Re: What is a reliable way to backup/restore my keys and test?

2016-09-19 Thread Werner Koch
On Wed, 14 Sep 2016 17:10, du...@nofroth.com said:

> Once I have completed my OS upgrade how do I restore my keys and the
> trust levels assigned to them?

If you restore the backup of ~/.gnupg (with all sub directories) with
the right permissions (tar xpf) you should be done.  GnuPG stores all
its data in a machine independent format and thus a copy of the directory
works on all platforms.

For cleanness, you may not want to exclude ~/.gnupg/random_seed from the
backup or delete that file from the target box after restoring.

> I use Thunderbird/Enigmail which is using gpg2 but I originally
> created my key pair using gpg 1.4.  Does this have any ramifications?

No.  If you start using gnupg 2.1 the secret keys will be automatically
migrated to the new format (the old secring.gpg will be kept but not
used by 2.1).


Salam-Shalom,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users


Re: What is a reliable way to backup/restore my keys and test?

2016-09-15 Thread Daniel Kahn Gillmor
On Thu 2016-09-15 15:32:32 -0400, MFPA wrote:
> And if they are accidentally sent to a keyserver, does the keyserver
> strip them because they are marked as non-exportable?

It should but the current sks keyservers do not do this right, and an
attempt to fix this has been stalled for years:

  https://bitbucket.org/skskeyserver/sks-keyserver/pull-requests/20

sigh,

  --dkg




RE: What is a reliable way to backup/restore my keys and test?

2016-09-15 Thread Robert J. Hansen
> Does exporting local signatures make it somehow more likely they might be
> accidentally sent to a keyserver?

No.





Re: What is a reliable way to backup/restore my keys and test?

2016-09-15 Thread MFPA
On Thursday 15 September 2016 at 3:32:22 PM, Robert J. Hansen wrote:-

> But I agree with Daniel that it's important to include those
> options if you have local signatures on your keyring.

Does exporting local signatures make it somehow more likely they might
be accidentally sent to a keyserver?

And if they are accidentally sent to a keyserver, does the keyserver
strip them because they are marked as non-exportable?


-- 
Best regards

MFPA  

I think not, said Descartes, and promptly disappeared


RE: What is a reliable way to backup/restore my keys and test?

2016-09-15 Thread Robert J. Hansen
> I am unable to find any references in man to export-local in
> --export-options except for export-local-sigs.  Maybe this is an
> undocumented parameter to the --export-options option?  What is it
> supposed to do?

--export-local is the same as --export-local-sigs.  Likewise with
--import-local.

I don't use local signatures myself, which is why my process skips those.
But I agree with Daniel that it's important to include those options if you
have local signatures on your keyring.





Re: What is a reliable way to backup/restore my keys and test?

2016-09-15 Thread Duane Whitty
On 16-09-14 05:24 PM, Daniel Kahn Gillmor wrote:
> Thanks for the very thorough walk-through, Robert.
> 
> Perhaps GnuPG ought to produce some kind of interchangeable backup 
> automatically on its own that it can re-consume, so this kind of 
> involved process isn't necessary.
> 
> A couple notes below:
> 
> On Wed 2016-09-14 15:01:47 -0400, Robert J. Hansen wrote:
>> The following is the procedure I use on UNIX systems:
>> 
>> First, export all public certificates into a public keyring:
>> 
>> $ gpg --armor --export > pub.asc
>> 
>> Second, export all secret certificates into a secret keyring:
>> 
>> $ gpg --armor --export-secret-keys > priv.asc
> 
> the above two steps should include the arguments "--export-options 
> export-local" just before "--export".
> 
I am unable to find any references in man to export-local in
--export-options except for export-local-sigs.  Maybe this is an
undocumented parameter to the --export-options option?  What is it
supposed to do?

>> Import your secret certificates:
>> 
>> $ gpg --import < priv.asc
>> 
>> Import your public certificates:
>> 
>> $ gpg --import < pub.asc
> 
> 
> The above two steps should include the arguments "--import-options 
> import-local" just before "--import".
> 
Same here, can't find the parameter import-local, just import-local-sigs

> 
> hth,
> 
> --dkg
> 

Best Regards,
Duane

-- 
Duane Whitty
du...@nofroth.com


Re: What is a reliable way to backup/restore my keys and test?

2016-09-15 Thread Duane Whitty
On 16-09-14 04:01 PM, Robert J. Hansen wrote:
>> I am relatively new to GNUPG so my apologies in advance if this
>> question is trivial.
> 
> Welcome!  And your question is not trivial.
> 
> The following is the procedure I use on UNIX systems:
> 
> First, export all public certificates into a public keyring:
> 
> $ gpg --armor --export > pub.asc
> 
> Second, export all secret certificates into a secret keyring:
> 
> $ gpg --armor --export-secret-keys > priv.asc
> 
> Third, export ownertrust values and save those:
> 
> $ gpg --armor --export-ownertrust > trust.asc
> 
> Fourth, copy all the *.conf files in ~/.gnupg into your current
> directory:
> 
> $ cp ~/.gnupg/*.conf .
> 
> Fifth,  put these, and all your GnuPG .conf files, all into a
> single archive:
> 
> $ tar cJf gpg-backup.txz pub.asc priv.asc trust.asc *.conf
> 
> Copy gpg-backup.txz to the new machine.  Once you've done that,
> uncompress it on the new machine:
> 
> $ tar xJf gpg-backup.txz
> 
> Import your secret certificates:
> 
> $ gpg --import < priv.asc
> 
> Import your public certificates:
> 
> $ gpg --import < pub.asc
> 
> Import your ownertrust values:
> 
> $ gpg --import-ownertrust < trust.asc
> 
> Make sure your ~/.gnupg directory exists.  If it doesn't, run gpg
> with no arguments and hit Ctrl-C to break out of it.
> 
> $ gpg
> 
> Copy your .conf files into ~/.gnupg:
> 
> $ cp *.conf ~/.gnupg
> 
> ... And at that point you should be done.  This technique should
> work regardless of whether you're migrating from 1.4 to 2.0, 1.4 to
> 2.1, 2.0 to 1.4, 2.0 to 2.1, 2.1 to 2.0, or 2.1 to 1.4.  No matter
> which you're doing, you're covered.
> 
>> I've just copied my .gnupg directory to a usb key as a backup
>> measure, which I found as a method (more or less) on
>> http://www.glump.net/content/gpg_intro/.
> 
> It's a good idea to not copy the random_seed file.  PRNG states
> should not be shared between computers.
> 
>> How can I make sure my private key and trust assignments were
>> copied properly?
> 
> Follow the above process and they will be.  Your private
> certificates were exported, as were the trust assignments.
> 
>> Once I have completed my OS upgrade how do I restore my keys and
>> the trust levels assigned to them?
> 
> See the above process.
> 
>> I use Thunderbird/Enigmail which is using gpg2 but I originally
>> created my key pair using gpg 1.4.  Does this have any ramifications?
> 
> None.
> 
> 

Thanks for the detailed walk-through, Robert.  Much appreciated!

Best Regards,
Duane

-- 
Duane Whitty
du...@nofroth.com


Re: What is a reliable way to backup/restore my keys and test?

2016-09-15 Thread murphy
Also how to handle the tofu.db?  A quick check doesn't find any
--import-tofu or --export-tofu options.  Does a simple backup and
transfer of tofu.db suffice?  --Murphy





Re: What is a reliable way to backup/restore my keys and test?

2016-09-14 Thread Piotr Chmielnicki


On 09/14/2016 06:31 PM, Thomas Glanzmann wrote:
> Hello Duane,
>
>> How can I make sure my private key and trust assignments were copied
>> properly?
> for me in the past taking a backup of .gnupg was sufficient. However you
> can also export your secret key using:
>
> gpg --export-secret-keys -a  > secret.asc
>
> And the manual trust assignments by doing:
>
> gpg --export-ownertrust > ownertrust.txt
>
> Cheers,
> Thomas
>
You also might want to take a look at --export-options in the gpg man page.

Piotr Chmielnicki
@piotrcki



RE: What is a reliable way to backup/restore my keys and test?

2016-09-14 Thread Daniel Kahn Gillmor
Thanks for the very thorough walk-through, Robert.

Perhaps GnuPG ought to produce some kind of interchangeable backup
automatically on its own that it can re-consume, so this kind of
involved process isn't necessary.

A couple notes below:

On Wed 2016-09-14 15:01:47 -0400, Robert J. Hansen wrote:
> The following is the procedure I use on UNIX systems:
>
> First, export all public certificates into a public keyring:
>
>   $ gpg --armor --export > pub.asc
>
> Second, export all secret certificates into a secret keyring:
>
>   $ gpg --armor --export-secret-keys > priv.asc

the above two steps should include the arguments "--export-options
export-local" just before "--export".

> Import your secret certificates:
>
>   $ gpg --import < priv.asc
>
> Import your public certificates:
>
>   $ gpg --import < pub.asc


The above two steps should include the arguments "--import-options
import-local" just before "--import".


hth,

--dkg




RE: What is a reliable way to backup/restore my keys and test?

2016-09-14 Thread Robert J. Hansen
> I am relatively new to GNUPG so my apologies in advance if this question is
> trivial.

Welcome!  And your question is not trivial.

The following is the procedure I use on UNIX systems:

First, export all public certificates into a public keyring:

$ gpg --armor --export > pub.asc

Second, export all secret certificates into a secret keyring:

$ gpg --armor --export-secret-keys > priv.asc

Third, export ownertrust values and save those:

$ gpg --armor --export-ownertrust > trust.asc

Fourth, copy all the *.conf files in ~/.gnupg into your current directory:

$ cp ~/.gnupg/*.conf .

Fifth,  put these, and all your GnuPG .conf files, all into a single
archive:

$ tar cJf gpg-backup.txz pub.asc priv.asc trust.asc *.conf

Copy gpg-backup.txz to the new machine.  Once you've done that, uncompress
it on the new machine:

$ tar xJf gpg-backup.txz

Import your secret certificates:

$ gpg --import < priv.asc

Import your public certificates:

$ gpg --import < pub.asc

Import your ownertrust values:

$ gpg --import-ownertrust < trust.asc

Make sure your ~/.gnupg directory exists.  If it doesn't, run gpg with no
arguments and hit Ctrl-C to break out of it.

$ gpg

Copy your .conf files into ~/.gnupg:

$ cp *.conf ~/.gnupg

... And at that point you should be done.  This technique should work
regardless of whether you're migrating from 1.4 to 2.0, 1.4 to 2.1, 2.0 to
1.4, 2.0 to 2.1, 2.1 to 2.0, or 2.1 to 1.4.  No matter which you're doing,
you're covered.

> I've just copied my .gnupg directory to a usb key as a backup measure, which
> I found as a method (more or less) on
> http://www.glump.net/content/gpg_intro/.

It's a good idea to not copy the random_seed file.  PRNG states should not
be shared between computers.

> How can I make sure my private key and trust assignments were copied
> properly?

Follow the above process and they will be.  Your private certificates were
exported, as were the trust assignments.

> Once I have completed my OS upgrade how do I restore my keys and the
> trust levels assigned to them?

See the above process.

> I use Thunderbird/Enigmail which is using gpg2 but I originally created my key
> pair using gpg 1.4.  Does this have any ramifications?

None.
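
Added example (not part of the original post, and not GnuPG's own code): a restore test for the export/import procedure above. It imports pub.asc, priv.asc and trust.asc into a throwaway GNUPGHOME and compares fingerprints and ownertrust entries with the live keyring. The function names and scratch-directory layout are assumptions; import-local-sigs is the man-page spelling of the import option discussed in the replies.

```shell
#!/bin/sh
# Added example: restore test for the pub.asc / priv.asc / trust.asc backup.
# Function names and the scratch directory layout are assumptions.

# Sorted fingerprints (field 10 of "fpr" records) from a --with-colons listing.
fingerprints() { awk -F: '$1 == "fpr" { print $10 }' | sort -u; }

# Ownertrust entries without the dated comment header gpg writes.
trust_entries() { grep -v '^#' | sort -u; }

# same_records FILTER FILE_A FILE_B: true when both files reduce to the same records.
same_records() { [ "$("$1" < "$2")" = "$("$1" < "$3")" ]; }

# snapshot HOMEDIR PREFIX: list public keys, secret keys and ownertrust of a keyring.
snapshot() {
    GNUPGHOME=$1 gpg --batch --with-colons --fingerprint --list-keys > "$2.pub" &&
    GNUPGHOME=$1 gpg --batch --with-colons --fingerprint --list-secret-keys > "$2.sec" &&
    GNUPGHOME=$1 gpg --batch --export-ownertrust > "$2.trust"
}

# verify_restore BACKUP_DIR: import the backup into a scratch home and compare it
# with the live keyring. Returns 0 only when keys, secret keys and trust all match.
verify_restore() {
    work=$(mktemp -d) || return 2
    mkdir -m 700 "$work/home"
    if GNUPGHOME=$work/home gpg --batch --quiet --import-options import-local-sigs \
           --import "$1/priv.asc" "$1/pub.asc" &&
       GNUPGHOME=$work/home gpg --batch --quiet --import-ownertrust "$1/trust.asc" &&
       snapshot "$work/home" "$work/restored" &&
       snapshot "${GNUPGHOME:-$HOME/.gnupg}" "$work/live" &&
       same_records fingerprints "$work/live.pub" "$work/restored.pub" &&
       same_records fingerprints "$work/live.sec" "$work/restored.sec" &&
       same_records trust_entries "$work/live.trust" "$work/restored.trust"
    then status=0; else status=1; fi
    # gpg 2.1+ starts an agent for the scratch home; stop it, then delete the copy,
    # which holds secret key material.
    GNUPGHOME=$work/home gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    return $status
}
```

Run `verify_restore .` in the directory holding the three exported files, right after the export steps and before the old system is wiped.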





Re: What is a reliable way to backup/restore my keys and test?

2016-09-14 Thread Thomas Glanzmann
Hello Duane,

> How can I make sure my private key and trust assignments were copied
> properly?

for me in the past taking a backup of .gnupg was sufficient. However you
can also export your secret key using:

gpg --export-secret-keys -a  > secret.asc

And the manual trust assignments by doing:

gpg --export-ownertrust > ownertrust.txt

Cheers,
Thomas
