Backup GPG Primary Key

Since GnuPG keyrings are important and vital to identify you in the virtual world, we need to protect them with our dear life. That also includes backing the keyrings up safely. In this section, we look into various ways of backing up the primary key.

Backup Locally

Offline Encrypted USB Storage

The most common and recommended way to back up the data is to create encrypted USB storage using the cryptsetup software, which is widely available in any Linux operating system today. The idea is to ensure the USB storage partition is encrypted while offline, so that if anyone picks up the USB and tries to use it, he/she will not be able to access it.

Here's a simple gist recommended by saminiir.com to create one (the commands are for reference and comprehension, not for copy-paste usage):

# Create an encrypted USB
# -----------------------
# Identify the USB device first (replace /dev/sdb with the device lsblk shows).
$ lsblk
$ mount /dev/sdb /mnt/usb
# A 16 MB container image is more than enough for an armored key export.
$ dd if=/dev/urandom of=/mnt/usb/disk.img bs=1M count=16
# Attach the image to the first free loop device, then format it as LUKS.
$ loopdev="$(losetup -f)"
$ losetup "$loopdev" /mnt/usb/disk.img
$ cryptsetup -v luksFormat "$loopdev"
$ cryptsetup isLuks "$loopdev" && echo "Success"
# Unlocking prompts for the LUKS passphrase and exposes /dev/mapper/usbkey.
$ cryptsetup open "$loopdev" usbkey
$ mkfs.ext3 /dev/mapper/usbkey


# Mount the USB. On later uses, run "cryptsetup open" first; it prompts you to unlock the device.
# ----------------------------------------------------------------------------------------------
$ mount /dev/mapper/usbkey /media/encrypted


# Copy the secret key into the USB device (the local copy is deleted below)
# -------------------------------------------------------------------------
$ cp masterkey.asc /media/encrypted/


# Unmount the USB for safe-keeping
# --------------------------------
$ umount /media/encrypted
$ cryptsetup close usbkey
$ losetup -d "$loopdev"
$ umount /mnt/usb

# Delete the local copy
# ---------------------
$ rm masterkey.asc

cryptsetup uses LUKS encryption to protect the USB device, so the key stays confidential even if someone else gets hold of the device.


The good news is that:

  1. You have full control over the backup unit.
  2. You can create multiple backup units.
  3. You have full control over protecting the confidentiality of your secret keys.


The bad news is that:

  1. The backup shelf life is equivalent to that of the USB storage.
  2. You need to remember 2 passphrases:
    • 1 for unlocking the encrypted USB device
    • 1 for the master-key passphrase
  3. You need a good place to store the USB storage device, like a safe.

Backup Remotely

You can also choose certified and recognized cloud software like your password manager. It can also store the key securely and remotely.


LastPass

If you choose to back up to LastPass, be sure to use a "Secure Note" instead of the conventional password storage for sites. As of the current date (September 2018), LastPass has A LOT of issues with text processing in its existing templates. Therefore, you should create your own GPG template with the following fields:

  1. Name - for keeping the master key full name
  2. Email - for keeping the master key's corresponding email
  3. Password - for keeping the master key passphrase
  4. Note - for keeping the key data

WARNING - DO NOT use the text or password field to store your key data. LastPass has not been working on fixing the "new line" auto-trimming bug for these fields. If you do that, your key will get corrupted, as all the newlines in the text get trimmed.

Once you're done, place the data into it and save it into your LastPass account. Here's an example:

[Figure: Choosing GPG Backup Medium - LastPass]
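Whichever medium you pick, check the copy before you rely on it. The following is an added example written for this article (not code from the original gist, saminiir.com, or LastPass). It assumes the backup is the ASCII-armored export (for example from gpg --export-secret-keys --armor) and validates only the armor container defined in RFC 4880 section 6: the BEGIN/END lines, the radix-64 body, and the "=" CRC-24 trailer. It does not parse the key packets themselves. The flattened sample reproduces what the newline-trimming bug above does to a key, so the check catches that corruption before the backup is needed; the key bytes are constructed data, not a real key.

```python
"""Check that an ASCII-armored OpenPGP key backup is still intact.

Added example for this article (not from the original gist or LastPass).
Only the armor container of RFC 4880 section 6 is validated: BEGIN/END
lines, radix-64 body and the "=" CRC-24 trailer. Key packets are not
parsed, and the sample payload below is constructed bytes, not a real key.
"""
import base64
import re
from typing import Tuple

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """CRC-24 exactly as specified in RFC 4880 section 6.1."""
    crc = CRC24_INIT
    for octet in data:
        crc ^= octet << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(payload: bytes, block_type: str = "PRIVATE KEY BLOCK") -> str:
    """Wrap raw bytes in OpenPGP ASCII armor; used here only to build a sample."""
    body = base64.b64encode(payload).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc_line = "=" + base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii")
    return "\n".join(
        [f"-----BEGIN PGP {block_type}-----", "Comment: constructed sample", ""]
        + lines
        + [crc_line, f"-----END PGP {block_type}-----", ""]
    )


def check_armor(text: str) -> Tuple[bool, str]:
    """Return (ok, reason); ok only if the armor is structurally intact and
    the CRC-24 trailer matches the decoded body."""
    lines = text.splitlines()
    begin = re.compile(r"^-----BEGIN PGP ([A-Z ]+)-----$")
    start = next((i for i, line in enumerate(lines) if begin.match(line)), None)
    if start is None:
        return False, "no BEGIN line on a line of its own (newlines stripped?)"
    block_type = begin.match(lines[start]).group(1)
    try:
        stop = lines.index(f"-----END PGP {block_type}-----", start + 1)
    except ValueError:
        return False, "no matching END line"
    inner = lines[start + 1:stop]
    # Armor headers end at the first blank line; everything after is radix-64.
    if "" not in inner:
        return False, "missing blank line between headers and body"
    body = inner[inner.index("") + 1:]
    if not body or not body[-1].startswith("="):
        return False, "missing CRC-24 trailer"
    try:
        payload = base64.b64decode("".join(body[:-1]), validate=True)
        expected = int.from_bytes(base64.b64decode(body[-1][1:], validate=True), "big")
    except ValueError:  # binascii.Error is a ValueError
        return False, "body is not valid radix-64"
    if crc24(payload) != expected:
        return False, "CRC-24 mismatch: body altered or truncated"
    return True, "ok"


def verify_backup(original: str, backup: str) -> Tuple[bool, str]:
    """A backup copy must be byte-for-byte the file you exported and still
    pass the armor check (the same test works for a copy read back from USB)."""
    if original != backup:
        return False, "backup differs from the original export"
    return check_armor(backup)


# Constructed sample: deterministic bytes stand in for real key packets.
SAMPLE_KEY = armor(bytes((i * 37 + 11) % 256 for i in range(200)))
# What a field that trims newlines hands back.
FLATTENED = SAMPLE_KEY.replace("\n", "")
# A copy with one character of the body changed.
_parts = SAMPLE_KEY.split("\n")
_parts[3] = ("B" if _parts[3][0] == "A" else "A") + _parts[3][1:]
CORRUPTED = "\n".join(_parts)

if __name__ == "__main__":
    for label, sample in (("export", SAMPLE_KEY), ("flattened", FLATTENED), ("corrupted", CORRUPTED)):
        print(label, verify_backup(SAMPLE_KEY, sample))
```

Run verify_backup with the text of your original export and the text pasted back out of the Secure Note (or read back from the mounted USB) before you delete the local copy; a (False, ...) result means the backup would not restore and the copy has to be redone.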

The good news is:

  1. You have partial control over the backup unit.
  2. It's very easy to access your master key when you need it, over the cloud.
  3. Battle-tested secure storage.
  4. You don't need to manage or hide your devices.
  5. Everything is in one place.


The bad news is:

  1. You have only partial control over protecting the key.
  2. You need to trust LastPass in its commitment to service.
  3. You depend on LastPass.
  4. Slow improvement in LastPass development - the critical bug remains unsolved.
  5. You need to maintain an extremely strong LastPass master password (which you should from the beginning).
  6. LastPass may lock you out due to geopolitical reasons, with cases like White House vs. Huawei, Google vs. Turkey, etc.

Food For Thought

Here is some food for thought for backing up your files.


Backup 3-2-1 Rule

There are other methods to back up your secret keys available across the internet. However, I personally tested these 2 methods and find them sufficient to fulfill the backup rule. The rule states that at any time, the data must:

  • 3 - Always have 3 copies (local offline storage, remote cloud storage, local machine)
  • 2 - Store 2 copies in 2 different mediums (local offline storage, remote cloud storage/local machine)
  • 1 - Keep one copy offsite (remote cloud storage)

That's all about choosing a backup medium for backing up your GPG key.