Backup SSH keys
If you use SSH to connect to a server or other services, you know how frustrating it can be to reinstall your operating system and lose access because you have to generate a new SSH key and add it all over again. In this post, I’ll show you a straightforward way to back up your SSH keys using GPG.
Asymmetric Encryption of SSH key
I will not go into detail on how to create your GPG key or your SSH key. Instead, we will only see how you can back them up.
You could theoretically use openssl to encrypt and store your SSH key, but we will explore how to achieve the same result using GPG, as this method seems a lot easier and redundant. First, we need to create a compressed file containing both the public and private keys located in the .ssh/ folder. Run the command from your home directory, since the paths are relative.
tar -czf ssh-keys.tar.gz .ssh/id_ed25519 .ssh/id_ed25519.pub
In my case, I am using an ed25519 based key, so the names may differ depending on the type of key you generated. Now, we will encrypt the tarball using gpg.
gpg --recipient youremail@example.com --encrypt ssh-keys.tar.gz
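After running this command, the encrypted file ssh-keys.tar.gz.gpg will contain the key pair. You may back this file up using cloud storage or whichever you prefer. Don’t worry, as no one but you will be able to decrypt the file: decryption requires the GPG private key of the recipient, so that key has to survive the reinstall too. The unencrypted ssh-keys.tar.gz is still on disk at this point, so delete it once the encrypted file exists.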
Decrypting the file
When you need the key pair again, first decrypt the file and then decompress the tarball.
gpg --decrypt ssh-keys.tar.gz.gpg > keys.tar.gz
tar xvzf keys.tar.gz
If you did not have a .ssh folder, it will be created automatically, but you still need to set the correct permissions and notify the ssh-agent of the new key pair.
chmod 600 ~/.ssh/id_ed25519
chmod 644 ~/.ssh/id_ed25519.pub
chmod 700 ~/.ssh
ssh-add ~/.ssh/id_ed25519
Note that this procedure also works for encrypting files of any type.
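The same backup and restore as one script, as an added example that is not from the original post: it pipes tar into gpg so the unencrypted tarball never lands on disk, and after restoring it checks that the private key still matches the .pub file. The function names, their arguments and the default key name id_ed25519 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and arguments are
# assumptions; tar, gpg, chmod and ssh-keygen are used with standard options.

# backup_keys HOME_DIR RECIPIENT OUT_FILE [KEY_NAME]
# Pipes the tarball straight into gpg, so no unencrypted archive is written.
backup_keys() {
    home=$1; recipient=$2; out=$3; name=${4:-id_ed25519}
    # Refuse to run if either half of the pair is missing: a failed tar on the
    # left of a pipe would otherwise still leave gpg writing a useless file.
    [ -r "$home/.ssh/$name" ] && [ -r "$home/.ssh/$name.pub" ] || return 1
    tar -czf - -C "$home" ".ssh/$name" ".ssh/$name.pub" |
        gpg --batch --yes --recipient "$recipient" --output "$out" --encrypt
}

# restore_keys IN_FILE HOME_DIR [KEY_NAME]
restore_keys() {
    src=$1; home=$2; name=${3:-id_ed25519}
    # umask 077 in a subshell: anything tar creates starts out owner-only.
    ( umask 077; gpg --batch --quiet --decrypt "$src" | tar -xzf - -C "$home" ) || return 1
    fix_perms "$home" "$name" && verify_pair "$home" "$name"
}

# fix_perms HOME_DIR KEY_NAME: the same modes the post sets by hand.
fix_perms() {
    chmod 700 "$1/.ssh" && chmod 600 "$1/.ssh/$2" && chmod 644 "$1/.ssh/$2.pub"
}

# verify_pair HOME_DIR KEY_NAME
# Re-derives the public key from the private key and compares key type and
# key blob with the restored .pub file (the trailing comment is ignored).
# A passphrase-protected key makes ssh-keygen prompt for the passphrase.
verify_pair() {
    derived=$(ssh-keygen -y -f "$1/.ssh/$2" | cut -d' ' -f1,2)
    stored=$(cut -d' ' -f1,2 "$1/.ssh/$2.pub")
    [ -n "$derived" ] && [ "$derived" = "$stored" ]
}
```

For example, `backup_keys "$HOME" youremail@example.com ssh-keys.tar.gz.gpg` before the reinstall and `restore_keys ssh-keys.tar.gz.gpg "$HOME"` afterwards, followed by ssh-add as in the post.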