Backup your PGP key with pencil and paper

In this article you will learn how to backup your private PGP key by hand, using pencil and paper, and the reasons to do so.

Handwritten PGP key

Why you should backup your key and why mass memory is not enough

Once you create your PGP private key (don’t know what PGP is? Check 1-2-3 PGP), backing it up becomes an interesting challenge: you need your key to encrypt/sign data, and if you lose it there is no way to recover it (unlike — say — a site login). If your key is lost you are out of luck: all of your encrypted data (backups, emails, etc.) is gone forever.

A solution is to copy your private key to a USB flash drive and be done with it. Vendors like to make outrageous claims about their product’s shelf life (example 1):

If you simply write data to a USB flash drive and put it away in a safe place for 10 years, it will work again and all the data will still be there.

It does not work like that. Even if your flash drive has had just 10 write/erase cycles, something can and eventually will go wrong. It happened to me (Thank God, on a stick with backup archives and not with my PGP key), and most likely it has happened to you. Once breakage happens you are on your own: marketing claims by the manufacturers mean nothing in civil court (actually, by the time you need the data, there is a good chance your vendor will no longer be in business).

The tested method of paper and handwriting challenges

Most PGP users have internalised the notion that contemporary technology is ephemeral and not at all future-proof (hopefully by reading best practices and not by a painful life lesson).

A very good medium to store things is paper: paper has been with us for a long time and printed matter — if stored properly — withstands the test of time admirably (example: a beautiful book from the XVI century).

Hence many PGP manuals suggest that their users print a hardcopy of their private keys for storage in a safe place. This is an excellent suggestion, but what if:

There is a simple — if laborious — way around it: writing down your PGP key by hand.

Handwriting has been around for millennia and documents written by hand can stay around for millennia (this is no speculation, we know it by experience). So we are going to write down our PGP key by hand. Our goals are:

Before describing the process, let us examine the materials we are going to use and a handy *nix utility that will simplify our task.

Stationery to backup your key

TL;DR: use acid free paper (preferably permanent paper — ISO 9706) and a pencil with a firm core.

Firstly, the paper. Paper is the medium we are going to write on, so it should not yellow or discolour over the years, nor become brittle and easily damaged. More information about paper degradation can be found in Caring for paper objects by the Canadian Conservation Institute.

Luckily for us, the International Organization for Standardization has developed a standard (ISO 9706* — Paper for documents) for such high-quality paper:

Librarians and archivists have found that paper documents made as recently as 50 years ago are beginning to show serious deterioration under typical library and archive storage conditions. The history of the past 1 500 years shows that fibres of pure cellulose have considerable permanence. Modern research indicates that the deterioration is due to the presence of cellulose-degrading compounds in the paper furnish and materials incorporated in the paper during manufacture, e.g. acidic materials such as rosin-alum size.

The purpose of this International Standard is to provide a means of specifying and identifying paper that, according to the present state of knowledge, has a high degree of permanence and is likely to undergo little or no change in properties that influence readability and handling when stored in a protected environment for long periods of time.

Buy any stack of ISO 9706 paper, or even a notebook. Not all manufacturers advertise ISO 9706 compliance; I settled on Fabriano paper.

Now, let us analyse the writing tool: after a bit of research I settled on a pencil with a firm core. This might surprise some (“Why not a permanent marker? What about fading?”), but archivists are unanimous (e.g. Procedimenti di copia e problemi di conservazione, in Italian, PDF): “Graphite tracing is very chemically stable, and is sensitive only to rubbing and abrasion”.

Indeed graphite is eminently stable. This cannot be said of most inks. Humidity especially is not kind to inks, even archival ones. Time-tested inks are usually china inks (fluids with small particles of pigment suspended inside). Today we use them for drawing, but alas they are not common in writing tools. Again, assurances from manufacturers might or might not correspond with the truth.

Fading is a problem with soft pencils. Pencils are graded by the hardness of their core. Writing pencils range from 2B (US: #0) to 2H (US: #4). If you pick a hard core to write with (H or 2H, I chose H) and don’t store your paperkeys under a stack of twenty books, you will be fine. If you pick a notebook instead of loose-leaf paper to write your key on, avoid spiral ones, as they increase the friction between pages when turning them. When possible, prefer hardbound notebooks.

And that is that for archival qualities: do not add lamination or any kind of plastic; once you are finished copying, just store your key in a paper or cardboard folder.

Let us see which format is best for copying out the key:

A good textual format for PGP: paperkey

paperkey is the essential program for our task. An ASCII-armored PGP key looks like this:

-----BEGIN PGP PRIVATE KEY BLOCK-----
⁝

No spaces, an upper/lowercase mix, extremely unwieldy to copy by hand (and sometimes even to scan), and no built-in error checking for bursts of data.

Using paperkey transforms our private key to something easier to manipulate, like this:

# Base16 data extracted Thu Feb 17 16:20:43 2022
1: 00 04 E3 63 35 4F A8 1A 5A F9 33 4F 02 EB D6 30 4A F5 02 D9 39 19 494042
2: 05 39 FE 07 03 02 A8 D4 41 26 21 29 93 F4 E7 59 2F C4 8B E3 22 C3 E5C919
3: 0A BE 63 AC 1D CA 06 B6 43 FF F5 E5 69 B3 7C FF B4 24 E3 6B 3C DD 3BEEE4
4: 07 70 93 42 01 1D 9F 08 5E 25 EF 15 C5 39 50 D5 2F 24 68 EA F3 52 088714
5: AF 1A A8 32 03 39 04 B3 EF C9 83 74 E4 3F 4B 44 6A 83 25 10 50 74 6CDF7A
⁝

A couple of notes:

Following this paperkey tutorial you will get acquainted with the utility.

A useful gpg option to experiment with paperkey is --homedir:

gpg --homedir ~/test-folder/gpghome/ --list-keys

This way your default keyring, trust database, etc. are ignored and you get a fresh keyring with which you can test whether the conversion/import was successful.

Overview of the copying process

Apart from your sheet of paper, you will work with two files:

  1. The first file (let us call it paperkey-live.txt) is the one that contains your generated paperkey. You will write down your key to paper from this source; each line successfully copied will be erased from paperkey-live.txt.

  2. A second file (named handwritten.txt) will be needed to make sure everything is correct. You will copy the data from your paper to handwritten.txt.

    The extra step of copying your handwritten key back to a file means the two files can be compared, ensuring that your handwriting is legible, that there are no errors in transcription, etc. This ensures your handwritten hardcopy is accurate and readable, and can be stored away with the assurance that you will still be able to retrieve your private PGP key years from now.

Let me illustrate a possible setup:

Key and folder setup

First you need to generate your paperkey.

paperkey --secret-key secret.gpg --output paperkey.txt
# to obtain your secret key from `gpg` type
# $ gpg -o secret.gpg --export-secret-key <your-email-or-key-id>

Now it is a good time to move paperkey.txt to a read-only folder.

Create a folder where you will put three files:

.
├── paperkey-live.txt
├── handwritten.txt
├── public.gpg
└── check.sh

check.sh is nothing more than a script that recovers your secret PGP key from your paperkey (we will see in a moment why it is useful).

#!/bin/sh
# contents of check.sh
clear
# rebuild the secret key from the typed-back paperkey plus the public key;
# paperkey checks the CRC of every line of handwritten.txt while reading it
paperkey --pubring=originale/public.gpg --secrets=handwritten.txt

paperkey-live.txt is the copy of your original paperkey.txt; handwritten.txt is an empty text file, for now.

Method

Let us again paste the folder structure:

.
├── paperkey-live.txt
├── handwritten.txt
├── public.gpg
└── check.sh

The operation is very simple: you will copy the contents of paperkey-live.txt (where your paperkey is) to paper. Then you will copy the data back from your handwritten paper to handwritten.txt. Then you will check programmatically that everything went fine during transcription.

Detailed steps (once paperkey-live.txt and handwritten.txt are both open):

Remember: it is paramount to copy the line back from paper once you have written it down. Only in this way can you rest assured that there were no errors in the transcription and that your private key will eventually be recoverable.

Hexadecimal codes on paper

Hexadecimal numbers are written with these digits: 0123456789abcdef (uppercase: 0123456789ABCDEF). When handwriting, some of these signs can be mistaken for one another, especially if you are writing a lot of them.

I searched the scientific literature on the matter, but came up empty-handed. Hence I had to do some experiments myself.

The digits I found most troubling were D (which often deformed into a 0) and F (which, when transcribing, I often confused with a 7).

uppercase hexadecimal digits, written in pencil

So I decided to replace those two signs with a different, less deformable, less confusing alternative. You can see all the digits here:

uppercase modified hexadecimal digits, written in pencil

Types of errors

The process of transferring your key to paper is composed of three steps: first you write it down on paper (transcription), second you copy it back from paper (copying), then you check (with paperkey) that everything went correctly (verification).

The most common type of error I made was swapping the two digits of a hexadecimal number (e.g. reading C0 when 0C is written on paper).

I experienced many more errors during the verification phase than the transcription one. I suspect this is because, although I can touch type, I cannot do it on digits (only on letters). So it might be a time saver to practise with a touch-typing program on digits before starting the transcription process.
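The comparison step from the overview above and the slips listed in this section, as an added example that is not from the original article: a small checker (my own code, not paperkey's) that recomputes each line's CRC-24 in handwritten.txt, diffs it byte by byte against paperkey-live.txt and names the likely slip. It assumes paperkey's documented Base16 layout (a CRC-24 of the line's bytes at the end of every line, and a final line holding the CRC-24 of all the data); the sample lines are constructed, not taken from a real key.

```python
import re
# OpenPGP CRC-24 (RFC 4880, 6.1): paperkey ends each line with it and, per its
# docs, adds a final line holding the CRC-24 of all the data (assumption).
def crc24(data: bytes) -> int:
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF
# one paperkey text line: "<n>: <two-digit hex bytes ...> <six-digit CRC>"
LINE_RE = re.compile(r"^\s*(\d+):((?:\s+[0-9A-Fa-f]{2})*)\s+([0-9A-Fa-f]{6})\s*$")
def parse(text: str) -> dict:
    """Map line number -> (list of hex bytes, CRC written at the end of the line)."""
    lines = {}
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and the "# Base16 data extracted ..." comment
        m = LINE_RE.match(raw)
        if not m: raise ValueError(f"unparseable line: {raw!r}")
        lines[int(m.group(1))] = (m.group(2).split(), int(m.group(3), 16))
    return lines
def classify(written: str, typed: str) -> str:
    """Name the likely slip between the byte on paper and the byte typed back."""
    if written == typed[::-1]:
        return "digits swapped"
    diffs = {tuple(sorted(p)) for p in zip(written, typed) if p[0] != p[1]}
    if diffs <= {("0", "D")}:
        return "D/0 confusion"
    return "F/7 confusion" if diffs <= {("7", "F")} else "other"

def check(live: str, handwritten: str) -> list:
    """(line, column, written, typed, reason) per CRC failure and differing byte."""
    problems, src, copy, seen = [], parse(live), parse(handwritten), b""
    for n, (cbytes, ccrc) in sorted(copy.items()):
        data = bytes.fromhex("".join(cbytes))
        seen += data
        if crc24(data if cbytes else seen) != ccrc:  # no bytes: all-data CRC line
            problems.append((n, None, None, None, "line CRC-24 mismatch"))
        for col, (a, b) in enumerate(zip(src.get(n, ([], 0))[0], cbytes), 1):
            if a.upper() != b.upper():
                problems.append((n, col, a, b, classify(a.upper(), b.upper())))
    return problems
def make_line(n: int, data: bytes) -> str:
    return f"{n}: " + " ".join(f"{b:02X}" for b in data) + f" {crc24(data):06X}"
# Constructed sample (not a real key) and a typed-back copy with three slips.
ROWS = [bytes.fromhex(h) for h in ("00040C7D", "A1DF1F", "2B3C")]
LIVE = "# constructed sample\n" + "\n".join(make_line(i + 1, d) for i, d in enumerate(ROWS))
LIVE += f"\n4: {crc24(b''.join(ROWS)):06X}\n"
HANDWRITTEN = LIVE.replace("00 04 0C 7D", "00 04 C0 7D").replace("A1 DF 1F", "A1 0F 17")
```

Running check(LIVE, HANDWRITTEN) reports the CRC failures on lines 1 and 2 together with "digits swapped" at column 3 of line 1 and the D/0 and F/7 slips on line 2, while check(LIVE, LIVE) returns an empty list.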

End notes

I approached copying my PGP key to paper in short bursts: each day I copied just three lines, and that took me from 10 to 15 minutes, depending on how many mistakes I had to correct.

Considering a paperkey is less than 150 lines, that means it should take 50 sessions, or a little less than 2½ months to get it on paper. The whole effort costs 50×10m ≃ 8 hours of your time (May 2022 addendum: as Ingo Klöcker notices, modern ed25519 keys are way shorter. If you have one of those — or are prepared to switch —, it will take a fraction of the time).

It might be a cumbersome process, but since there was no information on the net, it was well worth trying it out and documenting it.

Thanks

Thanks to Carina for having written/scanned the first picture. Thanks to Galen for proofreading the article. Thanks to Jack for spotting additional typos.