Backup the public and secret keyrings and trust database
For a minimal backup you only need to save your private key, assuming your public key is posted on keyservers like keyserver.ubuntu.com. For a complete backup of your keys, however, you need to export both keys and the ownertrust db.
To export your keys and ownertrust db, run the following commands in your terminal:
gpg --armor --export > pgp-public-keys.asc
gpg --armor --export-secret-keys > pgp-private-keys.asc
gpg --export-ownertrust > pgp-ownertrust.asc
Done! Make sure to keep your private key secured even if it is protected with a passphrase: revealing your private key reduces the security of your key to just that passphrase.
Also, while you are at it, you may as well generate a revocation certificate.
For that you need to note your key ID, which is the second column, after the slash. In the output below, the key ID is 41650358D9338845.
$ gpg --list-secret-keys --keyid-format LONG
/home/oreki/.gnupg/pubring.kbx
------------------------------
sec   rsa4096/41650358D9338845 2020-08-19 [SC]
      ECE48C71E23CDFDC517165E841650358D9338845
uid                 [ultimate] Ashutosh Varma (Ashutosh Varma's PGP Key) <ashutoshvarma11@live.com>
ssb   rsa4096/CA77E77152576307 2020-08-19 [E]
After that, generate the certificate. You will be prompted several times, and most probably you want to choose "1 = Key has been compromised".
$ gpg --armor --gen-revoke 41650358D9338845 > pgp-revocation.asc

sec  rsa4096/41650358D9338845 2020-08-19 Ashutosh Varma (Ashutosh Varma's PGP Key) <ashutoshvarma11@live.com>

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)
Your decision? 1
Enter an optional description; end it with an empty line:
> Key Compromised
>
Reason for revocation: Key has been compromised
Key Compromised
Is this okay? (y/N) y
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable. But have some caution: The print system of
your machine might store the data and make it available to others!
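The backup commands and the key ID lookup above, scripted as an added example (not code from the original post): the exports land in a directory created with umask 077 and are checked to be non-empty, and the long key ID is read from the `--keyid-format LONG` listing and cross-checked against the fingerprint. The sample listing and the backup directory name are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: back up the keyrings into a
# permission-restricted directory and pull the long key ID out of the
# `gpg --list-secret-keys --keyid-format LONG` listing shown above.

# Long key ID = the 16 hex digits after the slash on the first "sec" line.
# Reads the listing on stdin so it can be checked without a live gpg.
primary_key_id() {
    awk '$1 == "sec" { split($2, parts, "/"); print parts[2]; exit }'
}

# The 40-hex-digit fingerprint is printed on the line after "sec".
primary_fingerprint() {
    awk '$1 == "sec" { want = 1; next }
         want && length($1) == 40 && $1 ~ /^[0-9A-F]+$/ { print $1; exit }'
}

# For a v4 OpenPGP key the long key ID is the last 16 hex digits of the
# fingerprint, so the two values read from the listing must agree.
key_id_matches_fingerprint() {
    [ "${#2}" -eq 40 ] || return 1
    [ "$1" = "$(printf '%s' "$2" | cut -c 25-40)" ]
}

# Export public keys, secret keys and ownertrust into DIR. umask 077 makes
# the directory 0700 and the files 0600 (it stays in effect for the rest of
# the script), and every export is checked to be non-empty so a failed run
# is not mistaken for a finished backup.
backup_keys() {
    dir=$1
    umask 077
    mkdir -p "$dir" || return 1
    gpg --armor --export > "$dir/pgp-public-keys.asc" || return 1
    gpg --armor --export-secret-keys > "$dir/pgp-private-keys.asc" || return 1
    gpg --export-ownertrust > "$dir/pgp-ownertrust.asc" || return 1
    for f in pgp-public-keys.asc pgp-private-keys.asc pgp-ownertrust.asc; do
        [ -s "$dir/$f" ] || { echo "empty export: $f" >&2; return 1; }
    done
}

# Constructed sample listing in the format the post shows (same key as above).
SAMPLE_LISTING="sec   rsa4096/41650358D9338845 2020-08-19 [SC]
      ECE48C71E23CDFDC517165E841650358D9338845
uid           [ultimate] Ashutosh Varma <ashutoshvarma11@live.com>
ssb   rsa4096/CA77E77152576307 2020-08-19 [E]"

# Stand-alone run: show the key ID you would pass to `gpg --gen-revoke`.
key_id=$(printf '%s\n' "$SAMPLE_LISTING" | primary_key_id)
fpr=$(printf '%s\n' "$SAMPLE_LISTING" | primary_fingerprint)
key_id_matches_fingerprint "$key_id" "$fpr" && echo "revoke with: gpg --armor --gen-revoke $key_id"
```

To take a real backup, call `backup_keys "$HOME/pgp-backup"` (any directory name works) and feed `gpg --list-secret-keys --keyid-format LONG` into `primary_key_id` instead of the sample.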
Restore your keys
gpg --import pgp-public-keys.asc
gpg --import pgp-private-keys.asc
gpg --import-ownertrust pgp-ownertrust.asc
Revoke your key with the revocation certificate
If your key is compromised, you can revoke it in the same way, by importing the revocation certificate:
gpg --import pgp-revocation.asc
Make sure to upload your revocation certificate to keyservers where your public keys are posted.
Where should I back up my PGP key?
One great method is to print it as a QR code, but printing the plain-text files generated above is also reasonable.
Uploading to a cloud service is the most convenient, but you are obviously trusting that provider with your private keys.
The most recommended option is to store your keys on an OpenPGP-compatible hardware token such as a YubiKey, which is probably the most secure way to keep your secret keys.