PGP - Transfer Key to New Machine

How to securely transfer a PGP key from an old computer to a new one

Problem

• The client needs to import their key pair to their new computer if they want to be able to keep decrypting and encrypting their emails in the new machine with their current keys.
• The key pair needs to be wiped in the old machine, as otherwise anyone having access to that device might also have access to the client’s private key.

Solution

1. Check the length of the client’s current PGP key. If the length is 2048 bits or lower, we should recommend the client generates a new 4096-bit key for security reasons. This requires assisting the client to revoke the PGP key and create a new one. The client’s contacts will then need to be notified to refresh their key chain.
   • See Article #18: FAQ - PGP Setup for instructions on how to generate a new key pair.
   • See Article #150: PGP - Revoking old key from key servers for instructions on how to revoke the old key.

2. If the length of the current key is 4096 bits or higher, we can proceed in guiding the client through the steps needed to export their key pair to their new machine, by sending them an email based on Article #297: PGP - Transfer Key to New Machine - Email.

3. Wait for the client’s encrypted reply and check that they can encrypt and decrypt emails in their new machine by replying to their email and making sure that they can read your encrypted message.

Comments

If the client is using GPGTools + Apple Mail, a very similar export/import process can be followed using the GPG Keychain. More details can be found in this guide.

Troubleshooting

If after moving the key pair to the new machine, the passphrase for the private key does not work, see Article #43: PGP - Issues with Key Transfer.

Related Articles

• Article #18: FAQ - PGP Setup
• Article #150: PGP - Revoking old key from key servers
• Article #297: PGP - Transfer Key to New Machine - Email
• Article #43: PGP - Issues with Key Transfer