Moving/Copying your PGP Keys

Once you're using PGP, you may want to be able to sign email from more than one location, or you may switch computers. There are a few ways to accomplish this.

Copy All GnuPG Data

Your first choice is to copy all of your GnuPG data. This is a lot more data than just your key, but is still likely to be under 5MB. This method will copy all of your keys, every key you hold for other people, and your entire trust database. It's ideal for backup, or for moving to a new computer. Simply copy all the contents of your GnuPG data directory, which would be as follows:

Where username is your Windows username. Simply copy the entire contents of that directory from one machine to the other and you will be set. There are many ways to move this data, which I won't cover. One example is zipping the data up and copying it to a disk.

This will also work between different operating systems.

Copy Just Your Keys

However, you may not want to bring all that trust data and lots of keys with you. If you'd just like to copy your keys over, first export them (as usual, we assume gpg is in your path):


$ gpg --export-secret-keys -a keyid > my_private_key.asc
$ gpg --export -a keyid > my_public_key.asc

Where keyid is your PGP Key ID, such as A1E732BB. Take the two files and securely copy them to the new machine. It is inadvisable to FTP them or use other plain-text protocols: even though your private key there is encrypted with your passphrase, your passphrase is still the weakest link, and you want to avoid exposing your private key wherever possible. On the new machine:


$ gpg --import my_private_key.asc
$ gpg --import my_public_key.asc

Ensure that the Key ID printed is the correct one, and if so, then go ahead and add ultimate trust for it:


$ gpg --edit-key foo@bar.com
gpg (GnuPG) 1.4.1; Copyright (C) 2005 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Secret key is available.

pub  1024D/BEEFF00D  created: 2005-09-05  expires: 2006-09-05  usage: CS  
                     trust: unknown       validity: unknown 
sub  2048g/DEADBEEF  created: 2005-09-05  expires: 2006-09-05  usage: E   
[ unknown] (1). Foo Bar <foo@bar.com>

Command>

Type in the command trust and it will prompt you:


Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Because this is your key (and you should verify that it is your key by ensuring it's your name and email above), you should choose ultimate. You shouldn't trust anyone else's key ultimately. In fact, setting explicit trust like this is rarely done for keys other than your own. See the page on PGP trust for more info.

Anyway, after you type 5 and answer y to confirm, you'll be back at the Command> prompt and you can type quit to exit.

That's it, you've now copied your key!
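The "ensure that the Key ID printed is the correct one" check above can be scripted before granting ultimate trust. The following is an added example, not part of the original page: it compares the full fingerprint from each machine's gpg --with-colons --fingerprint listing rather than the 8-character Key ID, and builds the line that gpg --import-ownertrust accepts. The function names and the sample listings are constructed for illustration, and a 40-hex-digit (v4) fingerprint is assumed.

```shell
#!/bin/sh
# Constructed listings in `gpg --with-colons --fingerprint` format (not real keys).
# OLD_BOX: key on the original machine. NEW_BOX: same key after import, trust unknown.
OLD_BOX='pub:u:1024:17:66667777BEEFF00D:2005-09-05:2006-09-05::u:Foo Bar <foo@bar.com>::scSC:
fpr:::::::::00001111222233334444555566667777BEEFF00D:
sub:u:2048:16:AAAABBBBDEADBEEF:2005-09-05:2006-09-05:::::e:'
NEW_BOX='pub:-:1024:17:66667777BEEFF00D:2005-09-05:2006-09-05::-:Foo Bar <foo@bar.com>::scSC:
fpr:::::::::00001111222233334444555566667777BEEFF00D:
sub:-:2048:16:AAAABBBBDEADBEEF:2005-09-05:2006-09-05:::::e:'
# LOOKALIKE: a different key whose 8-character Key ID is also BEEFF00D.
LOOKALIKE='pub:-:1024:17:99998888BEEFF00D:2005-09-06:2006-09-06::-:Foo Bar <foo@bar.com>::scSC:
fpr:::::::::FFFFEEEEDDDDCCCCBBBBAAAA99998888BEEFF00D:'

# Print the primary key's fingerprint: the first fpr record after a pub/sec record.
primary_fpr() {
    awk -F: '$1 == "pub" || $1 == "sec" { seen = 1; next }
             seen && $1 == "fpr" { print $10; exit }'
}

# Print the 8-character Key ID, i.e. the last 8 hex digits of the fingerprint.
short_id() {
    printf '%s\n' "$1" | primary_fpr | sed 's/.*\(........\)$/\1/'
}

# Succeed only when both listings carry the same, non-empty, full fingerprint.
same_key() {
    a=$(printf '%s\n' "$1" | primary_fpr)
    b=$(printf '%s\n' "$2" | primary_fpr)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Print the line `gpg --import-ownertrust` reads for ultimate trust (value 6).
ownertrust_line() {
    fpr=$(printf '%s\n' "$1" | primary_fpr)
    [ "${#fpr}" -eq 40 ] || return 1   # assumption: v4 key, 40 hex digits
    printf '%s:6:\n' "$fpr"
}

# Real use: gpg --with-colons --fingerprint foo@bar.com > listing.txt on each machine,
# then, only if same_key passes: ownertrust_line "$(cat new.txt)" | gpg --import-ownertrust
for candidate in "$NEW_BOX" "$LOOKALIKE"; do
    if same_key "$OLD_BOX" "$candidate"; then
        echo "fingerprint match:   $(ownertrust_line "$candidate")"
    else
        echo "fingerprint MISMATCH (Key ID $(short_id "$candidate") still matches)"
    fi
done
```

Piping the ownertrust line into gpg --import-ownertrust has the same effect as choosing 5 in the interactive trust menu.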