
Transferring your secret PGP key from one device to another.

I use PGP a lot, primarily for encrypting files, or portions of files, that I don't want to fall into the wrong hands.

I also use many different devices (3 personal laptops, 1 Nokia N900, 1 Nexus 7 tablet, and so on), and I like to access the data I'm looking for from the device I may currently be on.

This means I need my PGP secret key available to me locally: it's unwise to access a secret key across a network.

If you're copying the key from one device to another across a network only you have control over, then export; scp; import may be sufficient. However, if you're not certain about the security of the pipes between your two devices, you need to take a bit more care.

Here's how I do it, which involves a little more work, but is a lot more secure. The steps below use GNU Privacy Guard (a.k.a. GnuPG), but the actions are rather fundamental to a mature PGP tool, and should be easy to perform with what you're using.

  1. Install a PGP tool onto your device.
  2. Generate a new private/public key pair using this tool. Set the expiry date for this new key to tomorrow: you won't need this key again once all of this is done.

    eibhear@bondi:~$ gpg --gen-key
    gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    
    Please select what kind of key you want:
       (1) RSA and RSA (default)
       (2) DSA and Elgamal
       (3) DSA (sign only)
       (4) RSA (sign only)
    Your selection? 1
    RSA keys may be between 1024 and 4096 bits long.
    What keysize do you want? (2048) 4096
    Requested keysize is 4096 bits
    Please specify how long the key should be valid.
             0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years
    Key is valid for? (0) 1
    Key expires at Mon 27 Jan 2014 14:41:38 GMT
    Is this correct? (y/N) y
    
    You need a user ID to identify your key; the software constructs the user ID
    from the Real Name, Comment and Email Address in this form:
        "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
    
    Real name: Temp Transfer
    Email address: eibhear@bondi.gibiris.org
    Comment: Temp to get real key across
    You selected this USER-ID:
        "Temp Transfer (Temp to get real key across) <eibhear@bondi.gibiris.org>"
    
    Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
    You need a Passphrase to protect your secret key.
    
    <<key-generation guff about entropy and all that.>>
    
    gpg: key AD26C065 marked as ultimately trusted
    public and secret key created and signed.
    
    gpg: checking the trustdb
    gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
    gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
    gpg: next trustdb check due at 2014-01-27
    pub   4096R/AD26C065 2014-01-26 [expires: 2014-01-27]
          Key fingerprint = A3CF 353E F184 AE8A 2F7A  D2E5 51E3 EB22 AD26 C065
    uid                  Temp Transfer (Temp to get real key across) <eibhear@bondi.gibiris.org>
    sub   4096R/BA51E94A 2014-01-26 [expires: 2014-01-27]
    
    eibhear@bondi:~$
    
  3. Export your new public key into a file (I generally use the ASCII format for ease of handling).

    gpg --export -a eibhear@bondi.gibiris.org > tmpPublic.asc
    
  4. E-mail this new public key to an address whose account you can access from the device that holds your secret key. E-mail is the easiest for me, but all you need to achieve is to get this public key across.
  5. On the device holding the secret key you want to transfer, download and import this new public key.

    eibhear@rome:~$ gpg --import ~/tmp/tmpPublic.asc 
    gpg: key AD26C065: public key "Temp Transfer (Temp to get real key across) <eibhear@bondi.gibiris.org>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1  (RSA: 1)
    eibhear@rome:~$
    
  6. Now, export your secret key and encrypt it using the newly-imported public key. Using the gpg tool, I export it to stdout and encrypt that stream, so the unencrypted key data are never stored on the filesystem, even temporarily. If you can't do these in one step, it's probably safe to export your key to a file, encrypt the file, and then remove the original file (as long as you're confident you have full control over the device, and as long as you use a strong passphrase to protect your secret key!)

    eibhear@rome:~$ gpg -a --export-secret-key GMail | gpg -ea -r eibhear@bondi.gibiris.org > ~/tmp/secretKeyEnc.asc
    gpg: BA51E94A: There is no assurance this key belongs to the named user
    
    pub  4096R/BA51E94A 2014-01-26 Temp Transfer (Temp to get real key across) <eibhear@bondi.gibiris.org>
     Primary key fingerprint: A3CF 353E F184 AE8A 2F7A  D2E5 51E3 EB22 AD26 C065
          Subkey fingerprint: A526 1366 B691 CF65 C317  88F0 C29C ABE5 BA51 E94A
    
    It is NOT certain that the key belongs to the person named
    in the user ID.  If you *really* know what you are doing,
    you may answer the next question with yes.
    
    Use this key anyway? (y/N) y
    eibhear@rome:~$
    
  7. Send this newly encrypted file to your new device (an e-mailed attachment is normally what I use).
  8. Go back to your new device now, and download the file.
  9. Decrypt the file using the temporary secret key, and then import the decrypted key data. Again, if you're using gpg, these two steps can be combined into one.

    eibhear@bondi:~$ gpg -d ~/tmp/secretKeyEnc.asc | gpg --import
    
    You need a passphrase to unlock the secret key for
    user: "Temp Transfer (Temp to get real key across) <eibhear@bondi.gibiris.org>"
    4096-bit RSA key, ID BA51E94A, created 2014-01-26 (main key ID AD26C065)
    
    gpg: encrypted with 4096-bit RSA key, ID BA51E94A, created 2014-01-26
          "Temp Transfer (Temp to get real key across) <eibhear@bondi.gibiris.org>"
    gpg: key F2177106: secret key imported
    gpg: key F2177106: public key "Éibhear Ó hAnluain (GMail) <eibhearDOTgeoATgmailDOTcom>" imported
    gpg: Total number processed: 1
    gpg:               imported: 1
    gpg:       secret keys read: 1
    gpg:   secret keys imported: 1
    eibhear@bondi:~$
    
  10. Confirm that the key has been imported.

    eibhear@bondi:~$ gpg --list-secret-keys
    /home/eibhear/.gnupg/secring.gpg
    --------------------------------
    sec   4096R/AD26C065 2014-01-26 [expires: 2014-01-27]
    uid                  Temp Transfer (Temp to get real key across) <eibhear@bondi.gibiris.org>
    ssb   4096R/BA51E94A 2014-01-26
    
    sec   1024D/F2177106 2003-08-26
    uid                  Éibhear Ó hAnluain (Gibiris) <XXXXXXXXXXXX>
    uid                  Éibhear Ó hAnluain (GMail) <eibhearDOTgeoATgmailDOTcom>
    ssb   2048g/532B1905 2003-08-26
    
    eibhear@bondi:~$
    
  11. Lastly, delete the temporary secret key.

    eibhear@bondi:~$ gpg --delete-secret-and-public-key eibhear@bondi.gibiris.org
    gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    
    
    sec  4096R/AD26C065 2014-01-26 Temp Transfer (Temp to get real key across) <eibhear@bondi.gibiris.org>
    
    Delete this key from the keyring? (y/N) y
    This is a secret key! - really delete? (y/N) y
    
    pub  4096R/AD26C065 2014-01-26 Temp Transfer (Temp to get real key across) <eibhear@bondi.gibiris.org>
    
    Delete this key from the keyring? (y/N) y
    eibhear@bondi:~$
    

You're now ready to use your main secret key from your new device.
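The eleven steps above as one script, added here as an example and not part of the original post. It runs the whole transfer on a single machine, using two GnuPG home directories to stand in for the two devices, so you can rehearse the procedure before doing it for real. It assumes GnuPG 2.1 or later (the post shows 1.4.12), and every name, address, passphrase and the "real" key itself are constructed for the demo. It adds one check the post does by eye: before encrypting to the temporary key, the fingerprint of the imported copy is compared with the fingerprint on the device that generated it, since e-mail does nothing to authenticate the key that arrives.

```shell
#!/bin/sh
# Added example (not from the original post): steps 1 to 11 run end to end on a
# single machine, with two GnuPG home directories standing in for the two
# devices. Assumes GnuPG 2.1 or later (--pinentry-mode loopback, gpgconf); the
# post itself shows GnuPG 1.4.12. Names, addresses, passphrases and the "real"
# key below are all constructed for the demo.
set -eu

WORK=$(mktemp -d)
OLD="$WORK/old-device"                 # already holds the real key (the post's "rome")
NEW="$WORK/new-device"                 # needs a copy of it (the post's "bondi")
TEMP_UID='eibhear@bondi.gibiris.org'   # the temporary key's address, as in the post
REAL_UID='real-key@example.invalid'    # constructed stand-in for the real key's address
TEMP_PASS='temp-transfer-passphrase'   # constructed
REAL_PASS='real-key-passphrase'        # constructed
mkdir -p "$OLD" "$NEW" && chmod 700 "$OLD" "$NEW"

cleanup() {
    for h in "$OLD" "$NEW"; do gpgconf --homedir "$h" --kill all >/dev/null 2>&1 || true; done
    rm -rf "$WORK"
}
trap cleanup EXIT

# gpg against one keyring, fully non-interactive. gpg's chatter is hidden so the
# demo output stays readable; the checks at the end catch any failure.
g() { _home=$1; shift; gpg --homedir "$_home" --batch --yes --pinentry-mode loopback "$@" 2>/dev/null; }

# Steps 1-2 in batch form: the parameter file answers the prompts the post shows
# interactively. Expire-Date is in days; the temp key gets 1, as in the post.
gen_key() {   # gen_key HOMEDIR "Real Name" EMAIL PASSPHRASE EXPIRE_DAYS
    g "$1" --gen-key <<EOF
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $2
Name-Email: $3
Expire-Date: $5
Passphrase: $4
%commit
EOF
}

# Primary-key fingerprint of the key matching USERID in HOMEDIR.
fpr() { g "$1" --with-colons --fingerprint "$2" | awk -F: '$1 == "fpr" { print $10; exit }'; }

# Number of primary secret keys in HOMEDIR whose user ID matches USERID.
count_secret_keys() {
    { g "$1" --with-colons --list-secret-keys "$2" || true; } | grep -c '^sec:' || true
}

transfer_demo() {
    gen_key "$OLD" "Real Key" "$REAL_UID" "$REAL_PASS" 0        # stands in for the key that already exists
    gen_key "$NEW" "Temp Transfer" "$TEMP_UID" "$TEMP_PASS" 1   # step 2: the one-day transfer key

    # Steps 3-5: the armoured public key goes across (a file copy here, e-mail in
    # the post) and is imported on the device holding the real key.
    g "$NEW" --armor --export "$TEMP_UID" > "$WORK/tmpPublic.asc"
    g "$OLD" --import "$WORK/tmpPublic.asc"

    # E-mail does not authenticate the key. Before encrypting to it, compare the
    # fingerprint of the imported copy with the one on the device that made it,
    # as the post does by eye with the fingerprints it prints on both sides.
    [ "$(fpr "$OLD" "$TEMP_UID")" = "$(fpr "$NEW" "$TEMP_UID")" ] || { echo "fingerprint mismatch" >&2; return 1; }

    # Step 6: export the secret key straight into an encryption to the temp key,
    # so the clear export never touches disk. --trust-model always replaces the
    # "Use this key anyway? y" answer, justified by the fingerprint check above.
    g "$OLD" --passphrase "$REAL_PASS" --armor --export-secret-keys "$REAL_UID" \
        | g "$OLD" --trust-model always --armor --encrypt --recipient "$TEMP_UID" > "$WORK/secretKeyEnc.asc"

    # Steps 7-9: the ciphertext goes across; decrypt with the temp key and import
    # in one pipeline. The real key's own passphrase is needed for the import.
    g "$NEW" --passphrase "$TEMP_PASS" --decrypt "$WORK/secretKeyEnc.asc" \
        | g "$NEW" --passphrase "$REAL_PASS" --import

    # Step 11: delete the temp key pair; batch mode requires the fingerprint.
    g "$NEW" --delete-secret-and-public-keys "$(fpr "$NEW" "$TEMP_UID")"
}

# Step 10, stronger than listing: a message encrypted to the real key on the old
# device must decrypt with the copy now on the new device.
round_trip() {
    printf 'constructed test message' \
        | g "$OLD" --trust-model always --encrypt --recipient "$REAL_UID" \
        | g "$NEW" --passphrase "$REAL_PASS" --decrypt
}

if command -v gpg >/dev/null 2>&1; then
    transfer_demo
    echo "real key on new device: $(count_secret_keys "$NEW" "$REAL_UID"), temp key left: $(count_secret_keys "$NEW" "$TEMP_UID")"
    echo "round trip: $(round_trip)"
else
    echo "gpg not installed; nothing run" >&2
fi
```

Run it as `sh transfer-demo.sh`; it needs no network and removes both keyrings on exit. In the real procedure the two `--homedir` keyrings are two machines and the two file copies are your e-mails, and the fingerprint comparison is done by reading the fingerprint printed at key generation against the one gpg shows when it warns "There is no assurance this key belongs to the named user".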