HOWTO Backup your GnuPG secret key on paper

Software backup, gnupg, howto

Paper is a safe way to backup a secret key: you can’t hack into it remotely, you can hide it very easily, and you will still be able to use it in 50+ years. No USB stick can do that…

If you want to store your GnuPG secret key on a paper sheet, it is quite simple to do. You can use PaperKey, a small tool that strips all the useless data from a secret key and formats it into a printable result. This is great, but the result can be quite long: printing my 2048 bits secret key would take 3 pages.

But there is a nice way to store more data on a small surface: 2D barcodes, for example in the DataMatrix format, using the great libdmtx library. For small keys, this is really easy:

gpg --export-secret-key KEY_ID | paperkey --output-type raw | dmtxwrite -e 8 -f PDF > secret-key.pdf

If your key is bigger (like my 2048 bits key), you will need to split it in several parts, because the result of the paperkey command will be too big to be encoded in a single DataMatrix. Here is a simple method:

# Generates key-aa, key-ab, ...
gpg --export-secret-key KEY_ID | paperkey --output-type raw | split -b 1500 - key-

# Convert each of them to a PNG image
for K in key-*; do
    dmtxwrite -e 8 $K > $K.png
done

You now have several PNG images that you can print together on a single page.


To restore your key, it’s just as simple: scan each DataMatrix into a separate image, decode them with dmtxread, concatenate all the resulting files (cat…), and use paperkey:

cat my-scanned-keys | paperkey --pubring ~/.gnupg/pubring.gpg > secret-key.gpg

Source: TPK Archival (by David Shaw, creator of PaperKey).

Comments

Join the conversation by sending an email. Your comment will be added here and to the public inbox after moderation.

Oliver

i tried to restore an printed test key but dmtxread can’t decode them any hints? i printed the key on two pages of DIN A4 Paper and made a picture of the DataMatrix with high contrast. dmtxread won’t work. it don’t detect the Datamatrix i think. Only for the orignial picture before printing work.

Schnouki

According to the libdmtx FAQ, this could be due to an insufficient “quiet zone”:

The Data Matrix standard, and therefore libdmtx, requires a “quiet zone” to surround every barcode region. If your image is cropped so the Data Matrix symbol is touching or nearly touching the image boundary, this might be preventing a successful scan.

If this is not enough, you should try using the -v flag to have a more precise error message — and maybe ask people who know better about libdmtx: see the “Get support” link on http://www.libdmtx.org/.