1PAPERKEY(1) General Commands Manual PAPERKEY(1)
2
3
4
6 paperkey - extract secret information out of OpenPGP secret keys
7
9 paperkey [--secret-key=FILE] [--output=FILE] [--output-type=base16|raw]
10 [--output-width=WIDTH]
11
12 paperkey --pubring=FILE [--secrets=FILE] [--input-type=auto|base16|raw]
13 [--output=FILE] [--ignore-crc-error] [--comment=STRING] [--file-format]
14
15 paperkey --version
16
18 As with all data, secret keys should be backed up. In fact, secret
19 keys should be backed up even better than other data, because they are
20 impossible to recreate should they ever be lost. All files encrypted
21 to lost keys are forever (or at least for a long time) undecipherable.
22 In addition to keeping backups of secret key information on digital
23 media such as USB-sticks or CDs it is reasonable to keep an if-all-
24 else-fails copy on plain old paper, for use should your digital media
25 ever become unreadable for whatever reason. Stored properly, paper is
26 able to keep information for several decades or longer.
27
28 With GnuPG, PGP, or other OpenPGP implementations the secret key usu‐
29 ally contains a lot more than just the secret numbers that are impor‐
30 tant. They also hold all the public values of key pairs, user ids,
31 expiration times and more. In order to minimize the information that
32 has to be entered manually or with the help of OCR software, paperkey
33 extracts just the secret information out of OpenPGP secret keys. For
34 recovering a secret key it is assumed that the public key is still
35 available, for instance from public internet keyservers.
36
38 paperkey has two modes of operation:
39
40 The first mode creates "paperkeys" by extracting just the secret infor‐
41 mation from a secret key, formatting the data in a way suitable for
42 printing or in a raw mode for further processing.
43
44 The other mode rebuilds secret keys from such a paperkey and a copy of
45 the public key, also verifying the checksums embedded in the paperkey.
46 This mode is selected when the --pubring option is used, which is
47 required in that case. If a passphrase was set on the original secret
48 key, the same passphrase is set on the rebuilt key.
49
50 Input is read from standard-in except when the --secret-key or
51 --secrets option is used; output is printed to standard-out, unless
52 changed with the --output option.
53
55 Please note that paperkey does not change the protection and encryption
56 status of and security requirements for storing your secret key. If the
57 secret key was protected by a passphrase so is the paperkey. If the
58 secret key was unprotected the paperkey will not be protected either.
59
61 --help, -h Display a short help message and exit successfully.
62
63 --version
64 Print version information and copyright information and exit
65 successfully.
66
67 --verbose
68 Print status and progress information to standard-error while
69 processing the input. Repeat for even more output.
70
71 --output=FILE
72 Redirect output to the file given instead of printing to stan‐
73 dard-output.
74
75 --comment=STRING
76 Include the specified comment in the base16 output.
77
78 --file-format
79 Paperkey automatically includes the file format it uses as com‐
80 ments at the top of the base16 output. This command simply
81 prints out the file format and exits successfully.
82
84 --output-type=base16, --output-type=raw
85 Select the output type. The base16 style encodes the informa‐
86 tion in the style of a classic hex-dump, including line numbers
87 and per-line CRC checksums to facilitate localizing errors in
88 the input file during the recovery phase. The raw, or binary,
89 mode is just a raw dump of the secret information, intended for
90 feeding to barcode generators or the like.
91
92 --output-width=WIDTH
93 Choose line width in the base16 output mode. The default is 78
94 characters.
95
96 --secret-key=FILE
97 File to read the secret key from. If this option is not given
98 paperkey reads from standard-input.
99
101 --input-type=auto, --input-type=base16, --input-type=raw
102 Specify that the given input is either in base16 format, as pro‐
103 duced by paperkey, or in raw format. The default, auto, tries
104 to automatically detect the format in use.
105
106 --pubring=FILE
107 File to read public key information from. It is assumed that
108 the user can get the public key from sources like public inter‐
109 net keyservers.
110
111 --secrets=FILE
112 File to read the extracted secrets, the paperkey, from. If this
113 is not given then the information is read from standard-input.
114
115 --ignore-crc-error
116 Do not reject corrupt input and continue despite any CRC errors.
117
119 Take the secret key in key.gpg and generate a text file
120 to-be-printed.txt that contains the secret data:
121
122 $ paperkey --secret-key my-secret-key.gpg --output to-be-printed.txt
123
124 Take the secret key data in my-key-text-file.txt and combine it with
125 my-public-key.gpg to reconstruct my-secret-key.gpg:
126
127 $ paperkey --pubring my-public-key.gpg --secrets my-key-text-file.txt
128 --output my-secret-key.gpg
129
130 If --output is not specified, the output goes to stdout. If
131 --secret-key is not specified, the data is read from stdin so you can
132 do things like:
133
134 $ gpg --export-secret-key my-key | paperkey | lpr
135
137 gpg(1), /usr/share/doc/paperkey/README.gz, http://www.jabber‐
138 wocky.com/software/paperkey/
139
141 paperkey is written by David Shaw <dshaw@jabberwocky.com>.
142
143
144
145PAPERKEY January 2008 PAPERKEY(1)