Will Clarke

How to share private GPG keys securely


GPG, short for GNU Privacy Guard, is a free cryptographic software suite. Lots of important sofware relies on it.

Personally, I use pass, “the standard unix password manager” to manage my passwords and it works a treat. Under the hood, pass uses gpg. This lets me use my terminal as a password manager.

There’s a great Android app which implements the same pass “spec” . This app relies on openkeychain for GPG-key management. In their FAQs, they elegantly sum up how best to transfer your private key:

generate a strong random password

gpg --armor --gen-random 1 20

encrypt key, use password above when asked

gpg --armor --export-secret-keys YOUREMAILADDRESS | gpg --armor --symmetric --output mykey.sec.asc

on the receiving computer

gpg --decrypt mykey.sec.asc | gpg --import

These steps will encrypt your secret keys symmetricly with a secure & one-time random password.

I’ve used magic-wormhole in the past to transfer sensitive information from computer to computer. It’s worked really well. If you’re paranoid about your keys (and it may be worth being paranoid…), I’d look into using magic-wormhole to move your encrypted private GPG keys around. It’s really easy. Literally wormhole send mykey.sec.asc.


gpg security