitive materials to other people, you can use them on your computer to add another layer of protection to private documents.
Encryption uses first-class algorithms and cryptographic functions. Without the appropriate public and private keys, you simply cannot get into the encrypted files. And if you lose your keys, that applies to you too. Generating new keys will not help. To decrypt the files, you need the keys that were used in the encryption process.
Needless to say, backing up your keys is paramount, as is knowing how to restore them. Here’s how to complete these tasks.
The .gnupg directory
Your keys are stored in a directory called “.gnupg” in your home directory. This directory will also store the public keys of everyone who sent you encrypted files. When you import their public keys, they are added to the indexed database file in this directory.
Of course, nothing in this directory is stored as plain text. When you generate your GPG keys, you will be prompted for a passphrase. Hopefully you remember what that passphrase is. You will need it. Without it, the entries in the “.gnupg” directory cannot be decrypted.
If we use the tree utility to look at the directory, we will see this structure of subdirectories and files. You will find tree in your distribution’s repositories if you don’t already have it on your computer.
The contents of the directory tree are:
- openpgp-revocs.d: This subdirectory contains your revocation certificate. You will need this if your private key becomes public or otherwise compromised. Your revocation certificate is used in the process of discarding your old keys and accepting new keys.
- private-keys-v1.d: This subdirectory stores your private keys.
- pubring.kbx: Encrypted file. It contains public keys, including yours, and some metadata about them.
- pubring.kbx~: This is a backup copy of “pubring.kbx”. It is updated just before changes are made to “pubring.kbx”.
- trustdb.gpg: This contains the trust relationships you’ve established for your own keys and for any received public keys belonging to other people.
You should also regularly and frequently back up your home directory, including hidden files and folders. This of course backs up the “.gnupg” directory.
However, you may think that your GPG keys are important enough to warrant a regular backup of their own, or you may want to copy the keys from your computer to your laptop so that you have them on both computers. After all, you are you on both machines.
Determine which keys to back up
We can ask gpg to tell us which keys are in your GPG system. We will use the --list-secret-keys and --keyid-format LONG options.
gpg --list-secret-keys --keyid-format LONG
The output tells us that GPG is looking at the file “/home/dave/.gnupg/pubring.kbx”.
Nothing that appears on the screen is your actual secret key.
- The “sec” (secret) line shows the number of bits in the key (4096 in this example), the key ID, the date the key was created, and the key’s capabilities, “[SC].” “S” means the key can be used for digital signatures and “C” means it can be used for certification.
- The next line is the key fingerprint.
- The “uid” line contains the ID of the owner of the key.
- The “ssb” line shows the secret subkey, when it was created, and “[E]”. The letter “E” means that it can be used for encryption.
If you have created multiple key pairs for use with different identities, they will also be listed. There is only one key pair for this user to back up. The backup will also include all the public keys belonging to other people that the owner of that key has collected and decided to trust.
We can either ask gpg to back up all keys for all identities, or to back up only the keys associated with a single identity. We back up the public keys, the private keys, and the trust database file.
To back up public keys, use the --export option. We will also use the --export-options backup option. This ensures that all GPG-specific metadata is included so that the files can be imported correctly on another computer.
We name the output file with the --output option. If we didn’t, the output would be sent to the terminal window.
gpg --export --export-options backup --output public.gpg
If you only want to back up the keys for one identity, add the email address associated with the keys to the command line. If you don’t remember which email address it is, use the --list-secret-keys option as described above.
gpg --export --export-options backup --output public.gpg [email protected]
To back up our private keys, we need to use the --export-secret-keys option instead of the --export option. Make sure you save it to a different file.
gpg --export-secret-keys --export-options backup --output private.gpg
Since this is your private key, you will need to authenticate with GPG before proceeding.
Note that it is not your login password that is required. What you need to enter is the passphrase that you provided when you first created the GPG keys. Good password managers allow you to keep such information as secure notes. That’s a good place to store it.
If the passphrase is accepted, the export will take place.
To back up your trust settings, we need to export them from your “trustdb.gpg” file. We send the output to a file named “trust.gpg”. This is a text file. It can be displayed using
gpg --export-ownertrust > trust.gpg
Here are the three files we created.
ls -hl *.gpg
We’ll move them to another computer and restore them there. This will create our identity on that machine and allow us to use our existing GPG keys.
If you’re not moving your keys to another computer and just backing them up because you want to be doubly sure they’re safe, copy them to some other medium and store them safely. Even if they fall into the wrong hands, your public key is still public, so no harm there. And without your passphrase, your private key cannot be recovered. Still, keep your backups safe and private.
We copied the files to the Manjaro 21 machine.
Manjaro 21 uses the Z shell, zsh, by default, which is why the prompt looks different. That doesn’t matter; it won’t affect anything. What we do is governed by the gpg program, not the shell.
To import our keys we need to use the --import option:
gpg --import public.gpg
Details of the key are displayed as it is imported. A “trustdb.gpg” file is also created for us. Importing your private key is just as easy. We use the --import option again.
gpg --import private.gpg
We are prompted to enter a passphrase.
Enter it in the “Password” field, press the “Tab” key and press “Enter”.
The details of the imported keys will be displayed. In our case, we only have one key.
To import our trust database, enter:
gpg --import-ownertrust trust.gpg
We can check that everything was imported correctly by using the --list-secret-keys option once more.
gpg --list-secret-keys --keyid-format LONG
This gives us exactly the same output we saw earlier on our Ubuntu machine.
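The backup and restore steps above, collected into two shell functions with a self-contained round-trip check, as an added example that is not the article’s own code. The function names, the GPG_OPTS variable and the throwaway demo identity are assumptions; it also adds --import-options restore, the documented counterpart of --export-options backup, which the article does not mention, and needs GnuPG 2.1 or later.

```shell
#!/bin/sh
# Added example, not the article's own code: the backup and restore commands
# above as two functions plus a self-contained round-trip check. Function
# names, GPG_OPTS and the throwaway demo identity are assumptions.
set -eu
# Normally empty, so gpg-agent's pinentry asks for the key passphrase. The demo
# sets it to feed an empty passphrase from stdin so nothing is interactive.
GPG_OPTS=${GPG_OPTS:-}

# gpg_backup DIR [USER-ID]: write public.gpg, private.gpg and trust.gpg into
# DIR. A user id (e.g. an email address) limits the export to one identity.
gpg_backup() {
    dir=$1; uid=${2:-}
    mkdir -p "$dir"
    gpg $GPG_OPTS --yes --export --export-options backup \
        --output "$dir/public.gpg" ${uid:+"$uid"}
    # This step needs the key passphrase (not your login password).
    gpg $GPG_OPTS --yes --export-secret-keys --export-options backup \
        --output "$dir/private.gpg" ${uid:+"$uid"} </dev/null
    gpg --export-ownertrust > "$dir/trust.gpg"
}

# gpg_restore DIR: import the three files on the new machine. "--import-options
# restore" is the documented counterpart of "--export-options backup".
gpg_restore() {
    dir=$1
    gpg $GPG_OPTS --import --import-options restore "$dir/public.gpg"
    gpg $GPG_OPTS --import --import-options restore "$dir/private.gpg" </dev/null
    gpg --import-ownertrust "$dir/trust.gpg"
}

# demo_roundtrip: make a passphrase-less throwaway key in a temporary GNUPGHOME,
# back it up, restore it into a second one and print how many secret keys that
# home holds afterwards (expected: 1). Runs in a subshell so nothing leaks.
demo_roundtrip() (
    work=$(mktemp -d)
    mkdir -p "$work/src" "$work/dst"; chmod 700 "$work/src" "$work/dst"
    GPG_OPTS="--batch --quiet --pinentry-mode loopback --passphrase-fd 0"
    export GNUPGHOME="$work/src"
    gpg $GPG_OPTS --quick-generate-key "Backup Demo <demo@example.invalid>" \
        default default never </dev/null
    gpg_backup "$work/backup" >/dev/null
    gpgconf --kill all || true
    export GNUPGHOME="$work/dst"
    gpg_restore "$work/backup" >/dev/null
    n=$(gpg --batch --with-colons --list-secret-keys | grep -c '^sec:')
    gpgconf --kill all || true
    rm -rf "$work"
    echo "$n"
)
```

For a real key, leave GPG_OPTS empty and call gpg_backup with your own email address; the passphrase prompt comes from gpg-agent exactly as described above.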
Protect your privacy
Make sure your GPG keys are safe by backing them up. If you have a computer disaster or are just upgrading to a newer model, make sure you know how to transfer your keys to your new computer.