How to move secret keys to USB drive

To further secure your secret key ring, you can move it to a USB drive.

When you do that, you will always be able to encrypt and verify information.
In order to sign or decrypt information however, you'll have to make sure your USB drive is plugged in.

Moving the secret key ring will make it harder for an attacker to get hold of your secret keys even if your computer is compromised.

Follow these steps to move the secret key ring (secring.gpg) file containing all your secret keys:

  1. close GPG Keychain, Mail and any other gpg application
  2. open finder, press Shift Cmd G (⇧⌘G), paste '~/.gnupg/secring.gpg' without the ' and click Go
  3. move the file '~/.gnupg/secring.gpg' to the USB drive
  4. right click the 'gpg.conf' file in the same directory and select Open With > TextEdit
  5. add the following lines at the end

    no-default-keyring
    secret-keyring /Volumes/USBdrive/Path/to/the/secring.gpg
    

    (replace /Volumes/USBdrive/Path/to/the/secring.gpg with the actual path)

  6. save the gpg.conf file

To test, if accessing your secret keys form the USB drive works, open Mail and create a new signed mail which you send to yourself.

If the incoming email is properly signed, your setup is working.