GPG Key, generate, set up, backup, and restore

I went through this process couple of times before, but it’s not something that we run every day, every time I need to search online to recap the commands, that time I’ll add this here to help me and help anyone who needs it.

What is a GPG Key?

I don’t wanna go into all details we have plenty of good information online but in a nutshell GPG Key or GnuPG is an implementation of the PGP standard (Pretty Good Privacy) uses public and private keys to encrypt, decrypt, and sign messages, data, etc. This allows for the secure transmission of information between parties and can be used to verify that the origin of a message is genuine.

Generating your GPG Key

Ok, let’s generate our first GPG Key, to do that let’s assume you have gpg already installed in your machine, if you don’t have please check the requirements and install methods for your operational system here.


There are many ways to backup/export your GPG keys, here I’m gonna show you the way I use to export and backup my keys, some people like to export public keys as well, but since the public key is a subset of the private key we can recover the public key anytime we want.

First, let’s export the secret keys (a.k.a private key)

To export your GPG key first you have to find the keys you want to export

List your GPG keys

$> gpg --list-secret-keys



sec   rsa4096 2014-12-04 [SC]

uid           [ultimate] ferbass <>
ssb   rsa4096 2014-12-04 [E]

Now that your know the key you want to export you can run the following command, replacing name with your key name (or email)

$> gpg --export-secret-keys --armor name > /path-to-bkp/gpg-secret-key-bkp.asc

Now we can export the trust database, note that a trusted database is not required when you recover your GPG key, the trust database will export the trust level of the keys you are exporting, if you don’t have many keys and don’t want to export the trust database you can easily change the trust level manually for each key that you have. To understand more about the trust level of your keys please read this thread in StackExchange

To export your GPG trust database run the following command:

$> gpg --export-ownertrust > /path-to-bkp/trustdb-bkp.txt

If you note, the text exported from the trust DB bkp contains the instructions to import the database back if you need it.


Restoring your keys is very simple, of course, you have to remember your key password.

First, let’s restore the secret key, the system should request the key password at this point.

$> gpg --import /path-to-bkp/gpg-secret-key-bkp.asc

After success import your secret key, now we need to import the GPG trust database

$> gpg --import-ownertrust < /path-to-bkp/trustdb-bkp.txt

Now everything should be ready to use, if you list your keys in your new computer you should be able to see the keys that you imported.

Note if your key trust level is marked as unknown, you may have some problem importing your trust DB, you haven’t restored or you haven’t backup it, but don’t worry about you can easily change your key trust level with the sequence of commands below.

$> gpg --edit-key name #name of your key
$> gpg> trust
$> gpg> save

That’s it, now you have your GPG key up and running on your computer ready to sign and verify received messages or files.