diff --git a/doc/generating-2048-RSA-key.rst b/doc/generating-2048-RSA-key.rst index 129f580..3164c54 100644 --- a/doc/generating-2048-RSA-key.rst +++ b/doc/generating-2048-RSA-key.rst @@ -270,9 +270,35 @@ We make a file for the public key by ``--export`` option of GnuPG. :: $ gpg --armor --output .asc --export -We can publish the file by web server. Or we can publish it +We can publish the file by web server. Or we can publish the key to a keyserver, by invoking GnuPG with ``--send-keys`` option. :: $ gpg --keyserver pool.sks-keyservers.net --send-keys -Here, pool.sks-keyservers.net is a keyserver, widely used. +Here, pool.sks-keyservers.net is a keyserver, which is widely used. + + +Backup the private key +====================== + +There are some ways to back up private key, such that backup .gnupg +directory entirely, use of paperkey. Here we describe backup by ASCII +file. ASCII file is good, because it has less risk on transfer. +Binary file has a risk to be modified on transfer. + +Note that the key on host PC is protected by passphrase (which +is in the example above). Using the key +from the backup needs this passphrase. It is common that +people will forget passphrase for backup. Never forget it. +You have been warned. + +To make ASCII backup for private key, +invokde GnuPG with ``--armor`` option and ``--export-secret-keys`` +specifying the key identifier. :: + + $ gpg --armor --output .asc --export-secret-keys + +From the backup, +we can recover privet key by invoking GnuPG with ``--import`` option. :: + + $ gpg --import .asc diff --git a/doc/index.rst b/doc/index.rst index 174dd47..cbf8207 100644 --- a/doc/index.rst +++ b/doc/index.rst @@ -18,9 +18,9 @@ Contents: development.rst stop-scdaemon.rst udev-rules.rst - generating-2048-RSA-key.rst gnuk-token-initial-configuration.rst gnuk-personalization.rst + generating-2048-RSA-key.rst gnuk-keytocard.rst gnuk-keytocard-noremoval.rst using-gnuk-token-with-another-computer.rst
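Review bot: the new "Backup the private key" section in doc/generating-2048-RSA-key.rst explains how to produce the ASCII export but never says where the resulting .asc file should be kept. The text itself notes that the key is protected by the passphrase, so the exported file's only protection is that passphrase; suggest adding a sentence telling the reader to move the file to offline removable media and not leave a copy on the host PC. Wording fixes in the same hunk: "invokde GnuPG" should be "invoke GnuPG", "recover privet key" should be "recover the private key", the heading reads better as "Back up the private key", and "such that backup .gnupg directory entirely, use of paperkey" would be clearer as "such as backing up the entire .gnupg directory or using paperkey".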
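Review bot: the doc/index.rst hunk moves generating-2048-RSA-key.rst from before gnuk-token-initial-configuration.rst to after gnuk-personalization.rst, which changes the reading order of the manual and is unrelated to the backup section added in the other file. Suggest either splitting the reorder into its own commit or stating the reason for the new order in the commit message, so a reader following the contents list knows whether the token is meant to be configured before the key is generated.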