
What are we doing here?

This guide demonstrates the following:

  1. How to create OpenPGP keys using GnuPG
  2. How to export private GnuPG keys to a file
  3. How to create a backup of the exported private keys in the form of a PDF document
  4. How to recover from the scanned PDF backup
  5. How to import the recovered key back into GnuPG

Create your GnuPG Keys

If you want to learn more about good practices around managing your GnuPG keys, I highly recommend the following guide.

Here we'll create:

  • A main Elliptic Curve Certification Key
  • An RSA subkey for Signing
  • An RSA subkey for Encryption
  • An RSA subkey for Authentication

asciicast

Export Private Keys to a file

openpgp-paper-backup needs your private keys to be exported to a file. The file can be either text (see the --armour flag of the gpg command) or binary; either works. In the cast below I pass the --armour flag, but you don't have to. It makes no difference, because you'll delete the file after creating the backup anyway.

asciicast

Generate Paper Backup

Now that we have the private keys in the file (my-demo-key-backup-dir/my-demo-key-bakcup.pdf), you have to print it and store it in a safe location.

Restoring from the Backup

If it comes to the worst -- you've lost the key and have to restore from the backup -- you have to scan the PDF into a set of JPEG files (one JPEG per page) and store them in a directory. The directory must contain only the scanned pages of the PDF, nothing else.

See the following cast. Here I'm simulating the scanning with pdftoppm, but in a real-world scenario you'd scan the printed PDF.

asciicast
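The restore step requires that the scan directory hold only the scanned pages. The script below is an added example, not part of openpgp-paper-backup; it checks a directory for stray entries (dotfiles left by the OS or scanner software, subdirectories, symlinks, files that are not actually JPEG) before you attempt a restore. The function names `is_jpeg` and `check_scan_dir` are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for a directory of scanned backup pages.
# Function names are hypothetical; nothing here calls openpgp-paper-backup.

# True if FILE starts with the JPEG start-of-image marker (FF D8 FF).
is_jpeg() {
    [ "$(od -An -tx1 -N3 < "$1" | tr -d ' \n')" = "ffd8ff" ]
}

# Report every entry that is not a plain JPEG file. Returns 0 only if the
# directory is non-empty and contains nothing but JPEG files.
check_scan_dir() {
    dir=$1
    pages=0
    bad=0
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # The three globs cover normal names and dotfiles (.DS_Store and the like).
    for entry in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        # An unmatched glob stays literal; skip it. -L keeps dangling symlinks.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        if [ -L "$entry" ] || [ ! -f "$entry" ]; then
            echo "not a regular file: $entry" >&2
            bad=$((bad + 1))
        elif ! is_jpeg "$entry"; then
            echo "not a JPEG: $entry" >&2
            bad=$((bad + 1))
        else
            pages=$((pages + 1))
        fi
    done
    [ "$pages" -gt 0 ] || { echo "no scanned pages in $dir" >&2; return 1; }
    [ "$bad" -eq 0 ]
}
```

Source the file and run `check_scan_dir path/to/scans`; a non-zero status means the directory needs cleaning up before the restore.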