Hints: Migrating GPG Keys from one machine to another

GPG is a great utility for encrypting, decrypting and signing ... anything really. It's public-key cryptography, and like every such system, the rule is that you share your public key with everyone and keep your private key very secret. The operations that need your private key (decrypting messages sent to you, and signing messages you send) can only be performed by whoever holds that key, which is exactly why a signature made with it proves a message really came from you rather than from someone trying to impersonate you. Conversely, the operations that need only your public key (encrypting a message to you, and verifying a message you signed) can be done by anyone. This works out in practice quite well: anyone in the world can use my public key to send me an encrypted message that only I can read (with my private key). Whenever I send a message, I sign it with my private key, so anyone receiving it can verify it with my public key. This is all great and wonderful, and I fully support anyone who wishes to use it.

However, things get hairy when you, the owner of a brand spankin' new private key, want to protect it. You don't want to lose it to the madhouse that is hard drive failure, but you also don't want to leave it lying around somewhere that someone nefarious could pick it up and start impersonating you. You may, like I do, want to share a private key between multiple computers that you use on a regular basis, bearing in mind that every one of those machines then holds a copy that can impersonate you, so a good passphrase on the key matters on each of them. For this, we need a quick and secure method of transferring private and public keys between computers.

After you download and install GPG on your platforms of choice, and assuming both machines have SSH installed, you can run the following commands on your source machine (the one that has the goods) to copy your public and private keys to the other machine. The key material only ever travels inside the SSH session, so there is little fear of interception in the middle (you are, of course, trusting the destination machine and whoever has root on it).

gpg --export email@domain.com | ssh user@remote.host '/usr/local/bin/gpg --import'
gpg --export-secret-keys email@domain.com | ssh user@remote.host '/usr/local/bin/gpg --import'

replacing as appropriate the email address, the user and hostname of the remote host, and the path to gpg on the remote machine (run which gpg over there to find it). You should have your public and private keys over in no time! Two things are worth checking once they arrive: that the fingerprint gpg shows for the key on the new machine matches the one on the old (gpg --fingerprint on both), and that you set the trust level for your own key on the new machine, since trust settings are stored separately and do not travel with the exported keys.

EDIT - 5/1/11: It has come to my attention that you can export your entire public or private keyring in one go, saving you the trouble of sending each key individually. Just run...

gpg --export | ssh user@remote.host '/usr/local/bin/gpg --import'
gpg --export-secret-keys | ssh user@remote.host '/usr/local/bin/gpg --import'

and watch all your keys come over. If some of them were already imported, gpg will just report them as unchanged and move on.
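Both procedures above (the per-key export and the whole-keyring export) wrapped into one script, as an added example that is not part of the original post. It also carries the ownertrust database across, which gpg --export and gpg --import do not touch, and then does the check I'd want after any key migration: it compares the primary-key fingerprints on both machines and lists anything that did not arrive. The REMOTE and REMOTE_GPG values (and the user@remote.host placeholder) are assumptions, just as in the post; the fingerprint-comparison functions work on gpg's machine-readable --with-colons output and can be tried locally without any remote host.

```sh
#!/bin/sh
# Added example, not code from the original post. Pushes a GnuPG keyring
# (public keys, secret keys, ownertrust) to a remote host over SSH and then
# verifies the transfer by comparing primary-key fingerprints on both sides.
# Assumed placeholders: REMOTE (user@host) and REMOTE_GPG (path to gpg on the
# remote machine); both can be overridden from the environment.
REMOTE="${REMOTE:-user@remote.host}"
REMOTE_GPG="${REMOTE_GPG:-/usr/local/bin/gpg}"

# Reduce `gpg --with-colons --fingerprint` output (read from stdin) to one
# primary-key fingerprint per line, sorted and de-duplicated. In the colon
# format an "fpr" record carries the fingerprint in field 10; we take only the
# fpr that follows a "pub" record, so the check does not depend on whether a
# given GnuPG version also lists subkey fingerprints.
fingerprints_from_colons() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "sub" { want = 0; next }
             $1 == "fpr" && want { print $10; want = 0 }' | sort -u
}

# Arguments: two files of sorted fingerprints, local first, remote second.
# Prints fingerprints present locally but missing remotely; returns 1 if any.
missing_on_remote() {
    missing=$(comm -23 "$1" "$2")
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# Export everything and import it on the far side. Each export is piped straight
# into the remote gpg, so key material only ever crosses the network inside the
# SSH session. Ownertrust is exported separately because --export omits it.
push_keyring() {
    gpg --export | ssh "$REMOTE" "$REMOTE_GPG --import" &&
    gpg --export-secret-keys | ssh "$REMOTE" "$REMOTE_GPG --import" &&
    gpg --export-ownertrust | ssh "$REMOTE" "$REMOTE_GPG --import-ownertrust"
}

# Collect fingerprints from both machines and report any key that did not arrive.
verify_transfer() {
    local_list=$(mktemp) || return 1
    remote_list=$(mktemp) || return 1
    gpg --with-colons --fingerprint | fingerprints_from_colons > "$local_list"
    ssh "$REMOTE" "$REMOTE_GPG --with-colons --fingerprint" \
        | fingerprints_from_colons > "$remote_list"
    if missing_on_remote "$local_list" "$remote_list"; then
        status=0
    else
        echo "the keys listed above are missing on $REMOTE" >&2
        status=1
    fi
    rm -f "$local_list" "$remote_list"
    return $status
}

# Only perform the migration when explicitly asked, so the functions above can
# be sourced or tested without touching any keyring or the network.
case "${1:-}" in
    migrate) push_keyring && verify_transfer ;;
esac
```

Save it under any name you like (say migrate-gpg.sh) and run sh migrate-gpg.sh migrate with REMOTE set; a clean exit means every primary key on the source is now on the destination, and the ownertrust you had assigned came with it. The destination then holds a copy of your private key, so treat it with the same care as the original.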