7.17. Backing Up a Private Key

Problem

You want to protect against losing your private key or forgetting your passphrase (and thereby losing the ability to decrypt your files).

Solution

Store your key pair in an offline, physically secure location, together with a throwaway passphrase. First change the passphrase temporarily to something you do not use for any other purpose. This will be your “throwaway” passphrase.

$ gpg --edit-key mykey_id ...
Command> passwd
               ...follow the prompts...

Then make a copy of your key pair that uses this throwaway passphrase, storing it in the file mykey.asc:

$ gpg -a -o mykey.asc --export mykey_id
$ gpg -a --export-secret-keys mykey_id >> mykey.asc

Finally, restore the original passphrase to your key on your keyring:

$ gpg --edit-key mykey_id ...
Command> passwd
               ...follow the prompts...

You now have a file called mykey.asc that contains your key pair, in which the private key is protected by the throwaway passphrase, not your real passphrase. Now, store this file in a safe place, such as a safety deposit box in a bank. Together with the key, store the passphrase, either on disk or on paper.

To guard against media deterioration or obsolescence, you can even print mykey.asc on acid-free paper and store the printout with the media. Or maybe have the key laser-engraved on a gold plate? Whatever makes you feel comfortable.
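The export and a restore check for the procedure above, as an added shell example (not from the Linux Security Cookbook). It assumes a GnuPG 2.x "gpg" on the PATH; the two interactive passphrase changes stay as in the recipe, so run export_keypair only while the throwaway passphrase is set. The function names, the scratch-keyring restore test and the use of gpgconf to stop the temporary agent are this example's own choices, not something the recipe prescribes:

```shell
#!/bin/sh
# Added example for the key-backup recipe; assumes GnuPG 2.x is installed.
set -eu

# Export the public and secret key of key_id, ASCII-armored, into one file,
# exactly as the recipe does with -a/--export and --export-secret-keys.
export_keypair() {
    key_id=$1
    out=$2
    gpg -a -o "$out" --export "$key_id"
    gpg -a --export-secret-keys "$key_id" >> "$out"
    chmod 600 "$out"
}

# Sanity-check an export file before it goes into the safe: it must contain
# exactly one public-key block and one private-key block, each properly closed.
# Returns 0 when the file looks complete, 1 otherwise (with a reason on stderr).
check_backup_file() {
    f=$1
    n_pub=$(grep -c -- '-----BEGIN PGP PUBLIC KEY BLOCK-----' "$f" || true)
    n_pub_end=$(grep -c -- '-----END PGP PUBLIC KEY BLOCK-----' "$f" || true)
    n_sec=$(grep -c -- '-----BEGIN PGP PRIVATE KEY BLOCK-----' "$f" || true)
    n_sec_end=$(grep -c -- '-----END PGP PRIVATE KEY BLOCK-----' "$f" || true)
    if [ "$n_pub" -ne 1 ] || [ "$n_pub_end" -ne 1 ]; then
        echo "backup check: expected one complete public key block in $f" >&2
        return 1
    fi
    if [ "$n_sec" -ne 1 ] || [ "$n_sec_end" -ne 1 ]; then
        echo "backup check: expected one complete private key block in $f" >&2
        return 1
    fi
    return 0
}

# Restore test: import the backup into a throwaway keyring (never the real
# one) and confirm that gpg sees a secret key for key_id there. This is the
# step that proves the backup, plus the throwaway passphrase, is actually
# usable before the media is put away.
verify_restore() {
    f=$1
    key_id=$2
    scratch=$(mktemp -d)
    chmod 700 "$scratch"
    GNUPGHOME="$scratch" gpg --batch --import "$f"
    GNUPGHOME="$scratch" gpg --batch --list-secret-keys "$key_id"
    GNUPGHOME="$scratch" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$scratch"
}

# Usage, while the throwaway passphrase is set on the key:
#   export_keypair mykey_id mykey.asc
#   check_backup_file mykey.asc && verify_restore mykey.asc mykey_id
```

The restore test deliberately uses a fresh GNUPGHOME so that importing the backup cannot disturb the keyring you are backing up; the listing at the end fails (non-zero exit) if the secret key did not come back, which is the condition you want to catch before the original passphrase is restored and the file is locked away.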

Discussion

Imagine what would happen if you forgot your passphrase or lost your secret key. All your important encrypted files would become useless ...
