zngguvnf's Blog

Backup private keys


A few days ago, a good friend asked me: "How do you restore your encrypted offsite backup when you've lost all your other machines?"

If all my devices are down at the same time, I might actually have a problem, as I would need at least a PGP key to decrypt my password manager.

So after some research I decided to copy my private SSH and GPG keys to an encrypted VeraCrypt volume. This is basically a small encrypted folder (~10MB) you can lend to some of your friends.

Create encrypted volume

# Create a new volume through a text user interface
veracrypt --text --create

# Volume type
1  # normal, default

# Enter volume path:

# Enter volume size:
10M  # "du -sh ~/.gnupg/ ~/.ssh/" will give you a good idea

# Encryption Algorithm:
1  # For AES, default

# Hash algorithm:
1  # For SHA-512, default

# Filesystem
2  # For FAT, default

# Enter passphrase

# Enter PIM
# For more information: https://documentation.help/VeraCrypt/Personal%20Iterations%20Multiplier%20(PIM).html
# I leave this empty because I think my passphrase is strong enough

# Enter keyfile
none # default

Decrypt volume and mount it

mkdir /tmp/keys
veracrypt --text /private/unencrypted/nextcloud/keys /tmp/keys

Copy keys

scp -rp ~/.ssh/ /tmp/keys/
scp -rp ~/.gnupg /tmp/keys/
# ...
touch /tmp/keys/FILES_ARE_HIDDEN  # just a hint for the future 

Dismount volume

veracrypt --text --dismount /tmp/keys/
# make sure you are not in /tmp/keys, otherwise you will see:
# Error: umount: /tmp/keys: target is busy.
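# rmdir only removes an empty directory, so if the dismount failed
# the files on the still-mounted volume are not deleted
rmdir /tmp/keys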
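
An added example, not part of the original post: a check that the copy on the mounted volume matches the originals before dismounting, and a restore step that resets file modes, since the FAT filesystem chosen above stores no Unix permissions and OpenSSH refuses private keys that are readable by others. The function names manifest, verify_copy and restore_tree are made up for this sketch, and it assumes sha256sum is installed.

```shell
#!/bin/sh
# Added example (not from the original post). Nothing here calls veracrypt;
# the volume is assumed to be mounted already (e.g. on /tmp/keys).

# manifest DIR: print "sha256  ./relative/path" for every regular file in DIR.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k 2 )
}

# verify_copy SRC COPY: succeed only if both trees contain the same regular
# files with identical content. Sockets and other special files are ignored.
verify_copy() {
    [ -d "$1" ] && [ -d "$2" ] || return 2
    [ "$(manifest "$1")" = "$(manifest "$2")" ]
}

# restore_tree COPY DEST: copy a tree back from the volume and reset modes.
# Assumed target modes: 700 for directories, 600 for files, 644 for *.pub.
restore_tree() {
    [ -d "$1" ] || return 2
    mkdir -p "$2" && cp -R "$1"/. "$2"/ || return 1
    find "$2" -type d -exec chmod 700 {} +
    find "$2" -type f -exec chmod 600 {} +
    find "$2" -type f -name '*.pub' -exec chmod 644 {} +
}

# Usage while the volume is mounted on /tmp/keys:
#   verify_copy ~/.ssh   /tmp/keys/.ssh   && echo "ssh copy ok"
#   verify_copy ~/.gnupg /tmp/keys/.gnupg && echo "gnupg copy ok"
# Usage on a fresh machine after mounting the volume:
#   restore_tree /tmp/keys/.ssh   ~/.ssh
#   restore_tree /tmp/keys/.gnupg ~/.gnupg
```

Run verify_copy before the dismount step, so a failed or partial copy is noticed while the originals still exist.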
https://zngguvnf.org by zngguvnf is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.