Every so often I have to restore my gpg keys and I'm never sure how best to do it. So, I've spent some time playing around with the various ways to export/import (backup/restore) keys.
Backup the public and secret keyrings and trust database
cp ~/.gnupg/pubring.gpg /path/to/backups/ cp ~/.gnupg/secring.gpg /path/to/backups/ cp ~/.gnupg/trustdb.gpg /path/to/backups/ # or, instead of backing up trustdb... gpg --export-ownertrust > chrisroos-ownertrust-gpg.txt
NOTE The GPG manual suggests exporting the ownertrust instead of backing up the trustdb, although it doesn't explain why.
Restore the public and secret keyrings and trust database
cp /path/to/backups/*.gpg ~/.gnupg/ # or, if you exported the ownertrust gpg --import-ownertrust chrisroos-ownertrust-gpg.txt
This only really works if you don't mind losing any other keys (than your own).
Export public and secret key and ownertrust
gpg -a --export firstname.lastname@example.org > chrisroos-public-gpg.key gpg -a --export-secret-keys email@example.com > chrisroos-secret-gpg.key gpg --export-ownertrust > chrisroos-ownertrust-gpg.txt
Import secret key (which contains the public key) and ownertrust
gpg --import chrisroos-secret-gpg.key gpg --import-ownertrust chrisroos-ownertrust-gpg.txt
This is mainly about trusting my key once I've imported it (by either restoring the pubring.gpg and secring.gpg, or by using --import). This seems to be what I do the most as I either forget to import the trustdb or ownertrust.
Ultimately trust the imported key
This is so that I can encrypt data using my public key
gpg --edit-key firstname.lastname@example.org gpg> trust Your decision? 5 (Ultimate trust)
NOTE If I don't trust the public key then I see the following message when trying to encrypt something with it:
gpg: <key-id>: There is no assurance this key belongs to the named user
Regarding the trustdb vs ownertrust export thing: the GPG manual actually does explain why
--export-ownertrustis preferred, albeit on a different page: