Backing up your GPG credentials on Linux

Tingfeng 3 min read August 29, 2024 [General] #linux #gpg

GPG is especially useful for signing commits on GitHub. It is a good idea to pre-emptively make backups of your GPG credentials, as extracting them from an unbootable system drive is not a straightforward process.

Backing up GPG

These steps should work on most, if not all, Linux distributions.

  1. First, export your credentials:

    gpg --export --export-options backup --output public.gpg
    gpg --export-secret-keys --export-options backup --output private.gpg
    gpg --export-ownertrust > trust.gpg
    
  2. Afterwards, copy these 3 files (public.gpg, private.gpg and trust.gpg) to somewhere safe (like an external drive or NAS).

  3. You can import them on a new machine by running the following:

    gpg --import public.gpg
    gpg --import private.gpg # Prompts you to type the passphrase that you used when you first created the GPG key.
    gpg --import-ownertrust trust.gpg
    

Tip: For GitHub users, if you need to sign commits using your existing GPG key on your new machine, here is the official guide.
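
Before relying on the three files from step 1, it helps to confirm they cover every secret key in the keyring. The following is an added example, not part of the original post: it compares the fingerprints in the live keyring with those inside public.gpg and private.gpg, without importing anything. The function names verify_gpg_backup and primary_fprs are hypothetical, and it assumes a GnuPG version that provides --show-keys.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Read `gpg --with-colons` output on stdin and print the fingerprint of each
# primary key. $1 is the record type that opens a key block: "sec" or "pub".
primary_fprs() {
    awk -F: -v rec="$1" '
        $1 == rec           { want = 1; next }
        $1 == "fpr" && want { print $10; want = 0 }
    ' | sort -u
}

# verify_gpg_backup DIR
# Returns 0 only if DIR holds non-empty public.gpg, private.gpg and trust.gpg
# and every secret key in the live keyring appears in both key files.
verify_gpg_backup() {
    dir=$1
    for f in public.gpg private.gpg trust.gpg; do
        [ -s "$dir/$f" ] || { echo "missing or empty: $dir/$f" >&2; return 1; }
    done

    live=$(gpg --batch --list-secret-keys --with-colons | primary_fprs sec)
    [ -n "$live" ] || { echo "no secret keys in the live keyring" >&2; return 1; }

    # --show-keys parses a key file without importing it, so no passphrase is needed.
    priv=$(gpg --batch --show-keys --with-colons "$dir/private.gpg" | primary_fprs sec)
    pub=$(gpg --batch --show-keys --with-colons "$dir/public.gpg" | primary_fprs pub)

    status=0
    for fpr in $live; do
        printf '%s\n' "$priv" | grep -qx "$fpr" ||
            { echo "secret key not in private.gpg: $fpr" >&2; status=1; }
        printf '%s\n' "$pub" | grep -qx "$fpr" ||
            { echo "public key not in public.gpg: $fpr" >&2; status=1; }
    done
    return $status
}
```

Run it as verify_gpg_backup /path/to/backup right after the export, and again against the copy on the external drive or NAS.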

Retrieving GPG credentials from old Manjaro installation

So it was time for a clean install of Manjaro on a new drive as my old system's drive went bad and became completely unbootable (persistent initramfs uncompression error 😧).

However, I did not back up my GPG credentials 🤦.

I learned that retrieving them from the old system drive via chroot was technically possible but not a straightforward process.

The following steps were tested on a Manjaro Linux system.

It is assumed that you still remember your GPG passphrase, and your old system drive contents are still readable via USB enclosure.

  1. Chroot as a regular user

    • Log in to the new Manjaro OS and install manjaro-tools-base with the command sudo pacman -S manjaro-tools-base.

    • Put the old Manjaro OS drive in an external USB enclosure and plug it into your new system.

    • Chroot into the old Manjaro OS drive and, within it, log in as your regular user.

      sudo manjaro-chroot -a
      su - username42 # where `username42` is your regular username
      
    • You should now be in /home/username42/ on the old drive.

  2. Export the public key and encrypted private keys

    The following steps are based on https://www.howtogeek.com/816878/how-to-back-up-and-restore-gpg-keys-on-linux.

    • Run gpg --list-secret-keys --keyid-format LONG; you should see your GPG key pair.

    • Run gpg --export --export-options backup --output public.gpg, then exit the chroot environment.

  3. Import the public key and encrypted private keys

    • On your main machine, copy public.gpg from the old drive to your new drive.

    • Also copy the encrypted private key files (*.key) from private-keys-v1.d in the old drive's ~/.gnupg to the new drive's ~/.gnupg folder.

    • On the new machine, run gpg --import public.gpg.

    • Your GPG credentials should now be ready to use on your new machine.

Always back up your GPG credentials

To avoid this messy situation in the first place, always back up your GPG credentials on your existing system when it is still healthy and accessible.