I moved to another MacBook. Because of expensive SSDs and a much smaller disk size, and because I wanted to start clean with this install, I couldn't transfer the user folder. I have the old disk in an external case connected, and see that I forgot to export two private keys. I would like to restore them from the external disk, or from Time Machine.
Where can I find the GPG Tools private keys, so I can export them, or copy the entire GPG Tools folder?
3 Answers
By default, the GnuPG keyrings are stored in the (hidden) folder ~/.gnupg; in other words, the .gnupg folder in your home directory. You can simply copy the whole folder to the new machine. If GnuPG doesn't work properly afterwards or shows some error message indicating broken permissions, make sure to take ownership afterwards (even if your user name is the same, the internal IDs could be different) by running the following command in the Terminal application (it will query for your user password):

sudo chown -R $USER:staff ~/.gnupg

Alternatively, you can export your secret keys using the

gpg --export-secret-keys [key-id] >secret-keys.gpg

command. As you want to recover the keys from your old disk, connect it to your computer. To work on the old disk's GnuPG keyring, use the --homedir option, which will result in something like

gpg --homedir /Volumes/[old-disks-name]/Users/[username]/.gnupg --list-secret-keys

to list the secret keys available, and

gpg --homedir /Volumes/[old-disks-name]/Users/[username]/.gnupg --export-secret-keys [key-id] > secret-keys.gpg

to export them. You can also directly import them into your new GnuPG keyring instead of storing them in an intermediate file (observe the missing --homedir parameter in the GnuPG call after the pipe):

gpg --homedir /Volumes/[old-disks-name]/Users/[username]/.gnupg --export-secret-keys [key-id] | gpg --import

Update for 2019 / macOS Catalina:
Time Machine backups can be mounted, but they can't be modified in place, which means that a chown will fail, and that you can't use the --homedir option with gpg without getting a stream of this:

gpg: failed to create temporary file '/Volumes/<Backup Drive>/ Name>/Latest/Macintosh HD/Users/<name>/.gnupg/': Permission denied
gpg: can't connect to the agent: Permission denied

The chown will fail with a stream of messages like this:
$ sudo chown -R user:staff .gnupg
chown: .gnupg/tofu.db: Operation not permitted
chown: .gnupg/trustdb.gpg: Operation not permitted
chown: .gnupg: Operation not permitted

Copy the .gnupg folder out of the Time Machine backup, chown it, and see/extract the private keys as above:
$ mkdir ~/gpg_recovery
$ cp -r /Volumes/<Backup Drive>/ Name>/Latest/Macintosh HD/Users/<name>/.gnupg ~/gpg_recovery/
$ cd ~/gpg_recovery/
$ sudo chown -R $USER:staff .gnupg
Password:
$ gpg --homedir ~/gpg_recovery/.gnupg --list-secret-keys
$ gpg --homedir ~/gpg_recovery/.gnupg --export-secret-keys | gpg --import
gpg: key xxxxxxxxxxxxxxxx: public key "xxxxxxxxxxxxxxxxxxxxxxx" imported
gpg: key xxxxxxxxxxxxxxxx: secret key imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
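As an added example (not code from the answer above), a small POSIX shell script that automates the Catalina workaround: copy the read-only .gnupg out of the backup, set the permissions gpg insists on, import the secret keys, and then check by fingerprint that each one actually landed in the new keyring. It assumes GnuPG 2.x on the PATH; OLD_GNUPG is a placeholder path you supply.

```shell
#!/bin/sh
# Added example, not code from the answer above. Recovers GnuPG secret keys
# from a read-only copy of an old ~/.gnupg (a mounted Time Machine backup or
# an old disk), then verifies by fingerprint that every key was imported.
# Assumes GnuPG 2.x on PATH; OLD_GNUPG is a placeholder path you supply.

# Read `gpg --with-colons` output on stdin and print the fingerprint of each
# primary secret key: a 'sec' record is directly followed by an 'fpr' record
# whose 10th field is the fingerprint. Subkeys ('ssb') are skipped.
secret_fingerprints() {
  awk -F: '$1=="sec"{want=1;next} $1=="fpr"&&want{print $10;want=0;next} {want=0}'
}

# Copy the old homedir to a writable working copy and set the permissions
# gpg requires (directories 700, files 600). The copy is owned by the user
# running cp, so the sudo chown from the answer is only needed if it is not.
copy_gnupg_home() {
  src=$1; dst=$2
  cp -R "$src" "$dst" || return 1
  find "$dst" -type d -exec chmod 700 {} + &&
  find "$dst" -type f -exec chmod 600 {} +
}

# Import all secret keys from the working copy into the default keyring
# (pinentry may ask for each key's passphrase), then confirm each
# fingerprint is now listed by the default keyring. Returns 1 if any is missing.
recover_secret_keys() {
  old=$1; missing=0
  gpg --homedir "$old" --export-secret-keys | gpg --import || return 1
  for fpr in $(gpg --homedir "$old" --list-secret-keys --with-colons | secret_fingerprints); do
    if gpg --list-secret-keys --with-colons "$fpr" | secret_fingerprints | grep -qx "$fpr"; then
      echo "recovered $fpr"
    else
      echo "MISSING $fpr" >&2; missing=1
    fi
  done
  return "$missing"
}

# Usage: OLD_GNUPG='/Volumes/OldDisk/Users/me/.gnupg' sh recover_gpg.sh
if [ -n "${OLD_GNUPG:-}" ]; then
  mkdir -p "$HOME/gpg_recovery" &&
  copy_gnupg_home "$OLD_GNUPG" "$HOME/gpg_recovery/.gnupg" &&
  recover_secret_keys "$HOME/gpg_recovery/.gnupg"
fi
```

The working copy under ~/gpg_recovery still contains the private key material, so delete it once the import has been verified.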
Windows

On Windows systems you may use software like Gpg4win. In this case you can migrate your (private) keys by copying the following files to your new computer:
- File %AppData%\gnupg\pubring.kbx
- File %AppData%\gnupg\trustdb.gpg
- Entire folder %AppData%\gnupg\private-keys-v1.d
To list your current recognized (installed) local keys use gpg --list-secret-keys --keyid-format LONG. Tested with gpg (GnuPG) 2.3.4 (2021) installed via Gpg4win 4.0.0.
A small addition to @jens-erat's answer:
Export to a file:
gpg --output private_keys.backup --armor --export-secret-keys

SSH import:

gpg --export-secret-key SOMEKEYID | ssh othermachine gpg --import

ref: How to export a GPG private key and public key to a file