PAPERKEY(1) | General Commands Manual | PAPERKEY(1) |
paperkey - extract secret information out of OpenPGP secret keys
paperkey [--secret-key=FILE] [--output=FILE] [--output-type=base16|raw] [--output-width=WIDTH]
paperkey --pubring=FILE [--secrets=FILE] [--input-type=auto|base16|raw] [--output=FILE] [--ignore-crc-error] [--comment=STRING] [--file-format]
paperkey --version
As with all data, secret keys should be backed up. In fact, secret keys should be backed up even better than other data, because they are impossible to recreate should they ever be lost. All files encrypted to lost keys are forever (or at least for a long time) undecipherable. In addition to keeping backups of secret key information on digital media such as USB-sticks or CDs, it is reasonable to keep an if-all-else-fails copy on plain old paper, for use should your digital media ever become unreadable for whatever reason. Stored properly, paper is able to keep information for several decades or longer.
With GnuPG, PGP, or other OpenPGP implementations, the secret key usually contains a lot more than just the secret numbers that are important. It also holds all the public values of key pairs, user ids, expiration times and more. In order to minimize the information that has to be entered manually or with the help of OCR, QR code or similar software, paperkey extracts just the secret information out of OpenPGP secret keys. For recovering a secret key it is assumed that the public key is still available, for instance from public Internet keyservers.
paperkey has two modes of operation:
The first mode creates "paperkeys" by extracting just the secret information from a secret key, formatting the data in a way suitable for printing or in a raw mode for further processing.
The other mode rebuilds secret keys from such a paperkey and a copy of the public key, also verifying the checksums embedded in the paperkey. This mode is selected when the --pubring option is used, which is required in that case. If a passphrase was set on the original secret key, the same passphrase is set on the rebuilt key.
Input is read from standard-in except when the --secret-key or --secrets option is used; output is printed to standard-out, unless changed with the --output option.
Please note that paperkey does not change the protection and encryption status of your secret key, or the security requirements for storing it. If the secret key was protected by a passphrase, so is the paperkey. If the secret key was unprotected, the paperkey will not be protected either.
--help, -h Display a short help message and exit successfully.
Take the secret key in my-secret-key.gpg and generate a text file to-be-printed.txt that contains the secret data:
$ paperkey --secret-key my-secret-key.gpg --output to-be-printed.txt
Take the secret key data in my-key-text-file.txt and combine it with my-public-key.gpg to reconstruct my-secret-key.gpg:
$ paperkey --pubring my-public-key.gpg --secrets my-key-text-file.txt --output my-secret-key.gpg
If --output is not specified, the output goes to stdout. If --secret-key is not specified, the data is read from stdin so you can do things like:
$ gpg --export-secret-key my-key | paperkey | lpr
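A round-trip check for the two modes described above, as an added example that is not part of the paperkey distribution: it creates the printable text, rebuilds the key from that text and the public key, and compares the secret data extracted from the original and the rebuilt key. The function name verify_paperkey_backup and the temporary file names are assumptions; the two arguments are key files like those in the examples above.

```shell
#!/bin/sh
# Added example: confirm that a paperkey can actually be restored before
# relying on the printed copy. Uses only options listed in the synopsis.

verify_paperkey_backup() {
    secret=$1   # e.g. output of: gpg --export-secret-key my-key
    public=$2   # matching public key file
    (
        umask 077                       # work files hold secret key material
        work=$(mktemp -d) || exit 2
        trap 'rm -rf "$work"' EXIT      # remove the work files on every exit path

        # Mode 1: the text that would be sent to the printer.
        paperkey --secret-key "$secret" --output "$work/paper.txt" || exit 2

        # Mode 2: rebuild the secret key from that text plus the public key.
        # paperkey verifies the embedded checksums during this step.
        paperkey --pubring "$public" --secrets "$work/paper.txt" \
                 --output "$work/rebuilt.gpg" || exit 2

        # Extract the raw secret data from both keys and compare it.
        paperkey --secret-key "$secret" --output-type=raw \
                 --output "$work/orig.raw" || exit 2
        paperkey --secret-key "$work/rebuilt.gpg" --output-type=raw \
                 --output "$work/rebuilt.raw" || exit 2

        cmp -s "$work/orig.raw" "$work/rebuilt.raw"
    )
}

# Stand-alone use: sh verify-paperkey.sh my-secret-key.gpg my-public-key.gpg
if [ "$#" -eq 2 ]; then
    if verify_paperkey_backup "$1" "$2"; then
        echo "paperkey round trip OK"
    else
        echo "paperkey round trip FAILED" >&2
        exit 1
    fi
fi
```

Exit status 0 means the rebuilt key carries the same secret data, 1 means it differs, and 2 means one of the paperkey steps failed.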
gpg(1), http://www.jabberwocky.com/software/paperkey/
paperkey is written by David Shaw <dshaw@jabberwocky.com>.
June 2012 | PAPERKEY |