Moving a GPG Key (Privately)

Sometimes I have to move my GnuPG key between computers, and although GnuPG does have features to export your private key, they are not well documented, probably by choice to discourage their use, since a private key sitting outside its keyring is a security risk. I have developed the following method to export both the public and private keys together, so that they can be easily imported, with the minimum of secret data written to disk.

  1. Find out the key ID of the key you wish to export. You can get this from the output of

    gpg -K

    Note that the capital K is important: -K is the short form of --list-secret-keys, so it lists only the keys whose secret half you actually hold, rather than every public key on your keyring.

  2. First, export the public key. This is public information, so there is nothing to protect here:

    gpg --output pubkey.gpg --export {KEYID}

  3. Now, in one step, export the secret key, concatenate it with the public key into a single stream, and encrypt the result for transfer:

    gpg --output - --export-secret-key {KEYID} |\
     cat pubkey.gpg - |\
     gpg --armor --output keys.asc --symmetric --cipher-algo AES256

    You will be prompted for a passphrase during this step. This is the passphrase for the temporary transfer encryption only, not your key's passphrase, so use a good one and remember it; without it the file is useless. On GnuPG 2.1 and later the agent will also ask for the key's own passphrase so that it can unlock the secret key for export, so expect two prompts if the key is protected.

  4. Now transfer the keys.asc file to the new computer. Because it is encrypted you could in principle send it over the internet and it should still be secure, but I would suggest not doing so, as that leaves copies of the bundle on machines you do not control. When I last did this I just used a normal flash drive.
  5. On the new computer, decrypt the file and import the keys, again using a pipe so that the decrypted key material never touches the disk:

    gpg --decrypt keys.asc | gpg --import

    You will be asked for the transfer passphrase, and on GnuPG 2.1 and later possibly for the key's own passphrase as well, so that the agent can take the secret key over. GnuPG 2 always uses the agent, so the --no-use-agent option that GnuPG 1.x accepted here is no longer needed.

  6. And that should be that. Two things do not travel in the file, though: the ownertrust is stored in the trust database rather than in the key, so mark the key as your own again with gpg --edit-key {KEYID} and the trust command (or use gpg --export-ownertrust on the old machine and gpg --import-ownertrust on the new one), and once the import has succeeded, delete keys.asc from the flash drive, since it is only as strong as the transfer passphrase.
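The whole procedure as one script, added here as an example rather than taken from the post: export_keys and import_keys wrap steps 2 to 5 (a { ...; } group replaces the temporary pubkey.gpg, so only the encrypted bundle is written to disk), and demo_roundtrip proves it works by generating a throwaway, unprotected key in a temporary keyring, exporting it, importing it into a second temporary keyring, and checking that the same secret key ID arrives and that a wrong transfer passphrase is rejected. It assumes GnuPG 2.1 or later (for --pinentry-mode loopback and %no-protection) and takes the transfer passphrase from the environment variable TRANSFER_PASSPHRASE so that it can run unattended; the key, the user ID demo@example.invalid and the passphrase are all constructed for the demo. Interactively you would drop --batch and --passphrase and let pinentry ask, as in the steps above; a passphrase given on the command line is visible in ps, so for a real key let pinentry prompt.

```shell
#!/bin/sh
# Added example (not from the original post): the export/import procedure
# wrapped in shell functions, plus a self-test that round-trips a freshly
# generated throwaway key between two temporary GNUPGHOMEs.
#
# Assumptions (mine, not the post's): GnuPG 2.1 or newer, and the transfer
# passphrase supplied in TRANSFER_PASSPHRASE so the demo can run unattended.
# --passphrase on the command line is visible in `ps`; interactively, omit
# --batch/--passphrase and let pinentry ask, exactly as in the steps above.

set -eu

# Return 0 only if a usable gpg (2.1 or newer) is on PATH.
have_gpg2() {
    command -v gpg >/dev/null 2>&1 || return 1
    ver=$(gpg --version | head -n 1 | awk '{print $NF}')
    case $ver in
        2.[1-9]*|[3-9].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Long key IDs of all secret keys in the current GNUPGHOME, one per line
# (field 5 of the "sec" records in --with-colons output).
secret_keyids() {
    gpg --batch --list-secret-keys --with-colons 2>/dev/null \
        | awk -F: '$1 == "sec" { print $5 }'
}

# export_keys KEYID OUTFILE
# Public key first, then the secret key, concatenated into one OpenPGP
# stream and symmetrically encrypted with AES-256 into an armoured file.
# A passphrase-protected secret key is unlocked through pinentry by
# --export-secret-keys; the transfer passphrase comes from the environment.
export_keys() {
    keyid=$1
    outfile=$2
    {
        gpg --export "$keyid"
        gpg --export-secret-keys "$keyid"
    } | gpg --batch --yes --armor --symmetric --cipher-algo AES256 \
            --pinentry-mode loopback --passphrase "$TRANSFER_PASSPHRASE" \
            --output "$outfile"
}

# import_keys INFILE
# Decrypt the bundle with the transfer passphrase and import both keys.
# The plaintext only ever crosses the pipe; nothing is written unencrypted.
import_keys() {
    infile=$1
    gpg --batch --pinentry-mode loopback --passphrase "$TRANSFER_PASSPHRASE" \
        --decrypt "$infile" | gpg --import
}

# demo_roundtrip
# Generate an unprotected demo key in a temporary keyring, export it with
# export_keys, import it into a second temporary keyring, and check that the
# same secret key ID appears on the other side and that a wrong transfer
# passphrase does not unlock the bundle. Prints "ok" on success.
demo_roundtrip() {
    src=$(mktemp -d)
    dst=$(mktemp -d)
    TRANSFER_PASSPHRASE='constructed demo passphrase, not a real secret'
    export TRANSFER_PASSPHRASE

    export GNUPGHOME="$src"
    gpg --batch --quiet --gen-key <<'EOF'
Key-Type: eddsa
Key-Curve: Ed25519
Key-Usage: sign
Name-Real: Demo Key
Name-Email: demo@example.invalid
Expire-Date: 0
%no-protection
%commit
EOF
    keyid=$(secret_keyids | head -n 1)
    export_keys "$keyid" "$src/keys.asc"

    # The bundle on disk must be armoured ciphertext, not key material.
    head -n 1 "$src/keys.asc" | grep -q '^-----BEGIN PGP MESSAGE-----$' || return 1

    export GNUPGHOME="$dst"
    import_keys "$src/keys.asc"
    imported=$(secret_keyids | head -n 1)

    # A wrong transfer passphrase must fail to decrypt the bundle.
    if gpg --batch --pinentry-mode loopback --passphrase wrong \
           --decrypt "$src/keys.asc" >/dev/null 2>&1; then
        return 1
    fi

    for home in "$src" "$dst"; do
        GNUPGHOME="$home" gpgconf --kill gpg-agent 2>/dev/null || true
    done
    unset GNUPGHOME
    rm -rf "$src" "$dst"

    [ -n "$imported" ] && [ "$imported" = "$keyid" ] && echo ok
}

# Run the self-test when invoked as `sh move-gpg-key.sh demo`.
if [ "${1:-}" = demo ]; then
    demo_roundtrip
fi
```

For a real move you would source the file, export TRANSFER_PASSPHRASE (or strip the --batch and --passphrase options so pinentry prompts), then run export_keys on the old machine and import_keys on the new one; the ownertrust still has to be set separately, as noted in step 6.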

18 Responses to Moving a GPG Key (Privately)

  1. brian says:

    This is Great, thanks!

  2. Works like a charm, thanks!

  3. Johnny says:

    Do you have any experience with IPSwitch? I’m trying to move a private key from GPG for use in IPSwitch.

    Thanks,
    Johnny

  4. Pingback: Moving GPG Key Securely

  5. Chris Carlen says:

    Why is it necessary to do this? The files in my .gnupg dir are already encrypted by the passphrase I entered when I created the key pair. Thus, I should be able to simply transport the entire .gnupg dir around on a flash drive, or even email directly, securely.
    The only reason this would have limitations would be if I wanted to add the keys from this machine to the keyring on another gnupg configuration. Then I’d have to use the import/export pathway. In this case, your method might be very suitable. But if I only have one key pair, then the .gnupg files are it.
    Please correct me if my understanding is wrong. I’m just trying to figure this out.

    • Dark Otter says:

      I think you are correct about that, but the intention was that there should be an extra layer of encryption when sending over email etc., as it is generally easier to intercept an e-mail. Of course, this only offers extra protection if the passphrases you use are completely independent.

  6. RJ says:

    Hi, I am getting an error when I try this on Mac OS X Lion. Any tips for this?

    gpg --output - --export-secret-key {my_key_id} |\
     cat pubkey.gpg - |\
     gpg --armor --output keys.asc --symmetric --cipher-algo AES256
    -bash: cat: command not found
    -bash: gpg: command not found

    • Dark Otter says:

      You don’t seem to have gpg installed, nor, bizarrely, the cat program. To be honest I know nothing about Mac OS X, so I’m afraid you’re mostly on your own, but my guess is that you need to do something to install GnuPG and the GNU Core Utils.

  7. Markus Koch says:

    Hi,
    in principle it worked great, but I cannot read my secret key afterwards.
    I get a message that my passphrase is wrong :-( Any idea?

    Cheers
    Markus

    • Dark Otter says:

      I’m afraid not, hope you managed to work it out and recover anything you lost. The article is probably a long way out of date now anyway.

  8. Pingback: GPG related links | Joel's PhD Blog

  9. Pingback: Moving GPG Key Securely « azneita projects

  10. Pingback: GPG Anahtarlarının Taşınması / Export - Import | Syslogs

  11. What’s with --no-use-agent? According to the manual: “This is dummy option. gpg2 always requires the agent.”

    • Dark Otter says:

      I think the post may have been written so long ago that it was before that was the case (it was written using GPG 1.X, where that option still had an effect if I recall correctly). You may as well leave that option off now, as you correctly point out.

  12. Thank you very much for this :)
