How to Backup and Restore Your GPG Key
Jan 11, 2020
A couple of weeks ago I upgraded my MacBook to Catalina, the latest version of macOS. Once the upgrade was completed, I couldn't sign my Git commits because my GPG key was missing. Somehow the upgrade wiped out my entire .gnupg directory where I stored all my GPG keys. Luckily I'd made a backup of my private GPG keys.
What you need to back up is your GPG private key. To export your GPG private key, run the following command in your terminal:
$ gpg --export-secret-keys --armor name > /path/to/secret-key-backup.asc
Replace name above with the name that you used when generating the GPG key. If you're not sure what name you're using, run the following command:
$ gpg --list-secret-keys
# Command output example:
Users/risan/.gnupg/pubring.kbx
-------------------------------
sec   rsa4096 2017-12-12 [SC]
      D020LB50C994521EB6E9EEE932B805973FE94CAC
uid           [ultimate] risan <firstname.lastname@example.org>
ssb   rsa4096 2017-12-12 [E]
From the output above you can see on the uid line that it uses risan for the name.
The --armor option is used to export the key in ASCII format. If we don't pass the --armor option, the key will be exported in binary format. Now all you have to do is store the generated file (secret-key-backup.asc) somewhere for your backup.
In addition, you can also back up the GPG trust database. You can simply back up the file at ~/.gnupg/trustdb.gpg, or you can export it with the following command:
$ gpg --export-ownertrust > /path/to/trustdb-backup.txt
To restore your GPG key from the backup file, simply run the following command:
$ gpg --import /path/to/secret-key-backup.asc
And to restore your GPG trust database, run the following command:
# Will delete the existing trust database.
$ rm ~/.gnupg/trustdb.gpg
$ gpg --import-ownertrust < /path/to/trustdb-backup.txt
If you didn't back up your trust database, the restored GPG key will have an "unknown" trust level. To set it to "ultimate" or another trust level, run the following command:
$ gpg --edit-key name  # Replace "name" with yours
gpg> trust             # Choose "ultimate" or other trust level
gpg> save              # Save the changes
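The export above writes the private key with a plain shell redirect, so the file's permissions follow your umask, and nothing confirms that the file can actually be restored. The script below is an added example, not part of the original article: it checks that the backup is a complete armored private key readable only by its owner, then imports it into a throwaway GNUPGHOME and compares fingerprints with the live keyring. The function names are illustrative, and it assumes GnuPG 2.1 or later.

```shell
#!/bin/sh
# Added example: check a secret-key backup before you need it.
# Function names are illustrative; "name" and the paths follow the article.

file_mode() {   # octal permission bits: GNU stat first, then BSD/macOS stat
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Static checks: armored private key block, not truncated, owner-only access.
check_backup_file() {
    f=$1
    [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    head -n 1 "$f" | grep -q '^-----BEGIN PGP PRIVATE KEY BLOCK-----' ||
        { echo "$f: not an armored private key block" >&2; return 2; }
    grep -q '^-----END PGP PRIVATE KEY BLOCK-----' "$f" ||
        { echo "$f: truncated, END line missing" >&2; return 3; }
    case "$(file_mode "$f")" in
        600|400) ;;
        *) echo "$f: readable by other users, run chmod 600" >&2; return 4 ;;
    esac
}

# Fingerprints of primary secret keys, read from --with-colons output on stdin.
secret_fprs() {
    awk -F: '$1 == "sec" { want = 1 } $1 == "fpr" && want { print $10; want = 0 }' | sort
}

# Restore drill: import into a throwaway GNUPGHOME so ~/.gnupg is untouched.
backup_fprs() {
    tmp=$(mktemp -d) || return 1
    GNUPGHOME=$tmp gpg --batch --quiet --import "$1" 2>/dev/null
    GNUPGHOME=$tmp gpg --batch --with-colons --list-secret-keys | secret_fprs
    GNUPGHOME=$tmp gpgconf --kill gpg-agent 2>/dev/null || :
    rm -rf "$tmp"
}

# Pass only if the backup holds the same secret key as the live keyring.
verify_backup() {
    check_backup_file "$2" || return
    live=$(gpg --batch --with-colons --list-secret-keys "$1" | secret_fprs)
    [ -n "$live" ] && [ "$live" = "$(backup_fprs "$2")" ]
}

# Usage: verify_backup name /path/to/secret-key-backup.asc && echo "backup OK"
```

Running `umask 077` in the shell before the export command makes the backup file owner-only from the moment it is created.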