Backup GPG Primary Key

Offline Encrypted USB Storage

The most common and recommended way to backup the data is to create an encrypted USB storage using cryptsetup software which is widely available in any Linux Operating System today. The idea is to ensure the USB storage partition is encrypted while offline if anyone picks up the USB and tries to use it, he/she will not be able to access it.

Here's a simple gist recommended by saminiir.com to create one (The codes are for references and comprehensions, not for copy-paste usage):

# Create an encrypted USB

# -----------------------

$ lsblk

$ mount /dev/sdb /mnt/usb

$ dd if=/dev/urandom of=/mnt/usb/disk.img bs=1M count=16

$ loopdev="$(losetup -f)"

$ losetup "$loopdev" /mnt/usb/disk.img

$ cryptsetup -v luksFormat "$loopdev"

$ cryptsetup isLuks "$loopdev" && echo "Success"

$ cryptsetup open "$loopdev" usbkey

$ mkfs.ext3 /dev/mapper/usbkey

# Mount the USB. You'll be prompted to unlock the device.

# -------------------------------------------------------

$ mount /dev/mapper/usbkey /media/encrypted

# Move the secret key into the USB device

# ---------------------------------------

$ mv masterkey.asc /media/encrypted/.

# Umount the USB for safe-keeping

# -------------------------------

$ umount /media/encrypted

$ cryptsetup remove usbkey

$ losetup -d $loopdev

$ umount /mnt/usb

# Delete the local copy

# ---------------------

$ rm masterkey.asc

CryptSetup uses LUKS encryption to protect the USB device just in case anyone has the device.

The good news is that:

1. You have full-control over the backup unit.
2. You can create multiple backup units.
3. You have full-control over protecting the confidentiality for your secret keys.

The bad news is that:

1. The backup shelf life is equivalent to the USB storage.
2. You to remember 2 passphrases:
   • 1 for unlocking the encrypted USB device
   • 1 for the master-key passphrase
3. A good place to store the USB storage device like a safe or something.

The good news are:

1. You have partial-control over the backup unit.
2. It's very easy to access you master key when you needed, over the cloud.
3. Battle-tested secure storage.
4. Don't need to manage or hide your devices.
5. Everything in one place.

The bad news are:

1. You have partial-control over protecting the key.
2. You need to trust LastPass in its commitment of service.
3. You depends on LastPass.
4. Slow improvement over LastPass development - critical bug not solved.
5. Need to maintain an extremely powerful LastPass password (which you should at the beginning).
6. LastPass may lock you out due to geopolitical reasons with cases like White House vs. Huawei, Google vs. Turkey, etc.