I moved to another Macbook. Because of expensive SSDs and really smaller disk size, and because I wanted to start clean with this install, I couldn't transfer the user folder. I have the old disk in an external case connected, and see I forgot to export two private keys. I would like to restore them from the external disk, or from Time Machine.
Where can I find the GPG Tools private keys, so I can export them, or copy the entire GPG Tools folder?
By default, the GnuPG keyrings are stored in the (hidden) folder ~/.gnupg; with other words the .gnupg folder in your home directory. You can simply copy the whole folder to the new machine. If GnuPG doesn't work properly afterwards or shows some error message indicating broken permissions, make sure to take ownership afterwards (even if your user name is the same, the internal IDs could be different) by running following command in the Terminal application (it will query for your user password):
sudo chown -R $USER:staff ~/.gnupg
Alternatively, you can export your secret keys using the
gpg --export-secret-keys [key-id] >secret-keys.gpg
command. As you want to recover the keys from your old disk, connect it to your computer. To work on the old disk's GnuPG keyring, use the --homedir option, which will result in something like
gpg --homedir /Volumes/[old-disks-name]/Users/[username]/.gnupg --list-secret-keys
to list the secret keys available, and
gpg --homedir /Volumes/[old-disks-name]/Users/[username]/.gnupg --export-secret-keys [key-id] > secret-keys.gpg
to export them. You can also directly import them to your new GnuPG keyring instead of storing in an intermediate file (observe the missing --homedir parameter in the GnuPG call after the pipe):
gpg --homedir /Volumes/[old-disks-name]/Users/[username]/.gnupg --export-secret-keys [key-id] | gpg --import
Time machine backups can be mounted, but they can't be modified in place. Which means that a chown will fail, and that you can't use the --homedir option with gpg without getting a stream of this:
gpg: failed to create temporary file '/Volumes/<Backup Drive>/Backups.backupdb/<Compute Name>/Latest/Macintosh HD/Users/<name>/.gnupg/': Permission denied
gpg: can't connect to the agent: Permission denied
The chown will fail with a stream of messages like this:
$ sudo chown -R user:staff .gnupg
chown: .gnupg/tofu.db: Operation not permitted
chown: .gnupg/trustdb.gpg: Operation not permitted
chown: .gnupg: Operation not permitted
Copy the .gnupg folder out of the Time Machine backup, chown it, and see/extract the private keys as above:
$ mkdir ~/gpg_recovery
$ cp -r /Volumes/<Backup Drive>/Backups.backupdb/<Compute Name>/Latest/Macintosh HD/Users/<name>/.gnupg ~/gpg_recovery/
$ cd ~/gpg_recovery/
$ sudo chown -R $USER:staff .gnupg
Password:
$ gpg --homedir ~/gpg_recovery/.gnupg --list-secret-keys
$ gpg --homedir ~/gpg_recovery/.gnupg --export-secret-keys | gpg --import
gpg: key xxxxxxxxxxxxxxxx: public key "xxxxxxxxxxxxxxxxxxxxxxx" imported
gpg: key xxxxxxxxxxxxxxxx: secret key imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
Windows
On windows systems you may use a software like Gpg4win. In this case you can migrate your (private) keys by copying the following files to your new computer:
%AppData%\gnupg\pubring.kbx%AppData%\gnupg\trustdb.gpg%AppData%\gnupg\private-keys-v1.dTo list your current recognized (installed) local keys use gpg --list-secret-keys --keyid-format LONG. Tested with gpg (GnuPG) 2.3.4 (2021) installed via Gpg4win 4.0.0.
A small addition to @jens-erat's answer:
gpg --output private_keys.backup --armor --export-secret-keys
gpg --export-secret-key SOMEKEYID | ssh othermachine gpg --import
ref: How to export a GPG private key and public key to a file
