@chrisroos
Created September 9, 2011 10:49
Instructions for exporting/importing (backup/restore) GPG keys

Every so often I have to restore my gpg keys and I'm never sure how best to do it. So, I've spent some time playing around with the various ways to export/import (backup/restore) keys.

Method 1

Back up the public and secret keyrings and trust database

cp ~/.gnupg/pubring.gpg /path/to/backups/
cp ~/.gnupg/secring.gpg /path/to/backups/
cp ~/.gnupg/trustdb.gpg /path/to/backups/
# or, instead of backing up trustdb...
gpg --export-ownertrust > chrisroos-ownertrust-gpg.txt

NOTE The GPG manual suggests exporting the ownertrust instead of backing up the trustdb, although it doesn't explain why.

Restore the public and secret keyrings and trust database

cp /path/to/backups/*.gpg ~/.gnupg/
# or, if you exported the ownertrust
gpg --import-ownertrust chrisroos-ownertrust-gpg.txt

Method 2

This only really works if you don't mind losing any other keys (than your own).

Export public and secret key and ownertrust

gpg -a --export chris@seagul.co.uk > chrisroos-public-gpg.key
gpg -a --export-secret-keys chris@seagul.co.uk > chrisroos-secret-gpg.key
gpg --export-ownertrust > chrisroos-ownertrust-gpg.txt

Import secret key (which contains the public key) and ownertrust

gpg --import chrisroos-secret-gpg.key
gpg --import-ownertrust chrisroos-ownertrust-gpg.txt

Method 3

This is mainly about trusting my key once I've imported it (either by restoring pubring.gpg and secring.gpg, or by using --import). This is what I end up doing most often, as I usually forget to import the trustdb or the ownertrust.

Ultimately trust the imported key

This is so that I can encrypt data using my public key.

gpg --edit-key chris@seagul.co.uk
gpg> trust
Your decision? 5 (Ultimate trust)

NOTE If I don't trust the public key then I see the following message when trying to encrypt something with it:

gpg: <key-id>: There is no assurance this key belongs to the named user
@jakob11git

I still don't understand why this would be better over backing up the trustdb. The trustdb should only be corrupted if the backup is corrupted, I would assume. And if the backup is corrupted, the ownertrust.txt export would also be corrupted.

@sagikazarmark

The trustdb should only be corrupted if the backup is corrupted, I would assume.

Not necessarily. The ownertrust export stores the values in plain text form (fingerprint:level), while the trustdb doesn't. It could be corrupted because of GPG version incompatibilities and a number of other reasons.

@r5d

r5d commented May 31, 2016

Wrote a script to automate the backup. It is at https://git.ricketyspace.net/dip/plain/usr/local/bin/gnupg-backup

@tzeejay

tzeejay commented Sep 13, 2016

Thanks for collecting this, and to everyone else for the thoughtful conversation.

@xuhdev

xuhdev commented Feb 11, 2017

Is method 2 a superset of method 1? Seems method 1 is only one step in method 2.

@atepavicharov

Any ideas why importing ownertrust from file gives me gpg: error in 'myownertrustfile.txt' line too long?

@wouerner

Very good! Thanks!

@cmcginty

cmcginty commented Sep 15, 2017

You can simplify Method 3 a little by extending the command to:

gpg --edit-key chris@seagul.co.uk trust quit

There is also a way to run the command in a non-interactive mode:

expect -c "spawn gpg --edit-key chris@seagul.co.uk trust quit; send \"5\ry\r\"; expect eof"

@briceburg

@cmcginty nice usage of expect to automate this!

@benjarrell

@atepavicharov Try converting the line endings from CRLF to LF (or vice-versa).

@jkostolansky

Another way:

echo -e "5\ny\n" | gpg --command-fd 0 --edit-key chris@seagul.co.uk trust quit

@dandv

dandv commented Dec 27, 2018

Method 1 failed because I had previously run gpg2 --list-keys --keyid-format LONG, which created some files and directories in ~/.gnupg/. Make sure to delete those first, before restoring the .gpg files from the backup.

@aioobe

aioobe commented Mar 11, 2019

Regarding Method 1, see What’s new in GnuPG 2.1: Removal of the secret keyring

@michaelw85

michaelw85 commented Mar 15, 2019

Thanks for this gist!

Method 2:

A little note for Windows users.

Export
When you export (via PowerShell) the output file will be encoded with a BOM. If you try to import this, the import will fail with an error.

gpg: [don't know]: partial length invalid for packet type 63
gpg: read_block: read error: Invalid packet
gpg: import from '.\****.key' failed: Invalid keyring
gpg: Total number processed: 0

To resolve this issue, change the encoding of the file to UTF-8 without BOM.

Import

Import using git bash.
Git bash and powershell are using different homedirs at my work setup due to roaming profiles.

If you get the following error:

gpg: key abc: public key "xxxx <yourmail@mail.com>" imported
gpg: can't connect to the agent: IPC connect call failed
gpg: error getting the KEK: No agent running
gpg: Total number processed: 1
gpg:               imported: 1
gpg:       secret keys read: 1

Try starting the agent using the following command and retry:
gpgconf --launch gpg-agent

@e18r

e18r commented Mar 29, 2019

Is the exported private key (symmetrically) encrypted? If not, don't you think it's kind of important as a backup practice?

@snowman

snowman commented Dec 30, 2019

Is there any difference between gpg and gpg2?

@snowman

snowman commented Dec 30, 2019

Why not just back up the entire $HOME/.gnupg directory?

@jeffryang24

There is no pubring.gpg and secring.gpg in gpg2, so probably just back up the whole .gnupg directory. Maybe just ensure that the .gnupg directory's permissions and the files inside it are safe, for example permission 600 for the private key, etc. cmiiw.

Ref: https://www.gnupg.org/faq/whats-new-in-2.1.html#nosecring

@russellballestrini

russellballestrini commented Nov 7, 2020

Thanks @dandv!

I use method 1 to restore my ~/.gnupg directory from a backup.

It didn't work at first, I needed to delete the whole directory first prior to the restore!

@hobti01

hobti01 commented Sep 25, 2022

If you've copied or re-created the ownertrust file you may see the error

$ gpg --import-ownertrust chrisroos-ownertrust-gpg.txt
gpg: error in 'chrisroos-ownertrust-gpg.txt': line too long

In which case, confirm that there is a newline at the end of the file.
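The ownertrust export used in Methods 1 and 2 is plain text, and the comments above trace the "line too long" error and failed imports to a UTF-8 BOM (PowerShell), CRLF line endings, or a missing final newline. The following added example (my own, not the gist's or GnuPG's code) checks a file for those defects before handing it to gpg --import-ownertrust; the sample files and their fingerprint are constructed for the demo.

```shell
#!/bin/sh
# Added example (not the gist's or GnuPG's code): check an ownertrust export
# before "gpg --import-ownertrust", flagging a UTF-8 BOM, CRLF line endings,
# a missing final newline, and data lines that are not "<fingerprint>:<level>:".
hexbytes() { od -An -tx1 | tr -d ' \n'; }   # stdin -> hex string, e.g. efbbbf

# check_ownertrust_file FILE: returns 0 if it looks importable, 1 otherwise,
# printing one reason per line.
check_ownertrust_file() {
    f=$1; rc=0
    [ -f "$f" ] || { echo "$f: no such file"; return 1; }
    if [ "$(head -c 3 "$f" | hexbytes)" = "efbbbf" ]; then
        echo "$f: starts with a UTF-8 BOM"; rc=1
    fi
    if grep -q "$(printf '\r')" "$f"; then
        echo "$f: CRLF line endings"; rc=1
    fi
    if [ "$(tail -c 1 "$f" | hexbytes)" != "0a" ]; then
        echo "$f: no newline at end of file"; rc=1
    fi
    # Data lines are "<fingerprint>:<trust value>:"; lines starting '#' are comments.
    bad=$(tr -d '\r' <"$f" | grep -v '^#' | grep -v '^$' \
          | grep -Evc '^[0-9A-Fa-f]{40}:[0-9]+:$') || true
    if [ "$bad" -ne 0 ]; then
        echo "$f: $bad malformed line(s)"; rc=1
    fi
    return $rc
}

# Import only once the check passes (needs gpg; the demo below never calls it).
import_ownertrust_checked() {
    check_ownertrust_file "$1" && gpg --import-ownertrust "$1"
}

# write_samples DIR: constructed sample files; the fingerprint is made up.
write_samples() {
    fpr=0123456789ABCDEF0123456789ABCDEF01234567
    printf '# List of assigned trustvalues\n%s:6:\n' "$fpr" >"$1/good.txt"
    printf '%s:6:\r\n' "$fpr" >"$1/crlf.txt"
    printf '%s:6:' "$fpr" >"$1/nonewline.txt"
    printf '\357\273\277%s:6:\n' "$fpr" >"$1/bom.txt"
}

# Demo: only good.txt should pass; the others print why they were rejected.
dir=$(mktemp -d)
write_samples "$dir"
for name in good crlf nonewline bom; do
    if check_ownertrust_file "$dir/$name.txt"; then echo "$name.txt: importable"; fi
done
rm -rf "$dir"
```

A file that fails the check is usually fixed by converting CRLF to LF, stripping the BOM, or appending a newline, after which gpg --import-ownertrust accepts it.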
