16

I created a public/secret key using Seahorse (GNOME managing tool for encryption keys). I haven't had issues encrypting and decrypting files from the computer the keys are located in but I'd like to be able to decrypt and encrypt in other computer. What is a secure way to transfer public and private keys in this case?

I ultimately copied my .gnupg directory to the second computer and Ubuntu's key manager detected both keys so after typing my passphrase I was able to open my file but I'd like to know what is a secure/proper way to do it?

Improve this question

4 Answers 4

Reset to default
7

There's no better way, really (at least if you did the copy with an eavesdropping-resistant medium, e.g. through a SSH tunnel, or with a USB key). The key files being stored as files on the hard disks of both systems, this is a simple data transfer issue.

Ultimately, your private keys are protected by your passphrase.

(Of course, public keys can be transfered by any way you see fit, without any security issue: they are public.)

Improve this answer
3
  • Thanks. Another question. If someone gets a copy of my private key, he wouldn't be able to read my encrypted files but he would be able to impersonate me? Is that right? Commented Aug 21, 2012 at 4:57
  • If the files are encrypted using a surrogate key protected by your private key, they'll be able to read them. Commented Aug 21, 2012 at 5:50
  • 1
    Transferring public keys doesn't need confidentiality unless you're concerned about privacy, but you still need to ensure integrity. It's less of a risk in practice, but it is a security issue. Commented Aug 21, 2012 at 7:09
10

Encrypt your private key with a long password and decrypt it on the target computer. Here's how:

First, export the public key:

gpg --output public-key.gpg --export {KEYID}

Then export the secret key and encrypt the result before it's written to disk:

gpg --output - --export-secret-key {KEYID} |\ gpg --armor --output secret-key.asc --symmetric --cipher-algo AES256

Use either a very long or just entirely random password for the encryption.

Then transfer the keys.asc on a FAT-formatted flash and shred them afterwards, or if you know how to destroy CDs (ENTIRELY), use a CD and then destroy it.

To import the key on the other machine, run:

gpg --no-use-agent --output - keys.asc | gpg --import

This will prompt for your password, then decrypt and import the key.

Make sure you destroy the encrypted file after running this! On a small file like a private key bruteforcing the password is fairly trivial and can be done in a matter of weeks to months depending on the hardware available to the attacker. The attacker's job is further simplified by the fact that the structure of a PGP private key is publicly known, so known-cleartext attacks can be attempted. If the encrypted version of your private key is leaked, revoke the key and generate a new one IMMEDIATELY.

Source for the commands: http://montemazuma.wordpress.com/2010/03/01/moving-a-gpg-key-privately/

Improve this answer
1
  • Where does keys.asc come from? All I have is public-key.gpg and secret-key.asc. Commented Dec 21, 2016 at 2:13
3

Encrypt your public and private key before you transfer them to another computer. Use a 30 character random password. Decrypt the file on the other computer with the same password.

Improve this answer
1
  • Thanks for your answer. Then other than encryption, this is the best way available. Commented Aug 21, 2012 at 4:55
0

Send the key to the recipient over different channels.

Send from different accounts, to different accounts.

The recipient's first job is to assemble the pieces.

The second job is to replace the key.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.