
How to backup gpg keys on paper

Our GPG (Gnu Privacy Guard) private key must be reliably backed up because it contains our identity, and losing it might be disastrous. With gpg, backing up our keys and sub-keys is really easy, and the generated files may be conveniently stored on one or many devices. As a last resort, we might wish to print our keys on paper, because electronic devices like USB drives and hard drives sometimes malfunction at the worst possible moment.

This article shows how to backup gpg keys on paper-printable format with the option of creating a QR code from its contents.

Category: Requirements, Conventions or Software Version Used
System: Distribution independent system
Software: split, zbarimg, gpg, paperkey, qrencode
Conventions: # – commands must be run with root access, either directly as the root user or through the sudo command; $ – commands must be run as an ordinary, non-privileged user.

Introduction

Exporting public and, more importantly, secret GPG keys makes it easy to backup and keep them in a secure location. If, however, we want to be extra-sure that we have a reliable means to retrieve our keys in case of emergency, we might want to export them in a human-readable and printable fashion. In this article, we will learn how to achieve this.

Use the “--armor” option to export a key

By default, gpg produces binary output when we export a key. This is fine if we only want to save the key to a file, but such output cannot be printed or read by a human. To fix this, we can run gpg with the --armor option, which produces ASCII-armored output that is easier to read and print. To export our private key in this format, we would run:

$ gpg --armor --export-secret-key --output secret.asc <keyid>

The command above creates a file that can be opened with a standard text editor and contains the exported data in the following lines:



As an added precaution, the material may be readily printed and kept in a secure location. However, should the need arise, recovering the key from the printed paper could be a time-consuming operation. An alternative could be to create a QR Code using the information in the file. Let’s examine the procedure.

Making a QR Code from the content exported

We may use the qrencode tool, which is accessible in the repository of all popular Linux distributions, to create a QR Code based on the information in the file containing the armoured output generated by gpg. The tool converts data supplied as input into a QR Code and by default stores the outcome as a PNG picture. Let’s give it a shot. We run:

$ qrencode -o secret.png < secret.asc

In the example above, we called qrencode with the -o option (short for --output) to select the file in which to store the produced picture, and used shell redirection to feed it the contents of the file we exported with gpg. As soon as we run the command, however, we get the following error message:

Failed to encode the input data: Input data too large

Qrencode is unable to produce the code because the file contains too much data to fit in a single QR Code. How can we fix this issue? The answer is to split the armoured output exported with gpg into several files and create a separate QR Code from each of them. We may use the split program to split the file, for instance:

$ split -C 1000 secret.asc secret.asc-

The command above divides the secret.asc file into files with a maximum size of 1000 bytes each, breaking only at line boundaries. Each file is named by taking the second argument we gave, secret.asc-, as a prefix and adding a two-letter suffix. In this instance, we get the following outcome:


The armoured exported file’s content is now broken up into smaller pieces, making it simple to loop over them and generate distinct QR Codes.

$ for i in secret.asc-*; do qrencode -o "${i}.png" < "${i}"; done

The created QR Codes are simple to read, either with any barcode scanning app on our smartphone or from the command line with the zbarimg program. The strings obtained by scanning the QR Codes must be concatenated, in order, to reassemble the original content. For instance, by using zbarimg, we may execute:

$ for i in secret.asc-*.png; do zbarimg --quiet --raw "${i}" | head -c -1 >> reconstructed-key.asc; done

In the previous example, we loop over the QR Codes in the “.png” pictures and read each of them with zbarimg. The --quiet and --raw options suppress the statistics lines and the extra symbology type information, respectively.

We then piped the output of the command to head -c -1, which prints everything that was supplied to it except for the final byte, which in this case is the newline character zbarimg appends to the decoded data (in ASCII each character is stored in one byte). Finally, we append the data to the reconstructed-key.asc file via shell redirection so that we may import back our secret key:

$ gpg --import reconstructed-key.asc
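
A paper backup is only useful if the scanned codes decode back to exactly the bytes that were exported, so the round trip is worth checking before the electronic copy is deleted. The following is an added example, not part of the original article: it writes a SHA-256 manifest next to the chunks and verifies scanned chunks against it. The function names, the chunk- prefix and the MANIFEST file are assumptions, as is the use of GNU coreutils.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Assumes GNU coreutils.

# Constructed stand-in for secret.asc (NOT a real key).
make_sample() {
    local i
    echo '-----BEGIN PGP PRIVATE KEY BLOCK-----'; echo
    for i in $(seq 1 40); do printf 'QUJD%060d\n' "$i"; done
    echo '-----END PGP PRIVATE KEY BLOCK-----'
}

# Split FILE into DIR/chunk-aa, chunk-ab, ... and write DIR/MANIFEST with one
# SHA-256 line per chunk plus a final line for the whole file.
make_chunks() {
    local file=$1 dir=$2 whole
    whole=$(sha256sum < "$file" | cut -d' ' -f1) || return 1
    (
        umask 077                          # chunks hold secret key material
        mkdir -p "$dir" || exit 1
        split -C 1000 "$file" "$dir/chunk-" || exit 1
        cd "$dir" || exit 1
        sha256sum chunk-?? > MANIFEST      # two-letter suffixes only, skips *.png
        printf '%s  WHOLE\n' "$whole" >> MANIFEST
    )
}

# The article's qrencode/zbarimg loops, writing each decoded chunk to its own file.
qr_roundtrip() {
    local dir=$1 c
    mkdir -p "$dir/scanned"
    for c in "$dir"/chunk-??; do
        qrencode -o "$c.png" < "$c"
        zbarimg --quiet --raw "$c.png" | head -c -1 > "$dir/scanned/${c##*/}"
    done
}

# Check each chunk in DIR against MANIFEST, join them in manifest order into OUT,
# and compare OUT with the WHOLE hash. Names every chunk that must be rescanned.
restore_chunks() {
    local manifest=$1 dir=$2 out=$3 sum name bad=0 want=""
    ( umask 077; : > "$out" )              # reconstructed key is private too
    while read -r sum name; do
        if [ "$name" = WHOLE ]; then want=$sum; continue; fi
        if [ ! -f "$dir/$name" ] ||
           [ "$(sha256sum < "$dir/$name" | cut -d' ' -f1)" != "$sum" ]; then
            echo "rescan: $name" >&2; bad=1; continue
        fi
        cat "$dir/$name" >> "$out"
    done < "$manifest"
    [ "$bad" -eq 0 ] && [ "$(sha256sum < "$out" | cut -d' ' -f1)" = "$want" ]
}
```

Typical use is make_chunks secret.asc qr, then qr_roundtrip qr, then restore_chunks qr/MANIFEST qr/scanned reconstructed-key.asc, importing with gpg only if the last command succeeds. Printing MANIFEST together with the codes lets a later restore pinpoint which code was misread.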

Use paperkey to only extract sensitive data

Normally, the output generated when exporting a GPG secret key also includes information on the related public key, which we don’t require. The most popular Linux distributions have the paperkey utility in their repository, which is made to only extract the private information from the data. Here is an illustration of how to use it:

$ gpg --export-secret-key <key-id> | paperkey --output secret.txt

You’ll notice that we didn’t use gpg to armour the data exported in the aforementioned example. We need to have our public key on hand in order to recover the secret key from paperkey output, but this shouldn’t be an issue since we often share our public key on key servers such as, for instance. Assuming the mypublickey.gpg file contains our public key, we would execute:

$ paperkey --pubring mypublickey.gpg --secrets secret.txt | gpg --import

The above command recreates the whole, original secret key from the secret key data in the secret.txt file and the public key, and the result is imported into gpg on the fly.


This lesson demonstrated how to export our GPG secret key in a printable format for use as a second backup. Using the gpg software and paperkey, a tool made to solely extract the secret information section of the exported material, we demonstrated how to carry out the procedure. Finally, we learned how to create several QR Codes from the exported key content.

Where are GnuPG keys stored?

Public GPG keys are kept alongside certificates certifying their reliability in the public keyring, whereas private GPG keys are encrypted and kept in the secret keyring. The private key is used to decrypt data that has been encrypted using the public key.

How can I keep my GPG private key secure?

GnuPG does not save a copy of your raw private key on disc in order to help protect it. Instead, a symmetric encryption technique is used to encrypt it. Because of this, a password is required to access the key.
