# Where to back up GPG key?

## grant123

My private GPG key is the only file I can't back up along with the rest of my encrypted backups since I would need it in order to decrypt the backups.  How do smart people back up their private GPG key?

----------

## John R. Graham

Your GPG key is protected with a nice long, non-dictionary-word-based passphrase, right? If so, just put it on a couple of memory sticks.

- John

----------

## grant123

 *Quote:*   

> Your GPG key is protected with a nice long, non-dictionary-word-based passphrase, right?

 

Actually no because I want to encrypt unattended.

----------

## khayyam

 *grant123 wrote:*   

>  *Quote:*   Your GPG key is protected with a nice long, non-dictionary-word-based passphrase, right? 
> 
> Actually no because I want to encrypt unattended.

 

grant123 ... so what prevents someone doing the same, and what purpose does the encryption then serve?

As far as backing up the key goes, you can create a luks partition without the use of a key.

```
# cryptsetup -c aes-xts-plain -y -s 512 luksFormat /dev/sdb1
# cryptsetup luksOpen /dev/sdb1 crypt-usb
# mkfs.ext4 /dev/mapper/crypt-usb
# mount /dev/mapper/crypt-usb /mnt/usbstick
# mkdir -p /mnt/usbstick/{headers,gnupg/keys}
# cp /path/to/key /mnt/usbstick/gnupg/keys
# cryptsetup luksHeaderBackup --header-backup-file /mnt/usbstick/headers/luks-header-sda2 /dev/sda2
# umount /mnt/usbstick
# cryptsetup luksClose crypt-usb
```

... of course the process will require you to memorise the passphrase. I also made a backup of the LUKS header on the disk (which is advisable).

best ... khay

----------

## grant123

 *Quote:*   

> so what prevents someone doing the same, and what purpose does the encryption then serve?

 

Machine #1's data is encrypted on machine #1 and then transferred to machine #2.  The encryption is meant to prevent someone from breaking into machine #2 and reading machine #1's data.

 *Quote:*   

> As far as backing up the key goes, you can create a luks partition without the use of a key.

 

Interesting.  Is there a simpler way to password protect my GPG key (without actually assigning a passphrase within the GPG protocol so I can still encrypt unattended)?  I'd rather not create and manage a partition for this.

----------

## khayyam

 *grant123 wrote:*   

>  *Quote:*   so what prevents someone doing the same, and what purpose does the encryption then serve? 
> 
> Machine #1's data is encrypted on machine #1 and then transferred to machine #2.  The encryption is meant to prevent someone from breaking into machine #2 and reading machine #1's data.

 

grant123 ... I think I misinterpreted your question, I'd read the above "encrypted backups" as though you were using LUKS and a gpg-key as the passphrase, that's why I provided how the header (of the encrypted partition) could be backed up. Now, re-reading your initial post I don't know where I got that impression.

 *grant123 wrote:*   

>  *Quote:*   As far as backing up the key goes, you can create a luks partition without the use of a key. 
> 
> Interesting.  Is there a simpler way to password protect my GPG key (without actually assigning a passphrase within the GPG protocol so I can still encrypt unattended)?  I'd rather not create and manage a partition for this.

 

In the example I was using a LUKS encrypted usbstick as the backup destination, so not a partition, a separate device. As to your question, no, if the key has to function without user input (in the form of a passphrase) then there is no additional protection that can be added.

best ... khay

----------

