GPG Backup and storage of secret key
Borax Man
2009-03-21 18:34:35 UTC
Hello all,

I have created a public/private set of keys and would like to backup my
secret key. I assume that what this is for, is if my hard drive goes
kaput, I can import the backup which is on a USB stick/CD/Floppy, etc.

So I issue the command.

gpg -ao secret.key --export-secret-keys A1B2C3D4
and get a file.

My question is this, why did it NOT ask for the passphrase? Is it that
the file I've just created is still encrypted with the passphrase? Or
is this a bug? Every time GPG needs to use the private key, it
requires the passphrase, but in this instance it didn't need it.

I can only assume that's because it's a backup of the encrypted key which
still needs the passphrase. Can someone confirm?

Secondly, it would be a good idea NOT to have the private key on the
Hard Drive, and just have it on a USB stick, but how do I operate GPG
with the secret key on a disk?

Thanks,
Dennis
Neil W Rickert
2009-03-21 18:42:24 UTC
Post by Borax Man
I have created a public/private set of keys and would like to backup my
secret key. I assume that what this is for, is if my hard drive goes
kaput, I can import the backup which is on a USB stick/CD/Floppy, etc.
I just backup my keyrings for that.
Post by Borax Man
gpg -ao secret.key --export-secret-keys A1B2C3D4
and get a file.
My question is this, why did it NOT ask for the passphrase? Is it that
the file I've just created is still encrypted with the passphrase?
Yes. It is still encrypted.
Post by Borax Man
Secondly, it would be a good idea NOT to have the private key on the
Hard Drive, and just have it on a USB stick, but how do I operate GPG
with the secret key on a disk?
If this is unix/linux, you can make "secring.gpg" a symlink to the
USB file. If you are only verifying signatures, you won't need
your secret key. If you are encrypting or signing, you will need it.
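Neil's "yes, it is still encrypted" can be checked directly rather than taken on trust. The script below is an added example, not code from the thread or from GnuPG: it parses the ASCII-armored file that `gpg -ao secret.key --export-secret-keys` writes and reads the S2K usage octet of every secret-key and secret-subkey packet (RFC 4880 section 5.5.3), which is 0 only when the key material is stored in the clear. It assumes v4 keys with RSA, DSA, ElGamal or EC algorithms and no partial-length packets; the `SAMPLE_PROTECTED` and `SAMPLE_PLAIN` blocks are constructed test data with dummy MPIs, not real key material.

```python
"""Added example (not code from the thread): read the S2K usage octet of each
secret-key / secret-subkey packet in a `gpg --export-secret-keys` file to
confirm the secret material is still passphrase-protected (RFC 4880 5.5.3).
Assumes v4 keys (RSA, DSA, ElGamal or EC) without partial-length packets."""
import base64
import struct
from dataclasses import dataclass
from typing import Iterator, List, Tuple

SECRET_KEY_TAG, SECRET_SUBKEY_TAG = 5, 7
PUBLIC_MPI_COUNT = {1: 2, 2: 2, 3: 2, 16: 3, 17: 4}   # RSA*, ElGamal, DSA
EC_ALGOS = {18, 19, 22}                                # ECDH, ECDSA, EdDSA


def dearmor(text: str) -> bytes:
    """Binary packets from an armored block; headers end at the first blank
    line and the '=XXXX' CRC-24 line is dropped (not needed to read packets)."""
    lines = text.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an ASCII-armored block")
    body = lines[1:-1]
    if "" in body:
        body = body[body.index("") + 1:]
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))


def packets(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, body) per packet, handling old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb, i = data[i], i + 1
        if not ctb & 0x80:
            raise ValueError("bad packet header")
        if ctb & 0x40:                                   # new format (RFC 4880 4.2.2)
            tag, first, i = ctb & 0x3F, data[i], i + 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = struct.unpack(">I", data[i:i + 4])[0], i + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                            # old format (RFC 4880 4.2.1)
            tag, n = (ctb >> 2) & 0x0F, 1 << (ctb & 0x03)
            if n == 8:                                   # length type 3: indeterminate
                raise ValueError("indeterminate length not supported")
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length


@dataclass
class SecretKeyInfo:
    tag: int
    algo: int
    s2k_usage: int   # 0 = clear; 254/255 = S2K-derived key; other = legacy cipher id

    @property
    def protected(self) -> bool:
        return self.s2k_usage != 0


def inspect_secret_key(tag: int, body: bytes) -> SecretKeyInfo:
    """Skip the v4 public-key fields and read the octet that opens the secret part."""
    if body[0] != 4:
        raise ValueError(f"unsupported key packet version {body[0]}")
    algo, i = body[5], 6                                 # version, 4-byte ctime, algo

    def skip_mpi(pos: int) -> int:                       # 2-octet bit count + value
        return pos + 2 + (struct.unpack(">H", body[pos:pos + 2])[0] + 7) // 8

    if algo in PUBLIC_MPI_COUNT:
        for _ in range(PUBLIC_MPI_COUNT[algo]):
            i = skip_mpi(i)
    elif algo in EC_ALGOS:                               # curve OID, point, ECDH KDF params
        i = skip_mpi(i + 1 + body[i])
        if algo == 18:
            i += 1 + body[i]
    else:
        raise ValueError(f"unsupported public-key algorithm {algo}")
    return SecretKeyInfo(tag, algo, body[i])


def check_export(armored: str) -> List[SecretKeyInfo]:
    """One SecretKeyInfo per secret key or subkey in the export."""
    return [inspect_secret_key(t, b) for t, b in packets(dearmor(armored))
            if t in (SECRET_KEY_TAG, SECRET_SUBKEY_TAG)]


# Constructed sample data (dummy MPIs, not real key material) for a dry run.
def _fake_rsa_packet(tag: int, s2k_usage: int, old_format: bool) -> bytes:
    pub = b"\x04\x49\xc4\x00\x00\x01"                    # v4, ctime, algo 1 (RSA)
    pub += b"\x00\x10\xc0\x01" + b"\x00\x11\x01\x00\x01"  # n (16-bit dummy), e = 65537
    if s2k_usage == 0:
        sec = b"\x00" + b"\x00\x08\xab"                   # d etc. stored in the clear
    else:                                                # AES-256, iterated+salted SHA-1 S2K
        sec = bytes([s2k_usage, 9, 3, 2]) + bytes(8) + b"\x60" + bytes(16) + b"\x11" * 20
    body = pub + sec
    if old_format:                                       # old CTB with 2-octet length
        return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body
    return bytes([0xC0 | tag, len(body)]) + body         # new CTB with 1-octet length


def _armor(raw: bytes) -> str:
    return ("-----BEGIN PGP PRIVATE KEY BLOCK-----\nVersion: constructed sample\n\n"
            + base64.b64encode(raw).decode() + "\n-----END PGP PRIVATE KEY BLOCK-----\n")


SAMPLE_PROTECTED = _armor(_fake_rsa_packet(5, 254, False) + _fake_rsa_packet(7, 254, True))
SAMPLE_PLAIN = _armor(_fake_rsa_packet(5, 0, False))
```

Run it on a real export with `check_export(open("secret.key").read())` and look at `protected` on each entry; an export with `s2k_usage == 0` means the key was never given a passphrase (or was exported with the passphrase removed), and such a file should be treated as plaintext key material wherever it is stored. The S2K usage octet only tells you the material is wrapped under a passphrase; the strength of that wrapping is whatever the passphrase is.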
JTF
2009-03-22 22:31:45 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Post by Borax Man
I have created a public/private set of keys and would like to backup my
secret key.  I assume that what this is for, is if my hard drive goes
kaput, I can import the backup which is on a USB stick/CD/Floppy, etc.
I just backup my keyrings for that.
Post by Borax Man
gpg -ao secret.key --export-secret-keys A1B2C3D4
and get a file.
My question is this, why did it NOT ask for the passphrase? Is it that
the file I've just created is still encrypted with the passphrase?
Yes.  It is still encrypted.
Post by Borax Man
Secondly, it would be a good idea NOT to have the private key on the
Hard Drive, and just have it on a USB stick, but how do I operate GPG
with the secret key on a disk?
If this is unix/linux, you can make "secring.gpg" a symlink to the
USB file.  If you are only verifying signatures, you won't need
your secret key.  If you are encrypting or signing, you will need it.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
iEYEARECAAYFAknFNRQACgkQvmGe70vHPUMusQCgsSvnQay23VAhDWrKYOQfkJZ5
Fl8AoO5f6hx+WP1SH14380+mgv3gXdap
=+pox
-----END PGP SIGNATURE-----
Another option is to create an encrypted drive volume with TrueCrypt
and then save it off that way....the volume being encrypted should
keep your stuff safe for the foreseeable future.
Borax Man
2009-03-24 19:45:28 UTC
Post by JTF
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Post by Borax Man
I have created a public/private set of keys and would like to backup my
secret key. I assume that what this is for, is if my hard drive goes
kaput, I can import the backup which is on a USB stick/CD/Floppy, etc.
I just backup my keyrings for that.
Post by Borax Man
gpg -ao secret.key --export-secret-keys A1B2C3D4
and get a file.
My question is this, why did it NOT ask for the passphrase? Is it that
the file I've just created is still encrypted with the passphrase?
Yes. It is still encrypted.
Post by Borax Man
Secondly, it would be a good idea NOT to have the private key on the
Hard Drive, and just have it on a USB stick, but how do I operate GPG
with the secret key on a disk?
If this is unix/linux, you can make "secring.gpg" a symlink to the
USB file. If you are only verifying signatures, you won't need
your secret key. If you are encrypting or signing, you will need it.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
iEYEARECAAYFAknFNRQACgkQvmGe70vHPUMusQCgsSvnQay23VAhDWrKYOQfkJZ5
Fl8AoO5f6hx+WP1SH14380+mgv3gXdap
=+pox
-----END PGP SIGNATURE-----
Another option is to create an encrypted drive volume with TrueCrypt
and then save it off that way....the volume being encrypted should
keep your stuff safe for the foreseeable future.
I just wanted to be sure, as I plan to have a backup (of course!). I
just wanted purely to confirm whether these two steps would be enough to
back up my keys, and whether my suspicions regarding the lack of a
passphrase in exporting the private key were correct.

I also figured the symbolic links were the way to go, just thought there
might have been another method, like specifying a location in a config
file or something.

Thank you both for your help.
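Neil's symlink suggestion, which Dennis settles on above, is easy to get wrong in two ways: overwriting the only copy of `secring.gpg` with a link, and not noticing that the link dangles once the stick is unplugged (gpg then simply behaves as if you had no secret key). The script below is an added example, not code from the thread or from GnuPG: it creates the link with those checks in place and reports the state of the secret store. It assumes a POSIX filesystem, that the store has already been moved to the media, and the GnuPG 1.x/2.0 layout from the thread (a `secring.gpg` file); GnuPG 2.1 and later keep secret keys in the `private-keys-v1.d` directory under gpg-agent instead, which is why the store name is a parameter. The `demo()` function walks the whole procedure on constructed directories under a temporary directory with a placeholder file, not a real keyring.

```python
"""Added example (not code from the thread): point a GnuPG home directory at a
secret key store kept on removable media via a symlink, with the checks a
practitioner wants. Assumes POSIX; the store was already moved to the media;
name is secring.gpg (GnuPG 1.x/2.0) or private-keys-v1.d (GnuPG 2.1+)."""
import shutil
import tempfile
from pathlib import Path


def link_secret_store(gnupghome: str, media: str, name: str = "secring.gpg") -> Path:
    """Replace <gnupghome>/<name> with a symlink to <media>/<name>.
    Refuses to overwrite a real file or directory at the destination, since
    that might be the only copy of the secret key."""
    src, dst = Path(media) / name, Path(gnupghome) / name
    if not Path(media).is_dir():
        raise FileNotFoundError(f"media {media} is not mounted")
    if not src.exists():
        raise FileNotFoundError(f"no {name} on {media}; move it there first")
    if dst.is_symlink():             # an old link (dangling or not) is safe to replace
        dst.unlink()
    elif dst.exists():
        raise FileExistsError(f"{dst} is a real {'directory' if dst.is_dir() else 'file'}; "
                              "move it to the media yourself first")
    try:                             # gpg warns about unsafe permissions otherwise;
        src.chmod(0o700 if src.is_dir() else 0o600)   # FAT media may reject chmod
    except OSError:
        pass
    Path(gnupghome).mkdir(mode=0o700, exist_ok=True)
    dst.symlink_to(src, target_is_directory=src.is_dir())
    return dst


def secret_store_status(gnupghome: str, name: str = "secring.gpg") -> str:
    """present | media-unplugged (link dangles: gpg acts as if no secret key
    exists) | local-copy (a real file, not a link) | missing"""
    p = Path(gnupghome) / name
    if p.is_symlink():
        return "present" if p.exists() else "media-unplugged"
    return "local-copy" if p.exists() else "missing"


def demo(name: str = "secring.gpg") -> dict:
    """Walk the procedure on constructed directories under a temp dir and
    return the status observed at each step (placeholder file, not a keyring)."""
    root = Path(tempfile.mkdtemp(prefix="gpg-media-demo-"))
    media, home = root / "usb", root / "gnupg"
    media.mkdir()
    home.mkdir(mode=0o700)
    (media / name).write_bytes(b"\x95\x00\x00")          # constructed placeholder
    out = {"before": secret_store_status(home, name)}
    link_secret_store(home, media, name)
    out["after_link"] = secret_store_status(home, name)
    out["relinked_ok"] = link_secret_store(home, media, name).is_symlink()   # idempotent
    media.rename(root / "usb-unplugged")                  # simulate pulling the stick
    out["unplugged"] = secret_store_status(home, name)
    (root / "usb-unplugged").rename(media)
    out["replugged"] = secret_store_status(home, name)
    (home / name).unlink()
    (home / name).write_bytes(b"local")                   # a real file must not be clobbered
    try:
        link_secret_store(home, media, name)
        out["clobber_refused"] = False
    except FileExistsError:
        out["clobber_refused"] = True
    shutil.rmtree(root)
    return out


if __name__ == "__main__":
    for step, value in demo().items():
        print(f"{step:16} {value}")
```

After linking, `gpg --list-secret-keys` should show the key only while the media is mounted; `secret_store_status()` returning `media-unplugged` explains a sudden "secret key not available" without touching gpg. On the config-file route Dennis asked about: GnuPG 1.4 and 2.0 accept a `secret-keyring <file>` line in gpg.conf, which points at a keyring on the media without any symlink, but that option was removed in 2.1 along with `secring.gpg` itself.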
Maarten Bodewes
2009-03-28 19:52:15 UTC
Post by Neil W Rickert
Post by Borax Man
I have created a public/private set of keys and would like to backup my
secret key. I assume that what this is for, is if my hard drive goes
kaput, I can import the backup which is on a USB stick/CD/Floppy, etc.
I just backup my keyrings for that.
Post by Borax Man
gpg -ao secret.key --export-secret-keys A1B2C3D4
and get a file.
My question is this, why did it NOT ask for the passphrase? Is it that
the file I've just created is still encrypted with the passphrase?
Yes. It is still encrypted.
Post by Borax Man
Secondly, it would be a good idea NOT to have the private key on the
Hard Drive, and just have it on a USB stick, but how do I operate GPG
with the secret key on a disk?
If this is unix/linux, you can make "secring.gpg" a symlink to the
USB file. If you are only verifying signatures, you won't need
your secret key. If you are encrypting or signing, you will need it.
Uh, no, you use your public key - without passphrase - for encryption
and verification of signatures and the private key for decrypting and
creating signatures.

I think Neil knows this but just wrote it up badly :)

Maarten
Neil W Rickert
2009-03-29 02:06:10 UTC
Post by Maarten Bodewes
Uh, no, you use your public key - without passphrase - for encryption
and verification of signatures and the private key for decrypting and
creating signatures.
I think Neil knows this but just wrote it up badly :)
Oops, yes. Thanks for the correction.