
Backing up, transporting, and transferring private keys from device to device
Open, High, Public


We will need information about how to back up, save, export, and verify the contents of a backup. This will help immensely with the usability of GnuPG, especially for its use with its target audience of developers that need to sign their GnuPG releases.

I'm going to look into the `--export-backup`, `--export-options` and `--import-options` flags and commands for GnuPG and see what I can puzzle out, along with export of the TrustDB, as my previous method of simply exporting the keys didn't capture everything, including local signatures and trust settings.

Event Timeline

JollyRoger lowered the priority of this task from Unbreak Now! to High. Oct 8 2018, 5:01 PM
  • --export-options backup
    • Implies
      • export-local-sigs
      • export-attributes
      • export-sensitive-revkeys
    • Turns off
      • export-clean
      • export-minimal
      • export-pka
      • export-dane
    • Causes build_packet_and_meta() to be used instead of build_packet()
      • This variant also writes the meta data using ring trust packets.
        • a8895c99a7d0
          • Ring trust packets are implementation defined and have always been used in gpg to cache the signature verification status.
          • Ring trust packets are only exported with the export option "backup" and only imported with the import option "restore".
          • As a side-effect of this patch the signature status cache works again and "gpg --check-sigs" is thus much faster.
        • RFC 4880 § 5.10
        • doc/DETAILS
```c
/* From parse_export_options() in g10/export.c.  */
/* Alter other options we want or don't want for restore.  */
if ((*options & EXPORT_BACKUP))
  {
    *options |= (EXPORT_LOCAL_SIGS | EXPORT_ATTRIBUTES | EXPORT_SENSITIVE_REVKEYS);
    *options &= ~(EXPORT_CLEAN | EXPORT_MINIMAL | EXPORT_PKA_FORMAT | EXPORT_DANE_FORMAT);
  }
```
* Format of the OpenPGP TRUST packet

  According to RFC4880 (5.10), the trust packet (aka ring trust) is
  only used within keyrings and contains data that records the user's
  specifications of which key holds trusted introducers.  The RFC also
  states that the format of this packet is implementation defined and
  SHOULD NOT be emitted to output streams or should be ignored on
  import.  GnuPG uses this packet in several additional ways:

  - 1 octet :: Trust-Value (only used by Subtype SIG)
  - 1 octet :: Signature-Cache (only used by Subtype SIG; value must
               be less than 128)
  - 3 octets :: Fixed value: "gpg"
  - 1 octet  :: Subtype
               - 0 :: Signature cache (SIG)
               - 1 :: Key source on the primary key (KEY)
               - 2 :: Key source on a user id (UID)
  - 1 octet :: Key Source; i.e. the origin of the key:
               - 0 :: Unknown source.
               - 1 :: Public keyserver.
               - 2 :: Preferred keyserver.
               - 3 :: OpenPGP DANE.
               - 4 :: Web Key Directory.
               - 5 :: Import from a trusted URL.
               - 6 :: Import from a trusted file.
               - 7 :: Self generated.
  - 4 octets :: Time of last update.  This is a four-octet scalar
                with the seconds since Epoch.
  - 1 octet  :: Scalar with the length of the following field.
  - N octets :: String with the URL of the source.  This may be a
                zero-length string.

  If the packet contains only two octets a Subtype of 0 is assumed;
  this is the only format recognized by GnuPG versions < 2.1.18.
  Trust-Value and Signature-Cache must be zero for all subtypes other
  than SIG.
  • --import-options restore
    • Implies
      • import-local-sigs
      • keep-ownertrust
    • Turns off
      • import-minimal
      • import-clean
      • repair-pks-subkey-bug
      • merge-only
```c
/* From parse_import_options() in g10/import.c.  */
if (rc && (*options & IMPORT_RESTORE))
  {
    /* Alter other options we want or don't want for restore.  */
    *options |= (IMPORT_LOCAL_SIGS | IMPORT_KEEP_OWNERTTRUST);
    *options &= ~(IMPORT_MINIMAL | IMPORT_CLEAN | IMPORT_REPAIR_PKS_SUBKEY_BUG
                  | IMPORT_MERGE_ONLY);
  }
```
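The ring trust layout quoted from doc/DETAILS above can be checked mechanically when verifying what a `--export-options backup` dump actually carries. The parser below is an added example, not GnuPG's own code; the sample body, its timestamp and its URL are constructed, and it takes the packet body only (the OpenPGP packet header for tag 12 is assumed to have been stripped already).

```python
import struct

# Field names and values follow the doc/DETAILS excerpt above.
SUBTYPES = {0: "SIG", 1: "KEY", 2: "UID"}
KEY_SOURCES = {0: "unknown", 1: "public keyserver", 2: "preferred keyserver",
               3: "OpenPGP DANE", 4: "Web Key Directory", 5: "trusted URL",
               6: "trusted file", 7: "self generated"}
MAGIC = b"gpg"

def build_ring_trust(subtype, key_source, last_update, url=b"",
                     trust_value=0, sig_cache=0):
    """Serialise a packet body in the extended (GnuPG >= 2.1.18) layout."""
    return (bytes([trust_value, sig_cache]) + MAGIC + bytes([subtype, key_source])
            + struct.pack(">I", last_update) + bytes([len(url)]) + url)

def parse_ring_trust(body):
    """Parse a ring trust packet body; raise ValueError on anything malformed."""
    if len(body) < 2:
        raise ValueError("body shorter than two octets")
    trust_value, sig_cache = body[0], body[1]
    if sig_cache >= 128:
        raise ValueError("Signature-Cache must be less than 128")
    if len(body) == 2:
        # Only format known to GnuPG < 2.1.18: Subtype 0 (SIG) is implied.
        return {"subtype": "SIG", "trust_value": trust_value,
                "sig_cache": sig_cache, "legacy": True}
    if len(body) < 12 or body[2:5] != MAGIC:
        raise ValueError("extended body needs the 'gpg' marker and 12 fixed octets")
    subtype, key_source = body[5], body[6]
    if subtype not in SUBTYPES or key_source not in KEY_SOURCES:
        raise ValueError("unknown Subtype %d or Key Source %d" % (subtype, key_source))
    if subtype != 0 and (trust_value or sig_cache):
        raise ValueError("Trust-Value/Signature-Cache must be zero unless Subtype is SIG")
    last_update = struct.unpack(">I", body[7:11])[0]
    url_len = body[11]
    url = body[12:12 + url_len]
    if len(url) != url_len or len(body) != 12 + url_len:
        raise ValueError("URL length octet does not match body length")
    return {"subtype": SUBTYPES[subtype], "trust_value": trust_value,
            "sig_cache": sig_cache, "key_source": KEY_SOURCES[key_source],
            "last_update": last_update, "url": url.decode("utf-8", "replace"),
            "legacy": False}

# Constructed sample: a KEY-subtype record for a key fetched via WKD.
SAMPLE = build_ring_trust(1, 4, 1539018060,
                          b"https://example.org/.well-known/openpgpkey/")
```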