
Backup and Restore PGP key with paperkey


This guide presumes you have completed the following steps:

This guide will demonstrate how to back up and restore your secret keys using the paperkey utility. Whenever [fingerprint] is mentioned in this guide, substitute it with your complete 40-character fingerprint.

To begin, install the paperkey utility on your Debian-based Linux system. It is packaged in the official repositories, so a single apt command is enough.

sudo apt install paperkey

Backup your certification key

This step extracts the secret parts of the key and formats them as printable hex text.

gpg --export-secret-key [fingerprint] | paperkey -o key-backup.txt

When prompted, enter the password you used during private key generation. This will create a file named key-backup.txt.

Print a paper copy of this file. Because the secret material in it is still encrypted with your passphrase, a glimpse of the printout while it is printing does not expose the key. Write the password on the back of the page and store it securely. Any OCR software can scan this printout back into a digital copy, which can then be used to restore the private key. Do not skip this step: it is the last resort for restoring your private key when every other option is unavailable.

Restore the certification key

This section explains how to retrieve the public key linked to your e-mail address from PGP keyservers and combine it with the paperkey backup generated earlier to recover your private key.

First, restore the key into a temporary directory. If that succeeds, the directory will replace ~/.gnupg.

mkdir ~/paperkey_restore && chmod 0700 ~/paperkey_restore/
export GNUPGHOME=~/paperkey_restore/
cd ~/paperkey_restore/

To get the public key associated with your e-mail address, run the following:

gpg --keyserver [keyserver] --search [e-mail addr]
# Example: gpg --keyserver keys.openpgp.org --search basha@nayab.dev
gpg --export --output public_key.asc [e-mail addr]

The above step stores the public key in the file public_key.asc.

Assuming you have the key-backup.txt file (if not, it can be recreated from the paper copy using any OCR software) and the public key associated with your e-mail address, run the following commands to regenerate and import the private key.

paperkey --pubring public_key.asc --secrets key-backup.txt --output private.key
gpg --import private.key
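When the secrets file comes from OCR rather than from the original key-backup.txt, it pays to find transcription mistakes before running paperkey. The checker below is an added example for this post, not code from paperkey or from the author. It assumes the layout of paperkey's default base16 output as understood here: comment lines start with "#", each data line is a line number, a colon, hex byte pairs and a trailing six-hex-digit OpenPGP CRC-24 of that line's bytes, and the last line carries the CRC-24 of all data bytes. The sample secret bytes, the function names and the simulated OCR error are all constructed for the demonstration; no real key material is involved.

```python
"""Pre-check an OCR'd paperkey base16 transcript before `paperkey --secrets`.

Added example. Assumed layout (paperkey default base16 output, as understood
here, not quoted from the paperkey source):
  # comment lines
  <n>: XX XX XX ... CCCCCC   data bytes, then CRC-24 of those bytes
  <n>: CCCCCC                final line: CRC-24 of every data byte in the file
"""
import re

# OpenPGP CRC-24 parameters (RFC 4880 section 6.1)
CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB

# line number, colon, zero or more "XX " byte pairs, then a 6-hex-digit CRC
DATA_LINE = re.compile(r"^\s*(\d+):\s*((?:[0-9A-Fa-f]{2}\s+)*)([0-9A-Fa-f]{6})\s*$")

# Constructed dummy payload (41 bytes). It is NOT an exported key.
SAMPLE_SECRET = b"constructed-dummy-secret-bytes-not-a-key!"


def crc24(data: bytes) -> int:
    """Bit-serial OpenPGP CRC-24, as specified in RFC 4880."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def format_transcript(secret: bytes, per_line: int = 8) -> str:
    """Render bytes in the assumed layout (used here only to build a sample)."""
    lines = ["# constructed sample in the assumed paperkey base16 layout"]
    n = 0
    for i in range(0, len(secret), per_line):
        chunk = secret[i:i + per_line]
        n += 1
        body = " ".join(f"{b:02X}" for b in chunk)
        lines.append(f"{n:3d}: {body} {crc24(chunk):06X}")
    lines.append(f"{n + 1:3d}: {crc24(secret):06X}")  # whole-file CRC line
    return "\n".join(lines) + "\n"


def check_transcript(text: str) -> dict:
    """Verify every per-line CRC and the final whole-file CRC.

    Returns the transcript line numbers whose CRC does not match, the raw
    lines that do not fit the layout at all, whether the file CRC matched,
    and the reassembled data bytes.
    """
    bad_lines, unparsable, all_data, final_crc = [], [], bytearray(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = DATA_LINE.match(line)
        if not m:
            unparsable.append(raw)
            continue
        lineno, pairs, claimed = int(m.group(1)), m.group(2).split(), int(m.group(3), 16)
        if not pairs:  # a line with only a CRC is the whole-file checksum
            final_crc = claimed
            continue
        data = bytes.fromhex("".join(pairs))
        if crc24(data) != claimed:
            bad_lines.append(lineno)
        all_data += data
    file_ok = final_crc is not None and crc24(bytes(all_data)) == final_crc
    return {"bad_lines": bad_lines, "unparsable": unparsable,
            "file_crc_ok": file_ok, "data": bytes(all_data)}


def with_ocr_error(transcript: str, lineno: int) -> str:
    """Simulate a misread: replace the first byte on line `lineno` with its complement."""
    out = []
    for raw in transcript.splitlines():
        m = DATA_LINE.match(raw.strip())
        if m and int(m.group(1)) == lineno and m.group(2):
            first = m.group(2).split()[0]
            prefix, rest = raw.split(":", 1)
            raw = prefix + ":" + rest.replace(first, f"{(~int(first, 16)) & 0xFF:02X}", 1)
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    clean = format_transcript(SAMPLE_SECRET)
    print(check_transcript(clean)["bad_lines"], check_transcript(clean)["file_crc_ok"])
    damaged = with_ocr_error(clean, 2)
    print(check_transcript(damaged)["bad_lines"], check_transcript(damaged)["file_crc_ok"])
```

Run it against the OCR output file (read the text and pass it to check_transcript); any line number it lists is one to re-read from the paper copy and correct by hand before the paperkey step. paperkey performs the same CRC checks itself when it reads the secrets file, so the value of this pre-check is that you fix the transcript once, up front, instead of iterating on a failed restore.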

Now that the private key is imported, run the following command to confirm there are no errors.

gpg --list-secret-keys

If there are no errors, replace ~/.gnupg with this directory:

cd ..
rm -rf .gnupg/
mv paperkey_restore/ .gnupg
unset GNUPGHOME

Your Certify key is now restored, so you can perform operations such as adding or removing subkeys and identities. Remember to send the updated public key to the keyservers after making such changes.

This post is licensed under CC BY 4.0 by the author.