GPG Export – How to Export GPG Private and Public Keys to a File

gpgopenpgppgp

I have generated keys using GPG, by executing the following command

gpg --gen-key

Now I need to export the key pair to a file;
i.e., private and public keys to private.pgp and public.pgp, respectively.
How do I do it?

Best Answer

Export Public Key

This command will export an ascii armored version of the public key:

gpg --output public.pgp --armor --export username@email

Export Secret Key

This command will export an ascii armored version of the secret key:

gpg --output private.pgp --armor --export-secret-key username@email

Security Concerns, Backup, and Storage

A PGP public key contains information about one's email address. This is generally acceptable since the public key is used to encrypt email to your address. However, in some cases, this is undesirable.

For most use cases, the secret key need not be exported and should not distributed. If the purpose is to create a backup key, you should use the backup option:

gpg --output backupkeys.pgp --armor --export-secret-keys --export-options export-backup user@email

This will export all necessary information to restore the secrets keys including the trust database information. Make sure you store any backup secret keys off the computing platform and in a secure physical location.

If this key is important to you, I recommend printing out the key on paper using paperkey. And placing the paper key in a fireproof/waterproof safe.

Public Key Servers

In general, it's not advisable to post personal public keys to key servers. There is no method of removing a key once it's posted and there is no method of ensuring that the key on the server was placed there by the supposed owner of the key.

It is much better to place your public key on a website that you own or control. Some people recommend keybase.io for distribution. However, that method tracks participation in various social and technical communities which may not be desirable for some use cases.

For the technically adept, I personally recommend trying out the webkey domain level key discovery service.

Related Solutions

GPG Hangs When Private Keys are Accessed

I came across this exact issue (OSX Sierra 10.12.6, gpg/GnuPG 2.2.5)

Commands that would hang:

gpg -K # --list-secret-keys
gpg -d # --decrypt
gpg --edit-key
gpgconf --kill gpg-agent

My solution was the same as mentioned by John above (ie. kill gpg-agent) as most other methods on how-can-i-restart-gpg-agent would also hang.

# Solution    
pkill -9 gpg-agent

Then for signing git commits I set the tty env as mentioned by cas above and also at gpg-failed-to-sign-commit-object.

export GPG_TTY=$(tty)

Gpg cannot unlock passphrase-less key: “gpg: public key decryption failed: No passphrase given”

I solved this by using an older system which had the key.

I set a new passphrase on the old system where empty-passphrase input works.
Export old system private key and copy it over new system
Clean gpg state of new system (move .gnupg to .gnupg.bak)
Import the non-empty passphrase private key

Here are the commands I ran:

# put a non-empty passphrase on current key
me@old$ gpg --passwd xxxx@xxxx.com
(leave empty on first prompt)
(put a new non-empty passphrase on 2nd)
(confirm new passphrase)

# now we export it

me@old$ gpg --list-secret-keys                               
/home/xxxxx/.gnupg/secring.gpg
-------------------------------
sec   4096R/AAAAAAAA 2015-01-01
uid                  Foo Bar <xxxx@xxxxx.com>
uid                  Bar Foo <xxxx@yyyyy.com>
ssb   4096R/BBBBBBBB 2015-01-01

# I've used the first key id (should be 8 hex digits)
me@old$ gpg --export-secret-keys AAAAAAAA > priv.key

# copy key over new system

# backup .gnupg dir just in case
me@new$ mv .gnupg .gnupg.back
# import new priv key
me@new$ gpg --import priv.key
(type new passphrase set previously)

# done!

For completeness sake here are the software versions of both systems, maybe that can help someone:

New system (cannot input empty passphrase) software version:

gpg (GnuPG) 2.2.5
libgcrypt 1.8.2
pinentry-curses (pinentry) 1.1.0

Old system (can input empty passphrase) software version:

gpg (GnuPG) 2.0.24
libgcrypt 1.6.1
pinentry-curses (pinentry) 0.8.3