To avoid disastrously losing your private keys, back them up redundantly, in a robust manner, and in a safe location.
As one possible approach, we will store the GPG keyring as QR codes, print them on paper, and demonstrate recovering the keyring. Do note that this method excludes backing up the trust database.
For general GPG usage, consult my previous post on handling GPG keys.
Consult the Internet or your distro’s package mirrors for the following packages:
Exporting the key
First, we’ll peruse gpg’s manual pages about exporting keys:
The important point: never transmit private keys over an insecure medium.
Export your private and public keys into a keyring:
The reason I am not using paperkey is that it requires corresponding public keys to be stored elsewhere. I want both private and public keys stored on the paper for easier retrieval in case of emergency.
Backing up the key
Let’s base64 encode the keyring and split it into smaller chunks because of QR code storage limitations [1]:
Then, we’ll use qrencode [2] to create QR code pictures:
Finally, concatenate the pictures into a single photo for printing purposes:
Then, print this on paper.
Recovering the key
Now, what to do when this paper backup is your only option left?
Scan the QR codes from the paper as JPEG, for example.
Use zbarimg to decode the QR codes as data:
Your mileage will probably vary on the scan’s success rate. I had to manually crop the QR codes into separate JPEGs in order to construct the resulting base64 in the correct order.
zbarimg also adds newlines to the scanned data, so essentially manual reconstruction of the base64 data is needed.
Now, you can import it into a gpg instance:
You should now be able to decrypt any private data stored.
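The backup and recovery steps above, as an added example that is not the author's original commands: each base64 chunk carries an index so the scans can be reassembled in any order, and a SHA-256 digest printed with the codes confirms the rebuilt keyring before it is imported. The chunk size, the NNN: prefix and the function names are assumptions; turning each chunk file into a QR code and scanning it back is left to qrencode and zbarimg.

```shell
#!/usr/bin/env bash
# Added example: numbered base64 chunks plus a SHA-256 check for a paper backup.
# CHUNK_SIZE, the "NNN:" prefix and both function names are assumptions.
CHUNK_SIZE=2000  # base64 chars per QR code; under the 2,953-byte limit of a version 40-L code

# keyring_to_chunks FILE OUTDIR
# Writes OUTDIR/chunk-NNN.txt (one "NNN:<base64>" line each, one file per QR code)
# and OUTDIR/sha256.txt, the digest of FILE to print next to the codes.
keyring_to_chunks() {
    local file="$1" outdir="$2" n=0 part
    mkdir -p "$outdir"
    sha256sum < "$file" | cut -d' ' -f1 > "$outdir/sha256.txt"
    base64 < "$file" | tr -d '\n' | fold -w "$CHUNK_SIZE" |
    while IFS= read -r part || [ -n "$part" ]; do
        n=$((n + 1))
        printf '%03d:%s\n' "$n" "$part" > "$outdir/chunk-$(printf '%03d' "$n").txt"
    done
}

# chunks_to_keyring SCANNED EXPECTED_SHA256 OUT
# SCANNED holds the decoded QR payloads in any order; blank lines, stray CRs and
# codes scanned twice are tolerated. Returns non-zero if the digest does not match,
# which also catches a missing or misread chunk.
chunks_to_keyring() {
    local scanned="$1" expected="$2" out="$3" actual
    grep -E '^[0-9]{3}:' "$scanned" | sort -u -n -t: -k1,1 | cut -d: -f2- |
        tr -d '\r\n' | base64 -d > "$out" || return 1
    actual=$(sha256sum < "$out" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}
```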
This approach is just one solution for backing up your GPG keys and recovering them in case of emergency. Also, if disaster strikes, it is good to have some routine/documentation on the recovery actions. This article serves as such a document.