Export and import secret GPG keys from backup

When installing a new distro¹, I installed it on a new disk - leaving the previous disk as a ‘backup’. What I forgot to do (to be honest, I hadn’t thought about it) was exporting the GPG keys that I use, e.g. to sign commits.

I did not want to copy the .gnupg directory from the old disk, as I imported a lot of public keys for example, to verify downloaded files. I no longer need them - I want only my private keys.

I figured out a way to export them from the backup and import them to the local keyring. Below are the steps and the explanation. :-)

tl;dr: the magic sauce is --homedir parameter. It tells GnuPG to use that directory as its home (keyring, config, etc.) instead of the default one. This way, we can point GnuPG at the backed-up files and use them as if they were in place for a regular setup.

1. Copy from the backup to the home directory

Copy the .gnupg directory from backup to the home directory. This is to ensure that these will not be overridden by mistake.

For the latter steps, I assume that those are copied to ~/gnupg/.gnupg (gnupg is a directory in the home directory).

2. Verify that keys are there

Then verify that the secret keys are there:

gpg --homedir=~/gnupg/.gnupg --list-secret-keys

It should show secret keys that are available in the keyring.

3. Export keys from the backup

After that, I can export them to a file keys.key in the current directory. A passphrase for each private key needs to be provided for successful export.

gpg --homedir=~/gnupg/.gnupg --export-secret-keys > keys.key

4. Import keys from the file

As those are exported, they can now be imported. Same as previously, passphrases need to be provided:

gpg --import keys.key

Every key will be printed out (public and secret pair) with the summary. For example:

(...details are removed ;-)...)
gpg: Total number processed: 3
gpg:               imported: 3
gpg:       secret keys read: 3
gpg:   secret keys imported: 3

5. Verify and cleanup

To verify, we can run gpg --list-secret-keys - it should print out the details of the keys that we just imported. As for cleanup - remove the copied data and keys.key file - those are not needed anymore!

And that is all - now I can use my GPG keys to sign Git commits, just like I did on the previous machine!

I installed Fedora KDE 43. I must say that it works quite well! ↩︎