1PAPERKEY(1)                 General Commands Manual                PAPERKEY(1)
2
3
4

NAME

6       paperkey - extract secret information out of OpenPGP secret keys
7

SYNOPSIS

9       paperkey [--secret-key=FILE] [--output=FILE] [--output-type=base16|raw]
10       [--output-width=WIDTH]
11
12       paperkey --pubring=FILE [--secrets=FILE] [--input-type=auto|base16|raw]
13       [--output=FILE] [--ignore-crc-error] [--comment=STRING] [--file-format]
14
15       paperkey --version
16

MOTIVATION

18       As  with  all  data,  secret keys should be backed up.  In fact, secret
19       keys should be backed up even better than other data, because they  are
20       impossible  to  recreate should they ever be lost.  All files encrypted
21       to lost keys are forever (or at least for a long time)  undecipherable.
22       In  addition  to  keeping  backups of secret key information on digital
23       media such as USB-sticks or CDs it is reasonable  to  keep  an  if-all-
24       else-fails  copy  on plain old paper, for use should your digital media
25       ever become unreadable for whatever reason.  Stored properly, paper  is
26       able to keep information for several decades or longer.
27
28       With  GnuPG,  PGP, or other OpenPGP implementations the secret key usu‐
29       ally contains a lot more than just the secret numbers that  are  impor‐
30       tant.   They  also  hold  all the public values of key pairs, user ids,
31       expiration times and more.  In order to minimize the  information  that
32       has  to  be entered manually or with the help of OCR software, paperkey
33       extracts just the secret information out of OpenPGP secret  keys.   For
34       recovering  a  secret  key  it  is assumed that the public key is still
35       available, for instance from public internet keyservers.
36

DESCRIPTION

38       paperkey has two modes of operation:
39
40       The first mode creates "paperkeys" by extracting just the secret infor‐
41       mation  from  a  secret  key, formatting the data in a way suitable for
42       printing or in a raw mode for further processing.
43
44       The other mode rebuilds secret keys from such a paperkey and a copy  of
45       the  public key, also verifying the checksums embedded in the paperkey.
46       This mode is selected when the  --pubring  option  is  used,  which  is
47       required  in that case.  If a passphrase was set on the original secret
48       key, the same passphrase is set on the rebuilt key.
49
50       Input  is  read  from  standard-in  except  when  the  --secret-key  or
51       --secrets  option  is  used;  output is printed to standard-out, unless
52       changed with the --output option.
53

SECURITY CONSIDERATIONS

55       Please note that paperkey does not change the protection and encryption
56       status of and security requirements for storing your secret key. If the
57       secret key was protected by a passphrase so is the  paperkey.   If  the
58       secret key was unprotected the paperkey will not be protected either.
59

OPTIONS

61       --help, -h Display a short help message and exit successfully.
62
63       --version
64              Print  version  information  and  copyright information and exit
65              successfully.
66
67       --verbose
68              Print status and progress information  to  standard-error  while
69              processing the input.  Repeat for even more output.
70
71       --output=FILE
72              Redirect  output  to the file given instead of printing to stan‐
73              dard-output.
74
75       --comment=STRING
76              Include the specified comment in the base16 output.
77
78       --file-format
79              Paperkey automatically includes the file format it uses as  com‐
80              ments  at  the  top  of  the base16 output.  This command simply
81              prints out the file format and exits successfully.
82

OPTIONS FOR EXTRACTING SECRET INFORMATION

84       --output-type=base16, --output-type=raw
85              Select the output type.  The base16 style encodes  the  informa‐
86              tion  in the style of a classic hex-dump, including line numbers
87              and per-line CRC checksums to facilitate  localizing  errors  in
88              the  input  file during the recovery phase.  The raw, or binary,
89              mode is just a raw dump of the secret information, intended  for
90              feeding to barcode generators or the like.
91
92       --output-width=WIDTH
93              Choose  line width in the base16 output mode.  The default is 78
94              characters.
95
96       --secret-key=FILE
97              File to read the secret key from.  If this option is  not  given
98              paperkey reads from standard-input.
99

OPTIONS FOR RE-CREATING PRIVATE KEYS

101       --input-type=auto, --input-type=base16, --input-type=raw
102              Specify that the given input is either in base16 format, as pro‐
103              duced by paperkey, or in raw format.  The default,  auto,  tries
104              to automatically detect the format in use.
105
106       --pubring=FILE
107              File  to  read  public key information from.  It is assumed that
108              the user can get the public key from sources like public  inter‐
109              net keyservers.
110
111       --secrets=FILE
112              File to read the extracted secrets, the paperkey, from.  If this
113              is not given then the information is read from standard-input.
114
115       --ignore-crc-error
116              Do not reject corrupt input and continue despite any CRC errors.
117

EXAMPLES

119       Take  the  secret  key  in   key.gpg   and   generate   a   text   file
120       to-be-printed.txt that contains the secret data:
121
122       $ paperkey --secret-key my-secret-key.gpg --output to-be-printed.txt
123
124       Take  the  secret  key data in my-key-text-file.txt and combine it with
125       my-public-key.gpg to reconstruct my-secret-key.gpg:
126
127       $ paperkey --pubring my-public-key.gpg  --secrets  my-key-text-file.txt
128       --output my-secret-key.gpg
129
130       If   --output  is  not  specified,  the  output  goes  to  stdout.   If
131       --secret-key is not specified, the data is read from stdin so  you  can
132       do things like:
133
134       $ gpg --export-secret-key my-key | paperkey | lpr
135

SEE ALSO

137       gpg(1),      /usr/share/doc/paperkey/README.gz,      http://www.jabber
138       wocky.com/software/paperkey/
139

AUTHORS

141       paperkey is written by David Shaw <dshaw@jabberwocky.com>.
142
143
144
145PAPERKEY                         January 2008                      PAPERKEY(1)
Impressum