How to share private GPG keys securely
2022-01-05
GPG, short for GNU Privacy Guard, is a free cryptographic software suite. Lots of important sofware relies on it.
Personally, I use pass,
“the standard unix password manager” to manage my passwords and it works
a treat. Under the hood, pass uses gpg. This
lets me use my terminal as a password manager.
There’s a great Android app which implements the same pass “spec” . This app relies on openkeychain for GPG-key management. In their FAQs, they elegantly sum up how best to transfer your private key:
generate a strong random password
gpg --armor --gen-random 1 20encrypt key, use password above when asked
gpg --armor --export-secret-keys YOUREMAILADDRESS | gpg --armor --symmetric --output mykey.sec.ascon the receiving computer
gpg --decrypt mykey.sec.asc | gpg --importThese steps will encrypt your secret keys symmetricly with a secure & one-time random password.
I’ve used magic-wormhole
in the past to transfer sensitive information from computer to computer.
It’s worked really well. If you’re paranoid about your keys (and it may
be worth being paranoid…), I’d look into using
magic-wormhole to move your encrypted private GPG keys
around. It’s really easy. Literally
wormhole send mykey.sec.asc.