Essential GPG Backup Guide: Critical Files and Best Practices for Developers



When backing up GPG, you need to consider these critical components:

  • Private keys (secring.gpg or private-keys-v1.d/)
  • Public keys (pubring.gpg)
  • Trust database (trustdb.gpg)
  • Configuration files (gpg.conf)
  • Revocation certificates

The default locations vary by OS:


# Linux/MacOS
~/.gnupg/

# Windows
%APPDATA%\gnupg\

Here's a comprehensive backup script example:


#!/bin/bash
# "~" does not expand inside double quotes, so build the path from $HOME
BACKUP_DIR="$HOME/gpg_backup_$(date +%Y%m%d)"
mkdir -p "$BACKUP_DIR"
chmod 700 "$BACKUP_DIR"   # the directory will hold private key material

# Backup private keys
gpg --export-secret-keys --armor > "$BACKUP_DIR/private_keys.asc"

# Backup public keys
gpg --export --armor > "$BACKUP_DIR/public_keys.asc"

# Backup trust database
cp ~/.gnupg/trustdb.gpg "$BACKUP_DIR/"

# Backup configuration
cp ~/.gnupg/gpg.conf "$BACKUP_DIR/"

# Generate and backup a revocation certificate for the first secret key.
# Read the key ID from the machine-readable listing (field 5 of the "sec" record);
# grepping the human-readable output breaks with several, expired or revoked keys.
# Note that --gen-revoke is interactive: it asks for confirmation and a reason.
KEY_ID=$(gpg --list-secret-keys --with-colons | awk -F: '$1 == "sec" { print $5; exit }')
gpg --output "$BACKUP_DIR/revoke.asc" --gen-revoke "$KEY_ID"

For regular backups, consider these approaches:


# Cron job for weekly backups (Sunday 03:00). A cron run cannot answer prompts,
# so the script it calls must not include the interactive --gen-revoke step.
0 3 * * 0 /path/to/backup_script.sh

# Version control integration. The repository contains your private keys:
# keep it on encrypted, offline storage and never push it to a hosted remote.
git init ~/.gnupg
# editor backups, lock files, agent sockets and the random seed do not belong in history
printf '%s\n' '*~' '*.lock' 'S.gpg-agent*' 'S.dirmngr' 'random_seed' > ~/.gnupg/.gitignore
git -C ~/.gnupg add .
git -C ~/.gnupg commit -m "Initial GPG backup"

Always test your backups by importing them to a test environment:


# Point gpg at a throwaway keyring so the test never touches your real ~/.gnupg
export GNUPGHOME="$(mktemp -d)"
gpg --import private_keys.asc
gpg --import public_keys.asc
# trustdb.gpg is a binary database: copy it into place rather than feeding it to
# --import-ownertrust, which only reads the text produced by --export-ownertrust
cp trustdb.gpg "$GNUPGHOME/"
gpg --check-trustdb
gpg --list-secret-keys

Protect the backup files themselves:

  • Encrypt your backup files: gpg --encrypt --recipient your@email.com backup.tar
  • Store backups in multiple secure locations
  • Use strong passphrases for your private keys
  • Consider hardware security modules for enterprise environments

When backing up GPG (GNU Privacy Guard), you need to preserve several critical components that form your cryptographic identity:

  • Private Keys (~/.gnupg/private-keys-v1.d/*): Your most sensitive data, encrypted with passphrases
  • Public Keys (~/.gnupg/pubring.kbx): Contains your public key and trusted keys
  • Trust Database (~/.gnupg/trustdb.gpg): Stores owner trust and validity information
  • Revocation Certificates: Critical for key revocation scenarios
  • Configuration Files (~/.gnupg/gpg.conf): Custom settings and preferences

Use these commands to create secure backups:


# Export private key (ASCII armored)
gpg --export-secret-keys --armor YOUR_KEY_ID > private_key.asc

# Export public key
gpg --export --armor YOUR_KEY_ID > public_key.asc

# Export revocation certificate (interactive: asks for confirmation and a reason).
# GnuPG 2.1+ already wrote one at key creation under ~/.gnupg/openpgp-revocs.d/
gpg --gen-revoke YOUR_KEY_ID > revocation_cert.asc

# Backup the entire GPG directory (Linux/macOS)
tar -czvf gpg_backup.tar.gz ~/.gnupg

Consider these security measures for your backups:

  • Encrypt backup files with strong symmetric encryption (AES-256)
  • Store on multiple media types (USB drives, encrypted cloud storage)
  • Use physical security measures for offline backups
  • Implement a regular backup rotation schedule

Here's a bash script to automate GPG backups:


#!/bin/bash

BACKUP_DIR="/path/to/secure/backup"
GPG_HOME="$HOME/.gnupg"
# Read the key ID from the machine-readable listing (field 5 of the "sec" record);
# grepping the human-readable output breaks with several, expired or revoked keys.
KEY_ID=$(gpg --list-secret-keys --with-colons | awk -F: '$1 == "sec" { print $5; exit }')

# Create backup directory (owner-only: it will hold private key material)
mkdir -p "$BACKUP_DIR"
chmod 700 "$BACKUP_DIR"

# Export keys
gpg --export-secret-keys --armor "$KEY_ID" > "$BACKUP_DIR/private_key.asc"
gpg --export --armor "$KEY_ID" > "$BACKUP_DIR/public_key.asc"

# Backup config files
cp "$GPG_HOME"/*.conf "$BACKUP_DIR/"

# Create encrypted archive. -pbkdf2 replaces openssl's weak legacy key derivation;
# openssl prompts for the passphrase, so this step is not suitable for cron.
tar -czvf - "$GPG_HOME" | openssl enc -aes-256-cbc -salt -pbkdf2 \
  -out "$BACKUP_DIR/gpg_home_backup_$(date +%Y%m%d).tar.gz.enc"

echo "GPG backup completed and encrypted. Store $BACKUP_DIR securely."

Always test your backups by:

  1. Importing to a test environment
  2. Verifying signature capabilities
  3. Checking decryption functionality
  4. Confirming trust settings are preserved
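Both scripts on this page pick the key ID by grepping the human-readable listing, and the restore test above is left as a checklist. The following POSIX shell script is an added example, not code from the page or from the GnuPG project: it selects keys from the machine-readable `--with-colons` output, exports each one by full fingerprint, and then restores the result into a throwaway keyring and round-trips a signature. It assumes GnuPG 2.1+; the function names and the file layout under the backup directory are this example's own choices.

```shell
# Reads `gpg --list-secret-keys --with-colons` on stdin and prints one full
# fingerprint per line for every secret key that is not revoked (r), expired (e)
# or disabled (d). Colon-format fields: 1 = record type, 2 = validity,
# 10 = fingerprint on the "fpr" record that directly follows each "sec" record.
usable_secret_fingerprints() {
  awk -F: '
    $1 == "sec" { keep = ($2 != "r" && $2 != "e" && $2 != "d"); next }
    $1 == "fpr" && keep { print $10; keep = 0 }
  '
}

# Exports every usable secret/public key pair plus the text form of the trust
# database into "$1", then seals the directory in a passphrase-protected tarball.
# (Hypothetical layout: <fingerprint>.sec.asc, <fingerprint>.pub.asc, ownertrust.txt)
backup_gpg_keys() {
  dir="$1"
  mkdir -p "$dir" && chmod 700 "$dir"
  gpg --list-secret-keys --with-colons | usable_secret_fingerprints |
  while read -r fpr; do
    gpg --export-secret-keys --armor "$fpr" > "$dir/$fpr.sec.asc"
    gpg --export --armor "$fpr" > "$dir/$fpr.pub.asc"
  done
  # --export-ownertrust is the form --import-ownertrust can read back;
  # trustdb.gpg itself is a binary database and must be copied, not imported
  gpg --export-ownertrust > "$dir/ownertrust.txt"
  tar -C "$dir" -cf - . | gpg --symmetric --cipher-algo AES256 -o "$dir.tar.gpg"
}

# Restores the backup into a throwaway GNUPGHOME and round-trips a clearsigned
# message, so a broken export is caught while the original keys still exist.
verify_gpg_backup() {
  dir="$1"
  GNUPGHOME=$(mktemp -d) && export GNUPGHOME
  for f in "$dir"/*.asc; do gpg --import "$f"; done
  gpg --import-ownertrust < "$dir/ownertrust.txt"
  echo "backup test" | gpg --clearsign | gpg --verify   # prompts for the passphrase
  rm -rf "$GNUPGHOME" && unset GNUPGHOME
}
```

Run `backup_gpg_keys ~/gpg_backup_$(date +%Y%m%d)` and then `verify_gpg_backup` on the same directory; a failed `--verify` or a missing key in the restored listing means the backup is not usable.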