How to generate and backup a gpg keypair on Linux

Gnu Privacy Guard (gpg) is the Gnu project free and open source implementation of the OpenGPG standard. The gpg encryption system is called “asymmetric” and it is based on public key encryption: we encrypt a document with the public key of a recipient which will be the only one able to decrypt it, since it owns the private key associated with it. Gpg allows us also to sign documents using our private key and let others verify such signature with our public key. In this tutorial we will see how to generate and create a backup of a gpg keypair.

In this tutorial you will learn:

  • How to install gpg
  • How to generate a gpg keypair
  • How to list our keys
  • How to create a backup/export a gpg keypair and trustdb


Software requirements and conventions used

Software Requirements and Linux Command Line Conventions
Category Requirements, Conventions or Software Version Used
System Distribution independent
Software gpg2
Other None
Conventions # – requires given linux-commands to be executed with root privileges either directly as a root user or by use of sudo command
$ – requires given linux-commands to be executed as a regular non-privileged user

Software installation

To be able to generate our Gpg keypair, the first thing we have to do is to install the gpg software. Although it should be already installed on our favorite Linux distribution, here is how to install it explicitly. On Debian we should run:

$ sudo apt-get update && sudo update-get install gpg

On Fedora, or more generally on all recent versions of the distributions member of the Red Hat family, we can use the dnf package manager to perform the installation:

$ sudo dnf install gnupg2

On Archlinux, instead, the package is called gnupg and is included in the distribution “Core” repository; we use the pacman package manager to install it:

$ sudo pacman -Sy gnupg

Generating a keypair

Once the gnupg software is installed on our system, we can proceed further and generate our keypair. To start the generation process we should run the following command:

$ gpg --full-gen-key

Once we run the above command we will be prompted to answer a series of questions. Fist of all we will need to choose what kind of keys we want to create:

gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?

By default, the first option (RSA and RSA) is selected; we can just press enter and use it. The next step consists in choosing the keys size, which can be among 1024 and 4096 bits. The default is 3072. If we want to use any other value, we should just enter it, and confirm our choice. For example:

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096

The next thing we should decide is the expiration date for our keys (if any):

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)

Setting an expiration date is important to limit the damages we could suffer if we loose our personal keys: if something like that happens, anyone could impersonate us, but at least for a limited time. Whatever we choose here, anyway, at end of the process, a revocation certificate will also be generated. It is very important to keep it safe, so we can use it to revoke our keys in such situations.

The default choice is 0, so the keys will never expire. If we just enter a digit, it will be interpreted as the number of days after the keys will expire. To let the digit(s) be interpreted as weeks, months or years we can use the appropriate
suffixes, respectively w, m and y.

The next step in the process consists in the construction of the keys ID. We will be prompted to enter our personal information:

Real name: John Smith
Email address:
Comment: personal
You selected this USER-ID:
    "John Smith (personal) <>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?

The requested information include:

  1. Our real name
  2. Our email address
  3. An optional comment (this can be used, for example, to specify the use of the key)

Once we fill all the fields, we will be prompted with the constructed ID and we will be asked to confirm our information or to modify them. In order to do it we should press the key between parenthesis, so to modify the name, we should enter the n key. To confirm, just enter o and press Enter.

The key generation process will begin. The system needs a lot of random bytes to perform the action, so it will suggest us to perform some other actions on our in order to generate enough entropy. We will also be prompted to enter a passphrase and confirm it, to protect our private key:

Please enter the passphrase to protect your new key                                                                          

Notice that the prompt above could change if you are using a graphical environment. At the end of the process we will receive a confirmation of the keys and the revocation certificate generation:

gpg: /home/egdoc/.gnupg/trustdb.gpg: trustdb created
gpg: key 705637B3C58F6090 marked as ultimately trusted
gpg: directory '/home/egdoc/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/egdoc/.gnupg/openpgp-revocs.d/A4A42A471E7C1C09C9FDC4B1705637B3C58F6090.rev'
public and secret key created and signed.

pub   rsa4096 2021-04-20 [SC]
uid                      Jhon Smith (personal) <>
sub   rsa4096 2021-04-20 [E]

We can list the public keys in our keyring at any time by issuing the following command:

$ gpg --list-keys

To list our secret/private keys, instead, we should run:

$ gpg --list-secret-keys

Master and sub keys

If we take a look at our keyring, we can see that actually a master and a sub key pair were generated. The first is identified by the pub prefix at the beginning of the line, and between brackets, we can see the notation that specifies its use: [SC]. What does this stands for? The “S” means that the key is used for signing, while the “C” means that the key can also be used to sign other keys.

The subkey is described on the line which starts with the sub prefix. We can see the key type (rsa4096) and the generation date. Finally we can see what it is used for. Here the [E] means that the keypair the key is part of, is used
for encryption/decryption.

Here is the complete list of usage notations:

(S)ign: sign some data (like a file)
(C)ertify: sign a key (this is called certification)
(A)uthenticate: authenticate yourself to a computer (for example, logging in)
(E)ncrypt: encrypt data

Creating a backup/exporting the keys

Once we created our gpg keys, and in time, added public keys of some recipients to our keyring, we may want to create a backup of our setup. The most simple way we can proceed is to create a tarball of the entire ~/.gnupg directory. All we have to do is to run:

$ tar -cvpzf gnupg.tar.gz ~/.gnupg

The above command will create a compressed file named gnupg.tar.gz in our current working directory, we should then keep it somewhere safe. An alternative way to backup our public and private keys, together with our trustdb
(the trustdb keeps track of the level of trust of the keys in our keyring), is to use some dedicated gpg commands. For example, to export our public keys we can run:

$ gpg --export --output public_keys

When gpg is invoked with the --export option, it does export all keys from the keyrings to STDOUT, or to a file we can specify with the --output option. In this case we exported them to the public_keys file. Similarly, To export
our secret keys, we can run:

$ gpg --export-secret-keys --output secret_keys

When exporting or re-importing secret keys the password we used to secure our keys will be requested. To import back the file we generated with the commands above, we can use the --import option. For example, to import from the public_keys file, we would run:

$ gpg --import public_keys

Finally, to export/import our trustdb, we can use, respectively, the --export-ownertrust and the --import-ownertrust options:

$ gpg --export-ownertrust > otrust.txt

To import it back:

$ gpg --import-ownertrust otrust.txt


In this tutorial we saw how to generate a Gnu Privacy Guard (gpg) keypair, and we took a look at the guided procedure and the information requested to accomplish the task. We saw how the master and sub keys are created, and what is their default purposes. Finally, we learned how to backup and export our public and secret
keys, together with the trustdb information.

Comments and Discussions
Linux Forum