Blog | G5 Cyber Security

Check Ubuntu PGP Key Integrity

TL;DR

Someone might have swapped your trusted PGP keys in Ubuntu if you’ve been targeted by a sophisticated attacker. This guide shows how to check if your keys are still valid and haven’t been replaced.

Checking Your PGP Keys

  1. List Your Current Keys: First, see what keys are currently registered with your user account.
    gpg --list-secret-keys --keyid-format LONG

    This lists every key for which you hold a private key, together with the public key ID (a long hexadecimal string) of its primary key and subkeys. Pay attention to the Key ID of each key you expect to be there.

  2. Verify Fingerprints: The most important step is comparing the fingerprints of your keys with known good copies.
    • From a Trusted Source: Obtain the fingerprints from where you originally got the keys (e.g., a website, a trusted friend, key server records *you* previously verified).
    • Using gpg --fingerprint: Display the fingerprint of each key.
      gpg --fingerprint <key_id>

      Replace <key_id> with the actual Key ID you found in step 1.

    • Compare Carefully: Manually compare the fingerprint output to your trusted source. Even a single character difference means something is wrong!
  3. Check Key Server Records (with caution): You can check key servers, but these are not always reliable as they can be compromised.
    gpg --keyserver hkps://keys.openpgp.org --recv-keys <key_id>

    Replace <key_id> with the Key ID. Then, use gpg --fingerprint <key_id> again and compare to your trusted source.

    Important: Don’t rely solely on key servers for verification.

  4. Review Your Trust Model: Look at whose keys you have signed. If someone you don’t trust has signed a key that then signs *your* key, it could indicate compromise.
    gpg --list-sigs
    gpg --export-ownertrust

    The first command lists the certification signatures on every key in your keyring (who has signed whom); the second lists the trust values you have assigned. Together they show your web of trust and which keys you’ve directly or indirectly trusted.

  5. Check for Unexpected Subkeys: Attackers sometimes add subkeys to a compromised key without changing the main key, making detection harder.
    gpg --list-secret-keys --keyid-format LONG --with-subkey-fingerprint

    Subkeys appear on the ssb lines beneath the sec line of their primary key. Examine the output carefully for any subkeys you didn’t create, comparing each subkey’s full fingerprint (not just its short ID) against your records.

  6. If You Suspect Compromise:
    • Revoke Your Key: Immediately revoke your compromised key. gpg has no single revoke switch; you generate a revocation certificate and import it into your keyring, then publish the revoked key wherever your public key is distributed (for example with gpg --send-keys).
      gpg --output revoke.asc --gen-revoke <key_id>
      gpg --import revoke.asc
    • Generate a New Key Pair: Create a completely new PGP key pair.
    • Inform Contacts: Tell anyone who uses your public key that it has been compromised and provide them with the fingerprint of your new key.
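As an added example (not code from the original post), the following Python script mechanises steps 2 and 5: it parses the machine-readable listing that gpg produces with --with-colons and compares every primary-key and subkey fingerprint against a manifest you recorded from a trusted source. The sample listing and manifest are constructed; on a real system you would feed it the output of gpg --list-secret-keys --with-colons --with-subkey-fingerprint.

```python
# Constructed sample of `gpg --list-secret-keys --with-colons --with-subkey-fingerprint`
# output: the primary key matches the manifest, but the second subkey (BAD0...,
# a signing subkey added later) was never generated by the owner.
SAMPLE_LISTING = """\
sec:u:4096:1:1234567890ABCDEF:1600000000:::u:::scESC:::+:::23::0:
fpr:::::::::AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555:
uid:u::::1600000000::0000000000000000000000000000000000000000::Alice Example <alice@example.invalid>::::::::::0:
ssb:u:4096:1:0011223344556677:1600000000::::::e:::+:::23:
fpr:::::::::6666FFFF7777000088881111999922220000AAAA:
ssb:u:4096:1:8899AABBCCDDEEFF:1700000000::::::s:::+:::23:
fpr:::::::::BAD0BAD0BAD0BAD0BAD0BAD0BAD0BAD0BAD0BAD0:
"""

# Constructed manifest recorded at key generation and verified out of band (step 2):
# primary fingerprint -> the subkey fingerprints it should carry.
TRUSTED = {
    "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555": {"6666FFFF7777000088881111999922220000AAAA"},
}

def parse_listing(text):
    """Return {primary_fpr: [subkey_fpr, ...]}. In colon output an 'fpr' record belongs
    to the 'sec'/'pub' or 'ssb'/'sub' record just before it; field 10 is the fingerprint."""
    keys, primary, pending = {}, None, None
    for line in text.splitlines():
        f = line.split(":")
        if f[0] in ("sec", "pub"):
            pending = "primary"
        elif f[0] in ("ssb", "sub"):
            pending = "sub"
        elif f[0] == "fpr" and pending == "primary":
            primary, pending = f[9], None
            keys[primary] = []
        elif f[0] == "fpr" and pending == "sub" and primary:
            keys[primary].append(f[9])
            pending = None
    return keys

def audit(keys, trusted):
    """Return findings; an empty list means the keyring matches the manifest exactly."""
    findings = []
    for primary, subs in keys.items():
        if primary not in trusted:
            findings.append(f"primary key {primary} not in trusted manifest (replaced?)")
            continue
        findings += [f"unexpected subkey {s} under {primary}" for s in subs if s not in trusted[primary]]
    findings += [f"trusted key {p} missing from keyring" for p in trusted if p not in keys]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse_listing(SAMPLE_LISTING), TRUSTED) or ["keyring matches manifest"]))
```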

Important Considerations
