How to back up passbolt GPG keys


I am trying to setup a proper backup of my passbolt server. I understand all stuffs about SQL well. What I do not understand good is howto backup GPG. I saw a howto (Passbolt Help | Backing up a passbolt installation (v2)), there is written:
You can copy the server OpenPGP key in config/gpg or export it directly from GnuPG. I guess in config directory is stored public and private GPG of administrator or first user. Am I right ? Is it enough to backup ? When I tried the second option, I can list all users, I am unable to export private keys (which is ok), but when I tried to export private and public keys of administrator, I am not sure about exported files, there are some binary kind files, much much differs from files in config dir. The same issue when I tried to export public keys of users, exported files are binary, not readable GPG TXT as always. Is it OK ? Do I have to backup public keys of all users or not ?


@tlamik Hi welcome to the forum!

The server has a private and public key stored in the config/gpg folder, yes. Also, the key was created and is also found in the GPG keyring for the web server user. Server keys can be exported using the commands in the link your provided.

Private keys of the users are not on kept on the server - each user must keep their private key safe and it is downloaded on their end after they register.

(Edited for accuracy)Back up public keys of users, yes. However, the public keys of users are found in the database (as well as the gpg keyring) so backing up the database will also meet the need of backing up the public keys of the users.

Your specific server setup may include other apps, for example, and the general methods to export/import keys in bundled fashion is:

Export public keys:

gpg -a --export > mypubkeys.asc

Export private keys (may only be the one private server key):

gpg -a --export-secret-keys > myprivatekeys.asc


gpg --import myprivatekeys.asc
gpg --import mypubkeys.asc

List secret keys:

gpg -K

List public keys:

gpg -k



@tlamik I updated the answer for accuracy.