Storing the GPG Private Key securely using PaperKey

Last updated on January 30, 2018

One day I asked a friend, a cybersecurity expert, how to store my GPG private key securely. His answer did not impress me at all: he advised me to store the key on a USB thumb drive and carry it everywhere I go. That is not the best practice in my opinion, since there is a chance I will lose the thumb drive or, even worse, the thumb drive will break. I searched the internet and found that a USB token can be used to store the private key securely, but that comes at a price, so I had to find another way. Then I came across PaperKey, an OpenPGP key archiver, which saves the private key on paper. The following is what I do to secure my private key.

1. Generating GPG key

Suppose we do not have any GPG key yet, or we need a new one; we can generate the key pair using the following command:

gpg --gen-key

1.1. Determining the key type

If we are asked to choose the key type, choose option 1, RSA and RSA (default).

1.2. Entering the key size

Enter a number between 1024 and 4096. Just press ENTER to create a 2048-bit key, which is the best choice.

1.3. Specifying the key life time

We can specify how long the key will be valid. However, it is common to give the key no expiry date. To do that, just press ENTER so the key never expires, then press Y to confirm.

1.4. Providing the key identity

Fill in the Real name, Email address, and Comment to give the key an identity, then press O to confirm.

1.5. Entering a passphrase

To make the key more secure, give it a passphrase. It can be anything, but a short sentence or phrase that is not easy to guess is better. Enter the passphrase again to confirm it.
Note: The passphrase cannot be retrieved, so do not forget it.

1.6. Generating the key

A lot of random bytes will be generated. If the generator does not have enough random bytes available, we can move the mouse around, browse the internet, type on the keyboard or do anything we normally do, so that more randomness is gathered. We will get the following information once the key is generated successfully:

gpg: key 2E4A9C6A marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/2E4A9C6A 2017-12-29
      Key fingerprint = 3A5C 4E14 372A 660B C4C6  D19A 2BD3 8298 2E4A 9C6A
uid                  Wisnu Anggoro (Key for wisnu.id) <ask@wisnu.id>
sub   2048R/57AC4E4D 2017-12-29

Based on the preceding information, the key-id is 2E4A9C6A (the last eight hex digits of the fingerprint). Run the following command to list the keys in the keyring:

gpg -k

You will get a list similar to the following:

/home/[yourname]/.gnupg/pubring.gpg
------------------------------
pub   2048R/2E4A9C6A 2017-12-29
uid                  Wisnu Anggoro (Key for wisnu.id) <ask@wisnu.id>
sub   2048R/57AC4E4D 2017-12-29

1.7. Exporting the key pairs

In order to store the key securely using PaperKey, we need to export both the private and the public key. To export the public key, use the following command:

gpg --output wisnu_id_pub.gpg --export 2E4A9C6A

To export the private key, use the following command:

gpg --output wisnu_id_sec.gpg --export-secret-key 2E4A9C6A

Now we have the wisnu_id_pub.gpg and wisnu_id_sec.gpg files in the /home/[yourname]/.gnupg/ directory (gpg writes --output files to the current working directory, so run the commands from there).
Note: 2E4A9C6A is the key-id we got in the previous step.

1.8. Uploading the public key to Ubuntu server

We need to upload the public key to the keyserver so we can retrieve it to reconstruct the private key in a later step.

gpg --send-keys --keyserver keyserver.ubuntu.com 2E4A9C6A

2. Installing PaperKey

Installing the PaperKey package on Ubuntu is simple. We just need to execute the following two commands:

sudo apt-get update
sudo apt-get install paperkey

To ensure the package has been installed successfully, run the following command to print the version of the installed package:

paperkey --version

3. Extracting the secret data in the private key

Now that we have the gpg private key, we can extract the secret data from it and write it to a text file. Go to the /home/[yourname]/.gnupg/ directory, then extract the secret data from the private key using the following command:

paperkey --secret-key wisnu_id_sec.gpg --output secret-data-only.txt

The secret-data-only.txt file will look like the following (only the first five lines are shown):

...
  1: 00 04 3A 5C 4E 14 37 2A 66 0B C4 C6 D1 9A 2B D3 82 98 2E 4A 9C 6A 6D5AD6
  2: 02 B9 FE 07 03 02 BC 29 B9 6E 94 77 56 81 60 E5 1C 60 63 8D 0D B8 118201
  3: 68 59 15 AC 93 9F 29 52 E6 8B D5 8B 04 55 62 81 F6 C4 72 5B C9 BC 11064C
  4: 3D DC B8 41 D2 D6 04 C6 85 81 20 56 10 C0 1D 94 20 97 DA 5D 68 F9 D09E67
  5: C9 7B 0B 0A 80 CB A0 A8 25 11 F6 6C D8 EF 86 FD 74 61 F0 4B B2 38 B3B783
...

We have successfully extracted the secret data from the private key. We can now print secret-data-only.txt and keep the printout in a secure place. Note that the secret data is still protected by the passphrase set in step 1.5, so restoring from the paper copy requires it and the passphrase must be remembered as well.

4. Reconstructing the private key using secret data and public key

If we lose the private key, and even the public key, we can reconstruct the private key using the following steps:

4.1. Downloading the public key from the ubuntu server

In the web browser, go to http://keyserver.ubuntu.com:11371 and fill in the Search String text box with the name you gave to the key, then press the Search! button. You will find your key in the public key list by its key-id. Click the key-id and you should see your ASCII-armored public key. Mine looks like the following:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: SKS 1.1.6
Comment: Hostname: keyserver.ubuntu.com
-----END PGP PUBLIC KEY BLOCK-----

Copy that ASCII-armored public key and save it to an *.asc file. Suppose we save it as public-key.asc; open the nano editor using the following command:

sudo nano public-key.asc

In the nano editor, paste the ASCII public key copied from the Ubuntu keyserver, then press Ctrl+X to save and close.

4.2. Dearmoring the ASCII public key

In order to reconstruct the private key using PaperKey, we need to dearmor the ASCII key. Run the following command, and public-key.asc.gpg will be generated automatically:

gpg --dearmor public-key.asc

4.3. Converting the secret data on the paper to a txt file

We have a printout of the secret data from step 3. Use OCR to convert it back into a text file. We will save it as secret-text.txt.
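The six hex digits at the end of every line of secret-data-only.txt (step 3) are an OpenPGP CRC-24 checksum of that line's bytes, which is what lets a bad OCR read or a typo be pinned to a single line before paperkey is run. The following Python check is an added example, not part of the post or of paperkey itself; it verifies each of the five lines shown in step 3, decodes the leading bytes (format byte, key version, fingerprint, secret length), and assumes each line's checksum covers only that line's data bytes.

```python
import re
CRC24_INIT, CRC24_POLY = 0xB704CE, 0x1864CFB  # OpenPGP CRC-24 (RFC 4880), the checksum paperkey prints per line
LINE_RE = re.compile(r"^\s*(\d+):\s*((?:[0-9A-Fa-f]{2}\s+)*)([0-9A-Fa-f]{6})\s*$")  # "  N: hh hh ... CCCCCC"

# The first five data lines of secret-data-only.txt exactly as printed in the post.
SAMPLE = """\
  1: 00 04 3A 5C 4E 14 37 2A 66 0B C4 C6 D1 9A 2B D3 82 98 2E 4A 9C 6A 6D5AD6
  2: 02 B9 FE 07 03 02 BC 29 B9 6E 94 77 56 81 60 E5 1C 60 63 8D 0D B8 118201
  3: 68 59 15 AC 93 9F 29 52 E6 8B D5 8B 04 55 62 81 F6 C4 72 5B C9 BC 11064C
  4: 3D DC B8 41 D2 D6 04 C6 85 81 20 56 10 C0 1D 94 20 97 DA 5D 68 F9 D09E67
  5: C9 7B 0B 0A 80 CB A0 A8 25 11 F6 6C D8 EF 86 FD 74 61 F0 4B B2 38 B3B783
"""

def crc24(data: bytes, crc: int = CRC24_INIT) -> int:
    """CRC-24 of data; pass a previous result as crc to checksum a stream piecewise."""
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def parse_lines(text: str) -> list:
    """Return [(line_no, data_bytes, stated_crc)], skipping blank lines and '#' comments."""
    rows = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"not a paperkey line: {raw!r}")
        rows.append((int(m.group(1)), bytes.fromhex(m.group(2)), int(m.group(3), 16)))
    return rows

def verify(text: str) -> list:
    """Describe each line whose checksum fails; an empty list means the transcription is clean.
    A line with no data bytes (paperkey's trailing whole-file CRC) is not checked here."""
    problems = []
    for line_no, data, stated in parse_lines(text):
        if data and crc24(data) != stated:
            problems.append(f"line {line_no}: computed {crc24(data):06X}, printed {stated:06X}")
    return problems

def key_header(text: str) -> dict:
    """Decode the leading bytes: format 00, key version 04, 20-byte fingerprint, 2-byte secret length."""
    data = b"".join(d for _, d, _ in parse_lines(text))
    assert data[:2] == b"\x00\x04", "unexpected paperkey format or key version"
    return {"fingerprint": data[2:22].hex().upper(), "secret_len": int.from_bytes(data[22:24], "big")}
```

Call verify() and key_header() on the contents of secret-text.txt; the fingerprint reported should match the one gpg printed at key generation, which is a quick sanity check that the OCR output belongs to the expected key.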

4.4. Reconstructing the private key

Now we are ready to reconstruct the private key. Run the following command and we will get our private key as secret-key.gpg:

paperkey --pubring public-key.asc.gpg --secrets secret-text.txt --output secret-key.gpg
