GPG private key export: A quick guide

Here is a short step-by-step guide on how to extract your GPG key and how to import it on another machine.
Why: After extending the expiry date of a GPG key you might have to copy your key to another machine to use the same key there.

Step-by-step guide to export and import your key

1. Identify your private key:

   gpg --list-secret-keys user@example.com

Example output:

   pub   4096R/ABC12345 2020-01-01 [expires: 2025-12-31]
   uid                  Your Name <user@example.com>
   sub   4096R/DEF67890 2020-01-01 [expires: 2025-12-31]

Remember the ID of your key (second column, after the slash, e.g. "ABC12345"). If you have a "sub" entry, you can ignore it.

2. Run this command to export your key:

   gpg --export-secret-keys YOUR_ID_HERE > private.key

3. Copy the key file to the other machine using a secure transport (scp is your friend).

4. To import the GPG key, run

   gpg --import private.key

If the key already existed on the second machine, the import will fail saying "Key already known".
To force import, you will have to delete both the private and public key first (gpg --delete-keys and gpg --delete-secret-keys).
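
An added example, not part of the original guide: shell helpers that perform steps 2 and 4 with the exported file readable only by its owner, and that compare the full 40-character fingerprint on the target machine, since the 8-character ID from step 1 is not guaranteed to be unique. The function names and the sample listing are constructed for illustration; the script assumes a POSIX shell with gpg and awk.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names are illustrative.

# Constructed, abbreviated sample of `gpg --with-colons --list-secret-keys`.
SAMPLE_LISTING='sec:u:4096:1:89ABCDEFABC12345:1577836800:1767139200:::::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFABC12345:
uid:u::::1577836800::::Your Name <user@example.com>:
ssb:u:4096:1:76543210DEF67890:1577836800:1767139200:::::e:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210DEF67890:'

# Print the fingerprint of each primary key in colon-format output on stdin.
# The "fpr" record that follows "ssb"/"sub" belongs to a subkey and is skipped.
primary_fprs() {
    awk -F: '
        $1 == "sec" || $1 == "pub" { want = 1; next }
        $1 == "ssb" || $1 == "sub" { want = 0; next }
        $1 == "fpr" && want        { print $10; want = 0 }
    '
}

# Succeed only if stdin lists exactly one primary key and it equals $1.
# Spaces and lowercase hex in $1 are accepted.
fpr_matches() {
    expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    found=$(primary_fprs)
    [ -n "$found" ] && [ "$found" = "$expected" ]
}

# Source machine (step 2): export with the file readable by its owner only.
export_key() {    # $1 = key ID or fingerprint, $2 = output file
    ( umask 077 && gpg --export-secret-keys "$1" > "$2" )
}

# Target machine (step 4): import, compare fingerprints, remove the file.
import_key() {    # $1 = key file, $2 = fingerprint noted on the source machine
    gpg --import "$1" || return 1
    gpg --with-colons --fingerprint --list-secret-keys "$2" | fpr_matches "$2" \
        || { echo "fingerprint mismatch, keeping $1 for inspection" >&2; return 1; }
    rm -f "$1"
}
```

On the source machine, gpg --fingerprint YOUR_ID_HERE prints the fingerprint to pass to import_key.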

Issues with Enigmail / GnuPG v2 and a solution

Note that you probably also have gpg2 on your system, which is backwards-compatible with gpg but seems to manage a separate list of keys. When using Thunderbird with Enigmail, note that it uses version 2 and may be unable to see your private key after importing. To fix that, run

   gpg2 --import private.key

Last Step: Restart Thunderbird afterwards. And you're done!

Thomas Eisenbarth