I have generated keys using GPG, by executing the following command
gpg --gen-key Now I need to export the key pair to a file; i.e., private and public keys to private.pgp and public.pgp, respectively. How do I do it?
4 Answers
Export Public Key
This command will export an ascii armored version of the public key:
gpg --output public.pgp --armor --export username@email
Export Secret Key
This command will export an ascii armored version of the secret key:
gpg --output private.pgp --armor --export-secret-key username@email
Security Concerns, Backup, and Storage
A PGP public key contains information about one's email address. This is generally acceptable since the public key is used to encrypt email to your address. However, in some cases, this is undesirable.
For most use cases, the secret key need not be exported and should not be distributed. If the purpose is to create a backup key, you should use the backup option:
gpg --output backupkeys.pgp --armor --export-secret-keys --export-options export-backup user@email
This will export all necessary information to restore the secrets keys including the trust database information. Make sure you store any backup secret keys off the computing platform and in a secure physical location.
If this key is important to you, I recommend printing out the key on paper using paperkey. And placing the paper key in a fireproof/waterproof safe.
Public Key Servers
In general, it's not advisable to post personal public keys to key servers. There is no method of removing a key once it's posted and there is no method of ensuring that the key on the server was placed there by the supposed owner of the key.
It is much better to place your public key on a website that you own or control. Some people recommend keybase.io for distribution. However, that method tracks participation in various social and technical communities which may not be desirable for some use cases.
For the technically adept, I personally recommend trying out the webkey domain level key discovery service.
- 5Is the exported key (second command) encrypted or do I need to encrypt it by myself before storing it on a.g. a USB drive?Funkwecker– Funkwecker2019-02-18 10:53:00 +00:00Commented Feb 18, 2019 at 10:53
- 3@Julian ... The exported secret key has the same protection as the secret key that was exported. If there was a passphrase, the passphrase is required to import the secret key.RubberStamp– RubberStamp2019-02-18 12:55:01 +00:00Commented Feb 18, 2019 at 12:55
- 4@OMGtechy How did you try to recover the key(s)? I could restore public keys by
gpg --import-options restore --import backupkeys.pgp, but that does not restore secret keys, only the public ones, if backupkeys.pgp was created bygpg --output backupkeys.pgp --armor --export --export-options export-backup. In that--armoris not necessary andexport-backupcould be replaced bybackup.jarno– jarno2019-12-15 00:52:16 +00:00Commented Dec 15, 2019 at 0:52 - 2Note that Keybase has since been bought by Zoom, who have very close ties to China.Zoe - Save the data dump– Zoe - Save the data dump2020-07-04 19:12:14 +00:00Commented Jul 4, 2020 at 19:12
- 2It may be convenient to export based on the keypair fingerprint if the same email address has been used for multiple keypairs, e.g.
gpg --armor --export <fingerprint> > <fingerprint>.public.asc- you can also use the long keyid which is the last 16 chars of the fingerpint. cc @user643011cliff.meyers– cliff.meyers2024-12-05 15:26:29 +00:00Commented Dec 5, 2024 at 15:26
- List the keys you have:
gpg --list-secret-keys - Export the key:
gpg -o ~/my-key.asc --export-secret-key name - Copy it on another machine;
- Import the key:
gpg --import my-key.asc
- 14Note that
.ascstands for ASCII, but the output ofgpg --list-secret-keysis binary.Weihang Jian– Weihang Jian2020-06-02 15:49:36 +00:00Commented Jun 2, 2020 at 15:49 - 6Actually, .asc is for
ASCII armoredand the output is enciphered text. You can safely cat it and see for yourself. Also, like most linux files, the file extension is also arbitrary, doesn't technically have to be asc. @WeihangJianJeter-work– Jeter-work2020-12-04 14:44:51 +00:00Commented Dec 4, 2020 at 14:44 - 2It would be a good idea to remove the key file after it is imported and tests successfully. If the file is sitting there it could be used maliciously.Jeter-work– Jeter-work2020-12-04 14:45:56 +00:00Commented Dec 4, 2020 at 14:45
- 1simply use -a option will export it in ASCII format, gpg -a --export-secret-keys nameY00– Y002021-12-14 04:22:33 +00:00Commented Dec 14, 2021 at 4:22
- Note that
namecan be either the 40-char keypair fingerprint or the long format keyid which is the last 16 chars of the fingerprint.cliff.meyers– cliff.meyers2024-12-05 15:31:20 +00:00Commented Dec 5, 2024 at 15:31
To export SOMEKEYID public key to an output file:
gpg --output public.pgp --export SOMEKEYID When working with secret keys it's generally preferable not to write them to files and, instead, use SSH to copy them directly between machines using only gpg and a pipe:
gpg --export-secret-key SOMEKEYID | ssh othermachine gpg --import If you must, however, output your secret key to a file please make sure it's encrypted. Here's how to accomplish that using AES encryption using the Dark Otter approach:
gpg --output public.gpg --export SOMEKEYID && \ gpg --output - --export-secret-key SOMEKEYID |\ cat public.gpg - |\ gpg --armor --output keys.asc --symmetric --cipher-algo AES256 The last approach is ideal if you want to create a physical back-up of your public and private keys to safeguard against a disk failure when no other way exists to regain access to your keys.
Note: If you only have a copy of your private key but not your public key it is possible to recovery your public key by reimporting the private key, trusting it, and then re-exporting.
See Moving GPG Keys Privately for additional considerations.
- Gave the Dark Otter approach a try but it fails with the follow error gpg: cancelled by user gpg: error creating passphrase: Operation cancelled gpg: symmetric encryption of `[stdin]' failed: Operation cancelledSquashman– Squashman2022-10-17 20:59:14 +00:00Commented Oct 17, 2022 at 20:59
- I was able to get the Dark Otter Approach to work with GPG 1.4.21 but not GPG 2.0.22. Using 2.0.22 never prompts me to enter a passphrase.Squashman– Squashman2022-10-17 21:41:34 +00:00Commented Oct 17, 2022 at 21:41
"GnuPG (aka PGP/GPG)" More information
Generate key: gpg --gen-key
View all keys: gpg --list-keys
Export public key:
gpg --export -a --output [path-to-public-key].asc [email-address] Export secret key:
gpg -a --export-secret-keys > [path-to-secret-key].asc 
gpg --full-generate-keyto have a full interface for generating keys