In the Linux kernel maintainer PGP guide I don’t understand the section “Back up your whole GnuPG directory”, and it is also asymmetric with the section discussing paperkey.
AFAIK, this should be sufficient:
gpg --output "priv_0.pgp" --armor --export-secret-key
I do 16 of these and then copy those to a USB stick (i.e. one for each hex digit).
@jarkko You should also backup public keys (of others) together with their ownertrust.
@duxsco My “alternative” approach to the one proposed in the guide (I quite strictly follow it otherwise) has a measurable benefit: it is more durable given the 16 spare copies of the secret material.
I’ve even been thinking of sending a patch to kernel-pgp-guide.txt, and that was sort of the grounds for making this post. I think that just packing ~/.gnupg is a somewhat dirty approach…
I’d also like to point out that this approach mirrors how paperkey use is instructed, so it is not asymmetrical. IMHO, processes should only have asymmetry if you have some very well rationalized, explicit reason for it when it comes to privacy and security.
@jarkko It depends on how large the list of your public keys is. And, saving it in a tamper-proof way (not Mastodon) is the way to go (IMHO).
I am not arguing pro/contra the tar approach. I am arguing against the statement "--export-secret-key" being sufficient.
> If you want to back up public keys it is better idea similarly just export them to a separate file
That's exactly what I stated with "You should also backup public keys (of others)".
> and also ownertrust has an export command)
That's where the term "ownertrust" I mentioned previously comes from...
@jarkko fyi, this might be of interest:
https://wiki.archlinux.org/title/Parchive
@jarkko And, you are better off saving to a CD.
> However, as with any flash storage, data loss from bit leaking due to prolonged lack of electrical power and the possibility of spontaneous controller failure due to poor manufacturing could make it unsuitable for long-term archiving of data.
@monsieuricon so is there some difference compared to:
gpg --output "$USER-public.pgp" --armor --export $USER
gpg --output "$USER-private.pgp" --armor --export-secret-key $USER
gpg --export-ownertrust > "$USER-ownertrust.pgp"
Not trying to argue against it, just trying to understand what I’m reading :-)
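The three-export approach in the post above, as an added example that is not part of the thread: a POSIX sh script that exports secret keys, the public keyring and ownertrust from one GNUPGHOME and restores them into a throwaway one to check that the backup actually comes back. The file names, the demo key and the helper function names are assumptions made for this example.

```shell
# Added example, not from the thread: the three exports discussed above (secret
# keys, others' public keys, ownertrust) plus a restore into a throwaway
# GNUPGHOME. Assumes GnuPG 2.x on PATH; file names and demo key are made up.
# Options for non-interactive runs (word-split on purpose); empty = pinentry.
GPG_BATCH_OPTS=${GPG_BATCH_OPTS:-}
# Export the keyring in SRC_HOME ($1) into DEST_DIR ($2) as armored files;
# armor survives text-only media such as paper or a CD label.
gpg_backup_export() {
    mkdir -p "$2"
    GNUPGHOME=$1 gpg --batch --yes --armor $GPG_BATCH_OPTS \
        --output "$2/secret-keys.asc" --export-secret-keys
    GNUPGHOME=$1 gpg --batch --yes --armor --output "$2/public-keys.asc" --export
    GNUPGHOME=$1 gpg --batch --export-ownertrust > "$2/ownertrust.txt"
}
# Import the files in DEST_DIR ($1) into NEW_HOME ($2), created with mode 700.
gpg_backup_restore() {
    mkdir -p "$2" && chmod 700 "$2"
    GNUPGHOME=$2 gpg --batch $GPG_BATCH_OPTS --import "$1/public-keys.asc"
    GNUPGHOME=$2 gpg --batch $GPG_BATCH_OPTS --import "$1/secret-keys.asc"
    GNUPGHOME=$2 gpg --batch --import-ownertrust "$1/ownertrust.txt"
}
# Sorted fingerprints of every secret key and subkey in HOME ($1).
gpg_secret_fprs() {
    GNUPGHOME=$1 gpg --batch --with-colons --list-secret-keys 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10 }' | sort
}
# Ownertrust lines of HOME ($1) minus the date-stamped comment header.
gpg_ownertrust() {
    GNUPGHOME=$1 gpg --batch --export-ownertrust 2>/dev/null | grep -v '^#' | sort
}
# 0 when NEW_HOME ($2) holds the same secret keys and ownertrust as SRC_HOME ($1).
gpg_backup_verify() {
    [ -n "$(gpg_secret_fprs "$1")" ] &&
        [ "$(gpg_secret_fprs "$1")" = "$(gpg_secret_fprs "$2")" ] &&
        [ "$(gpg_ownertrust "$1")" = "$(gpg_ownertrust "$2")" ]
}
# Full round trip on a fresh, passphrase-protected demo key in temporary homes;
# returns 0 when export, restore and verify all succeed, then stops the agents.
gpg_backup_selftest() {
    GPG_BATCH_OPTS="--pinentry-mode loopback --passphrase demo-passphrase"
    src=$(mktemp -d) && chmod 700 "$src" && bak=$(mktemp -d) && new=$(mktemp -d)
    GNUPGHOME=$src gpg --batch $GPG_BATCH_OPTS --quick-generate-key \
        'Backup Demo <demo@example.invalid>' default default never
    if gpg_backup_export "$src" "$bak" && gpg_backup_restore "$bak" "$new" &&
        gpg_backup_verify "$src" "$new"; then rc=0; else rc=1; fi
    for h in "$src" "$new"; do GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null || true; done
    rm -rf "$src" "$bak" "$new"
    return $rc
}
```

Source the script and run `gpg_backup_selftest` for the round trip, or call `gpg_backup_export "${GNUPGHOME:-$HOME/.gnupg}" /path/to/removable/media` against a real keyring, where pinentry asks for the passphrase. Verifying the restore into a fresh GNUPGHOME is the step that catches a backup which only looks complete.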