I am new to PGP and have created a keypair using Kleopatra. The public key is now published on certain sites so people can message me securely. The private key is held in the Kleopatra software, and when I get a message I paste it in and then decrypt, and it asks me for the password...

However, I think it is a good idea to back up both the public and private keys somewhere... but I cannot find a way to do this in the software?

I thought I had done this, and it created a .gpg file which I did back up securely months ago... but I now cannot remember/tell whether this contains BOTH the public and private keys?? Because surely they would be in different files?

I am going to get a new PC and laptop soon and completely and securely wipe everything, so I need to ensure the keypair is saved somewhere...

Can anyone help? I find the Kleopatra software somewhat confusing, to be honest...

exharris
  • Do you know where to find the gnupg folder? I think Kleopatra uses that under the hood. It should contain files like `secring.gpg` and a folder named something like `private-keys-v1.d` containing a bunch of `.key` files. If you make a backup of all of that (for example in an encrypted 7zip), you can unpack it again on the new system. **Note: Always have backups, test that your backup works, and have two backups if you plan on wiping the original system!** – Luc Jan 04 '19 at 20:57
  • Kleopatra is great for daily key management, but it helps to learn the command line options too. Check `gpg --armor --export-secret-keys`. – David Jan 04 '19 at 23:35
  • Kleopatra is a [front end to `gpg`](https://www.openpgp.org/software/kleopatra/) .... `gpg` on GNU/Linux systems stores all keys, the trust database, as well as the automatically generated revocation certificates under the `~/.gnupg/` directory. For easy backup of your keys, you can simply copy that directory and all sub-directories to a USB stick... but make sure you physically secure the backup. – RubberStamp Jan 05 '19 at 01:12
  • Thanks guys. I find the link between the backend/command line and the front end pretty confusing; I am used to doing terminal command work in Unix but find it weird in the Windows command prompt. I managed to back up the keypair by right-clicking the cert and 'exporting private key' to a binary file (it was not clear in the app, but online docs confirmed that the resulting output file also contains the public key too). I saved this file off, backed it up securely and then deleted it. Thanks for the replies. – Jan 06 '19 at 11:36

1 Answer

I managed to back up the key pair by right-clicking the cert in the Kleopatra front end, clicking 'Export private key', and saving it to a binary file. It was not clear in the app, but online docs confirmed that the single resulting output file also contains the public key.

exharris
  • It's important to remember that exporting keys, of either kind, does not include the trust level of the key. So, when importing that key at a later time on a different operating system or machine, the key will display **unknown trust**. [see here](https://unix.stackexchange.com/questions/407062/gpg-list-keys-command-outputs-uid-unknown-after-importing-private-key-onto) – RubberStamp Jan 06 '19 at 13:10
  • @RubberStamp Thank you for this. Can you elaborate on the impact? –  Jan 13 '19 at 09:15
  • That's the [web of trust](https://security.stackexchange.com/search?q=web+of+trust+pgp) rabbit hole.... All keys have a trust level assigned by the keyring user, even self-signed keys. Here are the different levels of trust as listed in GPG's menu system: *Please decide how far you trust this user to correctly verify other users' keys (by looking at passports, checking fingerprints from different sources, etc.)* **1** = *I don't know or won't say*, **2** = *I do NOT trust*, **3** = *I trust marginally*, **4** = *I trust fully*, **5** = *I trust ultimately* – RubberStamp Jan 13 '19 at 13:02
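The answer's point, that a single secret-key export also carries the public key, can be checked directly against the backup file rather than taken on faith. The following is an added example, not code from the thread or from GnuPG: a small parser for the OpenPGP packet framing (RFC 4880 section 4.3) that reads a binary `.gpg` or ASCII-armored `.asc` export and reports which key packets it contains. A secret-key packet (tag 5) or secret-subkey packet (tag 7) embeds the public key parameters, so a file containing them holds both halves of the pair; a file with only public-key packets (tags 6 and 14) is a public-only export. The two sample exports at the bottom are constructed dummies with filler key bodies, not real keys; partial-body and indeterminate packet lengths, which real exports can use, are rejected rather than parsed.

```python
# Added example (not from the thread): inspect a GnuPG key export and say
# whether it holds secret-key packets, public-key packets, or neither.
import base64

# Packet tags from RFC 4880 section 4.3
PACKET_TAGS = {2: "Signature", 5: "Secret-Key", 6: "Public-Key", 7: "Secret-Subkey",
               13: "User ID", 14: "Public-Subkey", 17: "User Attribute"}
SECRET_TAGS = {5, 7}
PUBLIC_TAGS = {6, 14}


def dearmor(data: bytes) -> bytes:
    """Return the binary packet stream, decoding ASCII armor if present (CRC line skipped)."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    body, in_block = [], False
    for line in data.decode("ascii").splitlines():
        if line.startswith("-----BEGIN PGP"):
            in_block = True
        elif line.startswith("-----END PGP"):
            break
        elif in_block and line and ":" not in line and not line.startswith("="):
            body.append(line.strip())          # armor headers and the =CRC line are dropped
    return base64.b64decode("".join(body))


def parse_packets(data: bytes):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    pos = 0
    while pos < len(data):
        ptag = data[pos]
        pos += 1
        if not ptag & 0x80:
            raise ValueError(f"bad packet header 0x{ptag:02x} at offset {pos - 1}")
        if ptag & 0x40:                                   # new-format header
            tag, first = ptag & 0x3F, data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos] + 192, pos + 1
            elif first == 255:
                length, pos = int.from_bytes(data[pos:pos + 4], "big"), pos + 4
            else:
                raise ValueError("partial body lengths are not handled here")
        else:                                             # old-format header
            tag, ltype = (ptag >> 2) & 0x0F, ptag & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not handled here")
            width = (1, 2, 4)[ltype]
            length, pos = int.from_bytes(data[pos:pos + width], "big"), pos + width
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError(f"truncated packet (tag {tag}) at offset {pos}")
        pos += length
        yield tag, body


def classify_export(data: bytes) -> dict:
    """Summarise which key packets an export file contains."""
    tags = [tag for tag, _ in parse_packets(dearmor(data))]
    has_secret = any(t in SECRET_TAGS for t in tags)
    has_public = any(t in PUBLIC_TAGS for t in tags)
    if has_secret:      # a secret-key packet carries the public parameters too
        kind = "secret export: public key material is embedded in the secret-key packets"
    elif has_public:
        kind = "public export only: no secret material present"
    else:
        kind = "no key packets found"
    return {"packets": [PACKET_TAGS.get(t, f"tag {t}") for t in tags],
            "has_secret": has_secret, "has_public": has_public, "kind": kind}


def _packet(tag: int, body: bytes) -> bytes:
    # Old-format header with a one-byte length; used only to build the samples.
    return bytes([0x80 | (tag << 2), len(body)]) + body


def armor(data: bytes, label: str) -> bytes:
    """Wrap binary packets in ASCII armor with the RFC 4880 CRC-24 trailer."""
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    b64 = base64.b64encode(data).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc_line = "=" + base64.b64encode((crc & 0xFFFFFF).to_bytes(3, "big")).decode()
    return "\n".join([f"-----BEGIN PGP {label}-----", "Comment: constructed sample", ""]
                     + lines + [crc_line, f"-----END PGP {label}-----", ""]).encode()


# Constructed samples: headers are shaped like v4 key packets, bodies are filler, not real keys.
_KEY_HDR = b"\x04" + (0x5C2FA000).to_bytes(4, "big")      # version 4 + creation time
_UID = _packet(13, b"Example User <user@example.org>")
_SIG = _packet(2, b"\x04\x13\x16\x08" + b"\x00" * 12)
SAMPLE_SECRET_EXPORT = (_packet(5, _KEY_HDR + b"\x16" + b"\x11" * 40) + _UID + _SIG
                        + _packet(7, _KEY_HDR + b"\x12" + b"\x22" * 40) + _SIG)
SAMPLE_PUBLIC_EXPORT = (_packet(6, _KEY_HDR + b"\x16" + b"\x11" * 36) + _UID + _SIG
                        + _packet(14, _KEY_HDR + b"\x12" + b"\x22" * 36) + _SIG)
```

To check a real backup, read the file as bytes and pass it to `classify_export`; `gpg --list-packets backup.gpg` gives the same packet listing from GnuPG itself. Neither view will show any trust information, which is the caveat RubberStamp raises above: owner trust lives in `trustdb.gpg`, not in the exported key, so it has to be carried separately with `gpg --export-ownertrust` and restored on the new machine with `gpg --import-ownertrust`.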