Backup OpenPGP keys on paper


Recently I remember I was keeping a backup of my OpenPGP keys on an external hard drive that any day now could just cease to work. After my first attempts with PGP/GPG where I lost my private keys and could no longer revoke them, I wasn’t planning on loosing another one again.

After reading what others did to store their private PGP keys, I figured that the best way to store them was on paper. That’s where paperkey comes along. Paperkey is an OpenPGP key archiver by David Shaw, one of the main GPG developers.

What does paperkey do?

Due to metadata and redundancy, OpenPGP secret keys are significantly larger than just the “secret bits”. In fact, the secret key contains a complete copy of the public key. Since the public key generally doesn’t need to be escrowed (most people have many copies of it on various keyservers, web pages, etc), only extracting the secret parts can be a real advantage.

Paperkey extracts just those secret bytes and prints them. To reconstruct, you re-enter those bytes (whether by hand, OCR, QR code, or the like) and paperkey can use them to transform your existing public key into a secret key.

So to try it out, I installed it via homebrew.

brew install paperkey

Take the secret key in secret-key.gpg and generate a text file my-key-text-file.txt that contains the secret data:

paperkey --secret-key secret-key.gpg --output my-key-text-file.txt

I then printed the resulting text file and stored it somewhere safe.

To reconstruct secret-key.gpg, take the secret key data in my-key-text-file.txt and combine it with public-key.gpg:

paperkey --pubring public-key.gpg --secrets my-key-text-file.txt --output secret-key.gpg

I also stored a digital copy of my secret key on a new USB flash drive.

Bonus: You could also print a QR code of the paperkey output.

brew install qrencode
paperkey --secret-key secret-key.gpg --output-type raw | qrencode -o qr-paperkey.png

By the way, I’m in no way an #expert in PGP/GPG or security in general.

How do you backup your PGP keys?

Leave a Reply

Your email address will not be published. Required fields are marked *