The safest way to backup GPG and SSH keys

5,339

Solution 1

Your GPG secret keyring is already encrypted, though it's only as strong as your passphrase (which is true of any encryption).

I'd make a tar file of all the files you want to back up (a few folders/files listed on the tar command line, or with -T/--files-from to read the names from a file) and pipe tar's output to GPG. Basically:

tar -c folder | gpg --output archive.tar.gpg -e

But be careful that you don't encrypt your only copy of your secret key with your secret key... i.e. don't lock the key to your safe inside your safe. Conventional (passphrase-only) encryption works too:

tar -cz --files-from=addthese.txt | gpg --cipher-algo AES256 -z 0 --output archive.tar.gz.gpg -c

This avoids making any extra unencrypted copies of the data that you'd have to find and wipe (or wipe all free space) if that's a concern. Any program that writes to standard output can be piped into gpg too, in case it's not just plain files you're backing up.
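The pipeline from this answer, written out as an added example (not code from the original answer): tar streams straight into gpg's symmetric mode so no unencrypted archive touches the disk, and a second function proves the backup is restorable by decrypting it back into a stream and having tar list it. The passphrase file and the placeholder paths are assumptions made so the script can run unattended; for interactive use drop --batch and --passphrase-file and gpg will prompt, exactly as the -c command above does.

```shell
#!/bin/sh
# Added example, not code from the original answer: stream tar straight into
# gpg symmetric encryption so no unencrypted archive ever lands on disk, then
# prove the backup is usable by decrypting it back into a stream and listing it.
set -eu
# pipefail is not POSIX; enable it where the shell supports it so a failing
# tar (e.g. an unreadable file) is not hidden behind a successful gpg.
(set -o pipefail) 2>/dev/null && set -o pipefail

# backup_keys OUTFILE PASSFILE PATH...
# PASSFILE holds the passphrase on its first line (an assumption made so the
# script runs unattended; omit --batch/--passphrase-file to be prompted).
backup_keys() {
    out=$1
    passfile=$2
    shift 2
    # -z 0 turns off gpg's own compression: the tar stream is already gzipped.
    tar -cz "$@" | gpg --batch --yes --pinentry-mode loopback \
        --passphrase-file "$passfile" \
        --symmetric --cipher-algo AES256 \
        -z 0 --output "$out"
}

# verify_backup OUTFILE PASSFILE
# Decrypts to stdout and has tar list the members, so no plaintext is written.
# Returns non-zero if the passphrase is wrong, the file is corrupt, or the
# archive is truncated.
verify_backup() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase-file "$2" \
        --decrypt "$1" | tar -tz >/dev/null
}

# Usage (placeholder paths):
#   backup_keys keys.tar.gz.gpg /path/to/passphrase ~/.gnupg ~/.ssh
#   verify_backup keys.tar.gz.gpg /path/to/passphrase
```

Run the verify step before wiping the originals, and store the passphrase somewhere other than the backup medium; the whole point of the answer's warning about the safe is that the encrypted archive must be openable without anything it contains.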

Solution 2

This is how I would back up secure data like this. I'm assuming because you're using ssh keys that you're comfortable on the command line.

  1. Move all the keys to a single folder.
  2. Make a tar archive of that folder: tar -cf keys.tar /path/to/keys/folder
  3. Then I'd encrypt the tar file with OpenSSL, using the command openssl aes-256-cbc -a -in keys.tar -out keys.tar.aes, and give it a secure password.
  4. All your keys are now encrypted in the one .aes file. You can safely move that to your backup device.
  5. When you're ready to open the files, run openssl aes-256-cbc -d -a -in keys.tar.aes -out keys.tar. Then extract the tar archive with tar -xvf keys.tar.
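The OpenSSL workflow from this answer as an added example (not code from the original answer), with two changes a practitioner would want. First, the decrypt command passes -a as well: the encrypt step base64-encodes its output with -a, so a decrypt without it fails on the armoured input. Second, it uses openssl enc with -pbkdf2/-iter (available since OpenSSL 1.1.1); without -pbkdf2, openssl derives the key with a single-iteration MD5 scheme, which is the weakness the comments below refer to. The password file and placeholder paths are assumptions; omit -pass to be prompted instead.

```shell
#!/bin/sh
# Added example, not code from the original answer. Same openssl-based
# workflow, but with PBKDF2 key derivation and a decrypt command that
# matches the encrypt command's options (-a included).
set -eu

# encrypt_archive INFILE OUTFILE PASSFILE
# PASSFILE holds the password on its first line (assumed for unattended use;
# omit -pass to be prompted interactively).
encrypt_archive() {
    openssl enc -aes-256-cbc -salt -pbkdf2 -iter 600000 -a \
        -in "$1" -out "$2" -pass "file:$3"
}

# decrypt_archive INFILE OUTFILE PASSFILE
# Same cipher and KDF parameters plus -d; if -a or the iteration count
# differs from the encrypt step, the derived key differs and decryption fails.
decrypt_archive() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 -a \
        -in "$1" -out "$2" -pass "file:$3"
}

# Usage (placeholder paths):
#   tar -cf keys.tar /path/to/keys/folder
#   encrypt_archive keys.tar keys.tar.aes /path/to/password
#   decrypt_archive keys.tar.aes keys.tar /path/to/password && tar -xvf keys.tar
```

One caveat that the PBKDF2 change does not fix: AES-CBC here carries no integrity tag, so a modified archive may decrypt to garbage without an error (CBC padding only catches some corruption). Checking the decrypted tar against a separately stored checksum, or using gpg as in the first answer, covers that gap.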


Author: unor

Updated on September 18, 2022

Comments

  • unor
    unor over 1 year

    I have, in Ubuntu 14.10, generated a public and private GPG and SSH key set, but I am now needing to do a fresh install and don't want to lose them but don't just want to put them as text files on a USB.

    So what's the safest way of backing them up?

    Is there any way in which I can encrypt the exported files of them or anything like that?

    • Admin
      Admin about 9 years
      I would recommend you use the option in Ubuntu's compressed archive manager to create encrypted archives. Look here for the command line or here for the GUI. As I know you, you can't sleep well at night using weak encryption, so please avoid zip and use the 7z format, which also allows you to encrypt the file list.
  • Admin
    Admin about 9 years
    When running the third command I get this error: Error Message
  • John Cave
    John Cave about 9 years
    Edit: it looks like aes-256 isn't an option on your system. Try aes-256-cbc instead.
  • Xen2050
    Xen2050 about 9 years
    I have not heard good things about OpenSSL or its enc command: "This is a non-standard and not-well vetted construct (!) ... the "iteration count" is set by the enc command to 1 and cannot be changed (!!!!). ... This is quite weak!" GPG looks like a better choice, according to a comment about the Snowden docs, and gpg's decades of use. And gpg pipes with tar wonderfully, so you're not leaving unencrypted data in old/deleted tar files around your drive either.
  • John Cave
    John Cave about 9 years
    Thanks for that @Xen2050. The above procedure is how I back up my servers. I will look further into the post you linked and perhaps change my backup schema.