Backing up and restoring OpenPGP keys in Ubuntu

I have recently set up Amazon S3 backups for my server using Duplicity; something I will write about later. A key feature of Duplicity is that it can encrypt your backups so that no one can really access your files. The upside to this is that your data will be not compromised, the downside is a more difficult backup restore process.

Encryption is implemented in Duplicity using OpenPGP. OpenPGP is basically an open public key cryptography tool similar to what is used to verify SSL certificates. You can see all your OpenPGP keys by executing the following command:

gpg --list-keys
The command should return results similar to:

pub 1024D/484808AA 2009-02-14
uid Paul Chiu
sub 2048g/780E7E92 2009-02-14

What you are looking for is the 484808AA string. This is the key id for a particular key. My output shows that I have only one key so there are no other lines beginning with pub 1024D. Using this id you can export your key with the following command:

gpg -ao public.mypgp.key --export 484808AA
The command will output public key id 484808AA and store it in public.mypgp.key file. It is important for you to keep this file somewhere safe as you will need to use it during restore. For those interested the contents of your key file should look like:

Version: GnuPG v1.4.6 (GNU/Linux)


My actual key has 30 lines with the encoded block consisting of about 25 lines.

The next step is basically the same, however you are using slightly different commands to get your private key. The commands are:

gpg --list-secret-keys
gpg -ao private.mypgp.key --export-secret-keys [key id]
Another difference that should be noted is that secret key lists start with sec instead of pub. Otherwise using the secret key commands works basically the same way as the public key commands.

Restoring the keys is a very easy process. You may wish to restore when you migrate your server/computer or when you need to recover from a system failure. The commands you need to use are:

gpg --import public.mypgp.key
gpg --import private.mypgp.key
After restore you can execute the key listing commands again to check that everything was restored properly. You can now continue using your encryption programs such as Duplicity to fully restore a system or create new backups that are compatible with the old.


Post a Comment