Having a reliable backup of our GPG (Gnu Privacy Guard) secret key is not optional: the key represents our identity, and loosing it could potentially be a disaster. Creating a backup of our keys and sub-keys is quite a simple thing to do using gpg, and the resulting files can be easily backed up on one or more devices. Electronic devices such USB drives or hard disks, however, tend to fail, and usually in the most inappropriate times; therefore as an extreme resort, we may want to print our keys to paper.
In this tutorial we see how to export a GPG secret key in a format which can be easily printed on paper, and how to optionally generate a QR Code from its content.
In this tutorial you will learn:
- How to export a GPG secret key in a printable format
- How to extract secret information out of a a secret key using paperkey
- How to generate a QR Code from the exported key
| Category | Requirements, Conventions or Software Version Used |
|---|---|
| System | Distribution-independent |
| Software | gpg,paperkey,qrencode,split,zbarimg |
| Other | None |
| Conventions | # – requires given linux-commands to be executed with root privileges either directly as a root user or by use of sudo command $ – requires given linux-commands to be executed as a regular non-privileged user |
Introduction
In a previous tutorial we talked about how to generate a and export a GPG keypair, which is quite an easy operation to perform using the gpg utility. Exporting public and especially secret GPG keys is a convenient way to backup them and store them somewhere safe, however, if we want to be extra-sure we have a reliable way to recover our keys in case of disaster, we may want to export them in a human-readable and printable way. This is what we will learn to do in this tutorial.
Exporting a key using the “–armor” option
When we export a gpg key, by default a binary output is produced. This is ok if we want to store the key to a file, but cannot be read by us humans, and cannot be printed. To solve this problem we can invoke gpg with the --armor option. When this option is used an ASCII armored output is generated, which is easier to read and to print. Supposing we want to export our secret key in this format, we would run:
$ gpg --armor --export-secret-key --output secret.asc <keyid>
The command above generates a file which can be opened with a common text editor, containing the exported content between the following lines:
-----BEGIN PGP PRIVATE KEY BLOCK----- -----END PGP PRIVATE KEY BLOCK-----
The content can be easily printed and stored somewhere safe as an extra measure, however, should the need arise, restoring the key from the printed paper could be a quite tedious process. A possible alternative could be to generate a QR Code from the content of the file. Let’s see how to do it.
Generating a QR Code from the exported content
To generate a QR Code based on the content of the file containing the armored output exported by gpg, we can use the qrencode utility, which is available in the repositories of all the most common Linux distributions. The utility encodes data passed as input in a QR Code and saves the result as a PNG image by default. Let’s try to use it. We run:
$ qrencode -o secret.png < secret.asc
In the example above we invoked qrencode with the
-o option (short for --output), in order to specify the file in which to save the generated image, and used shell redirection to pass the content of the file we exported with gpg as input to the application. As soon as we launch the command above, however, we are notified of an error:
Failed to encode the input data: Input data too large
Since the data contained in the file is too large, qrencode fails to generate the code. How can we solve this problem? The solution is to split the armored output exported with gpg in multiple files, and create separated QR Codes from each one of them. To split the file we can use the split utility, for example:
$ split -C 1000 secret.asc secret.asc-
By running the command above we split the secret.asc file into files of maximum 1000 bytes each. Each files is named by using the second argument we provided, secret-asc-, as prefix, and adding a two-letters suffix by default. In this case we obtain the following result:
secret.asc-aa secret.asc-ab secret.asc-ac secret.asc-ad secret.asc-ae secret.asc-af secret.asc-ag secret.asc-ah secret.asc-ai secret.asc-aj secret.asc-ak secret.asc-al
Now that we have the content of the armored exported file in smaller chunks, we can easily loop over them and create separate the QR Codes:
$ for i in secret.asc-*; do qrencode -o "${i}.png" < "${i}"; done
The generated QR Codes can be easily read with any barcode scanner application on our smartphone, or, from the command line interface, by using the
zbarimg utility. To reconstruct the original content, the strings resulting from scanning the QR Codes must be concatenated. Using zbarimg, for example, we could run:
$ for i in secret.asc-*.png; do zbarimg --quiet --raw "${i}"| head -c -1 >> reconstructed-key.asc; done
In the example above, we loop over the QR Codes in the “.png” images and read each one of them with zbarimg. We invoke the utility using the --quiet option to disable statistic lines, and --raw to avoid additional symbology type information. We than piped the result of the command to the head -c -1 command: what this command does is printing all the passed content except the last byte, which in this case is a newline character (in ASCII each character is stored in one byte). Finally, using shell redirection, we append the content to the reconstructed-key.asc file, which we can use to import back our secret key:
$ gpg --import reconstructed-key.asc
Extracting only secret information using paperkey
The output produced when exporting a gpg secret key, normally contains also information about the public key associated with it, which we don’t need. The paperkey utility is designed to extract only the secret portion of information from the data, and is available in the repositories of the most used Linux distributions. Here is an example of its usage:
$ gpg --export-secret-key <key-id> | paperkey --output secret.txt
Notice that in the example above we didn’t armor the data exported with gpg! To restore the secret key from the output generated by paperkey, we need to have our public key at hand, but this should not a problem, since we usually distribute our public key on key servers like https://keyserver.ubuntu.com/, for example. Supposing our public key to be in the
public-key.gpg file, we would run:
$ paperkey --pubring mypublickey.gpg --secrets secret.txt | gpg --import
The command above will take the secret key data portion contained in the secret.txt file, combined with the public key, and reconstruct the whole, original secret key, which is than imported on the fly with gpg.
Conclusions
In this tutorial we saw how can we export our GPG secret key in a format which can be printed on paper, as an extra backup solution. We saw how to perform the operation with the gpg utility and with paperkey, a tool designed to extract only the secret information portion from the exported content. Finally, we saw how to generate multiple QR Codes from the exported key content.
