7

I have, in Ubuntu 14.10, generated a public and private GPG and SSH key set, but I am now needing to do a fresh install and don't want to lose them but don't just want to put them as text files on a USB.

So what's the safest way of backing them up?

Is there anyway in which I can encrypt the exported files of them or anything like that?

unor
  • 548
  • I would recommend you to use the option of Ubuntu's compressed archives manager to create encrypted archives. Look here for command line or here for GUI. As I know you, you can't sleep well at night with using a weak encryption, so please avoid zip and use 7z format, which also allows you to encrypt the file list. – Byte Commander Apr 24 '15 at 20:59

2 Answers2

3

This is how I would back up secure data like this. I'm assuming because you're using ssh keys that you're comfortable on the command line.

  1. Move all the keys to a single folder.
  2. Make a tar archive of that folder. tar -cf keys.tar /path/to/keys/folder
  3. Then I'd encrypt the tar file with OpenSSL, using the command openssl aes-256-cbc -a -in keys.tar -out keys.tar.aes and give it a secure password.
  4. All your keys are now encrypted in the one .aes file. You can safely move that to your backup device.
  5. When you're ready to open the files, run openssl aes-256-cbc -d -in keys.tar.aes -out keys.tar. Then extract the tar archive with tar -xvf keys.tar
John Cave
  • 221
  • 1
  • 3
  • When running the third command I get this error: Error Message –  Apr 25 '15 at 10:21
  • Edit: it looks like aes-256 isn't an option on your system. Try aes-256-cbc instead. – John Cave Apr 25 '15 at 10:45
  • 1
    I have not heard good things about OpenSSL or it's enc command, This is a non-standard and not-well vetted construct (!) ... the "iteration count" is set by the enc command to 1 and cannot be changed (!!!!). ... This is quite weak ! GPG looks like a better choice, according to a comment about the Snowden docs, and gpg's decades of use. And gpg pipes with tar wonderfully so you're not leaving unencrypted data in old/deleted tar files around your drive either. – Xen2050 Apr 29 '15 at 12:25
  • Thanks for that @Xen2050 . The above procedure is how I back up my servers. I will look further in to the post you linked and perhaps change my backup schema. – John Cave Apr 30 '15 at 02:09
3

Your GPG secret keyring is already encrypted, though it's only as strong as your passphrase (which is true of any encryption).

I'd make a tar file of all the files you want to backup (a few folders/files listed to tar, or with -T, --files-from get names to extract or create from FILE) and pipe tar's output to GPG. Basically:

tar -c folder | gpg --output archive.tar.gpg -e

But be careful that you don't encrypt your only copy of your secret key with your secret key... i.e. don't lock the key to your safe inside your safe. Conventional (passphrase-only) encryption works too:

tar -cz --files-from=addthese.txt | gpg --cipher-algo AES256 -z 0 --output archive.tar.gz.gpg -c

This avoids making any extra unencrypted copies of the data, that you'd have to find & wipe (or wipe all free space) if that's a concern. Any programs that use standard output can be piped into gpg too, in case it's not just plain files you're backing up.

Xen2050
  • 8,705