TL;DR
A secret key deleted from the private-keys-v1.d directory is hard to get back unless you have a backup. Whether anything else works depends on how the files were deleted and on your filesystem and backup setup. This guide walks through the options, roughly in order of how likely they are to work.
Recovering Deleted PGP Secret Keys
- Understand the Situation
  - In GnuPG 2.1 and later, private-keys-v1.d holds one file per secret key component (the primary key and each subkey), named after its keygrip as <keygrip>.key. If you set a passphrase, the key material inside is encrypted with it; otherwise it is stored in the clear.
  - Deleting a key with gpg --delete-secret-keys, or removing the files by hand, removes those files the same way rm does: the filesystem marks the blocks free but does not scrub them. Nothing guarantees they survive either, since the filesystem may reuse them at any time.
  - Recovery chances depend on:
    - How the key was deleted (plain file deletion vs. a secure wipe such as shred).
    - Whether the filesystem or OS keeps snapshots or previous versions.
    - Whether you have backups.
- Check for Backups
  This is the most reliable method.
  - Your own key export: GnuPG does not create backups by itself, so look for an export you made earlier with gpg --export-secret-keys (commonly an .asc or .gpg file, or an archive named something like gpg-backup-YYYYMMDD.tar) in your home directory or a designated backup location. Import it with gpg --import and the secret key is back.
  - System Backups: Check your regular system backups (Time Machine on macOS, Windows Backup or File History, rsync/Bacula on Linux). Restore the GnuPG home directory (usually ~/.gnupg; %APPDATA%\gnupg on Windows) from before the deletion, or just the missing <keygrip>.key file(s) under private-keys-v1.d.
- Filesystem Snapshots / Previous Versions
  If your filesystem or OS keeps snapshots (APFS local snapshots and Time Machine on macOS, Volume Shadow Copies behind "Previous Versions" on Windows, ZFS or btrfs snapshots on Linux), you may be able to pull an older copy of the GnuPG home directory.
  - macOS Time Machine: Enter Time Machine, browse back to a date before the key deletion and restore the whole ~/.gnupg folder (or only private-keys-v1.d).
  - Windows Previous Versions: Right-click the GnuPG home directory (%APPDATA%\gnupg, i.e. C:\Users\YourUsername\AppData\Roaming\gnupg), select 'Properties', then go to the 'Previous Versions' tab. If a shadow copy from before the deletion exists, restore it.
  - Linux snapshots (ZFS, btrfs): list the snapshots taken before the deletion and copy the .key files out of the snapshot's read-only view of your home directory.
- Undelete Tools (Caution: Low Success Rate)
  These tools try to recover files whose blocks have not been reused yet. Results are unreliable, and every write to the affected drive (including installing the tool on it) lowers your chances, so work from a live USB or a second machine and only ever read from the affected disk.
  - TestDisk/PhotoRec: Open-source tools. TestDisk undeletes using filesystem metadata and keeps file names; PhotoRec carves files by content signature and loses the names, so you will have to identify key files by their contents. Both are complex to use, but powerful.
  - Recuva (Windows): A user-friendly undelete tool.
  - extundelete (Linux, ext3/ext4): Install it on the rescue system, not on the affected disk:
    sudo apt install extundelete
    Then run it against the unmounted (or read-only mounted) partition. The path is given relative to that partition's root, and recovered files are written to RECOVERED_FILES/ in the current directory:
    sudo extundelete /dev/sdaX --restore-directory home/yourname/.gnupg/private-keys-v1.d
    (Replace /dev/sdaX with the partition holding your home directory; if /home is its own partition, drop the leading home/ from the path.)
  - Important Notes:
    - Stop writing to the drive as soon as you notice the deletion; every write can overwrite the freed blocks.
    - Undelete tools are more likely to succeed if the filesystem has seen little activity since the deletion.
    - Recovered files may be corrupted or incomplete. Identify key files by content (they contain the token protected-private-key, or private-key if the key had no passphrase), copy them back into private-keys-v1.d under their <keygrip>.key name (gpg --with-keygrip --list-keys prints the keygrips) with mode 600, and confirm with gpg --list-secret-keys that the key is listed as sec rather than sec# (the # means the secret key is still missing).
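An added example that is not code from the original guide, tying the backup and undelete steps above together: it maps a key to the <keygrip>.key files gpg-agent expects in private-keys-v1.d, reports which are missing, and copies them back from a backup copy of the GnuPG home or from a directory of recovered files, without overwriting anything still present. The script name, KEYID and the backup path are placeholders you supply; the keygrip lookup relies on the documented --with-colons "grp" record.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide: find out which of a key's
# secret-key files are missing from private-keys-v1.d and pull them back
# from a backup or undelete-recovered copy of the GnuPG home directory.
set -u

HOMEDIR="${GNUPGHOME:-${HOME:-}/.gnupg}"

# Print the keygrip of every component (primary key and subkeys) of KEYID.
# In --with-colons output each "pub"/"sub" record is followed by a "grp"
# record whose 10th field is the keygrip; that is the file name gpg-agent
# uses (<keygrip>.key). Requires gpg and the public key to be present.
keygrips_for() {
    gpg --batch --with-colons --with-keygrip --list-keys "$1" 2>/dev/null \
        | awk -F: '$1 == "grp" { print $10 }'
}

# Read keygrips from stdin and report "present <grip>" or "missing <grip>"
# for DIR/private-keys-v1.d/<grip>.key.
check_keygrip_files() {
    local dir="$1" grip
    while read -r grip; do
        [ -n "$grip" ] || continue
        if [ -f "$dir/private-keys-v1.d/$grip.key" ]; then
            echo "present $grip"
        else
            echo "missing $grip"
        fi
    done
}

# Copy the key files for the keygrips read from stdin from SRC (a backup or
# a directory of recovered files laid out like a GnuPG home) into LIVE, but
# only where LIVE lacks them, so a key gpg-agent still holds is never
# overwritten. Prints the number of files copied.
restore_missing_from() {
    local live="$1" src="$2" grip n=0
    while read -r grip; do
        [ -n "$grip" ] || continue
        if [ ! -f "$live/private-keys-v1.d/$grip.key" ] \
           && [ -f "$src/private-keys-v1.d/$grip.key" ]; then
            mkdir -p "$live/private-keys-v1.d"
            cp -p "$src/private-keys-v1.d/$grip.key" "$live/private-keys-v1.d/$grip.key"
            chmod 600 "$live/private-keys-v1.d/$grip.key"
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Usage (placeholders): ./check-keys.sh KEYID [BACKUP_GNUPGHOME]
if [ "$#" -ge 1 ]; then
    keygrips_for "$1" | check_keygrip_files "$HOMEDIR"
    if [ "$#" -ge 2 ]; then
        copied=$(keygrips_for "$1" | restore_missing_from "$HOMEDIR" "$2")
        echo "restored $copied file(s); verify with: gpg --list-secret-keys $1"
    fi
fi
```

gpg-agent reads the .key files on demand, so no restart is needed after copying them back; if gpg --list-secret-keys still shows sec# for the key, the file you restored does not belong to that keygrip.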
- Check for Key Revocation Certificates
  A revocation certificate will not bring the key back, but it lets you tell everyone holding your public key that it must no longer be used. That matters here because revoking normally requires the secret key you just lost. GnuPG 2.1 and later write a certificate automatically when a key is created, to ~/.gnupg/openpgp-revocs.d/<FINGERPRINT>.rev (you may also have made one with gpg --gen-revoke). Note that revoking does not let you decrypt anything already encrypted to the lost key.
  - Locate your revocation certificate (usually named something like keyid.rev or <FINGERPRINT>.rev). The auto-generated file has a colon in front of its -----BEGIN PGP PUBLIC KEY BLOCK----- line so it cannot be imported by accident; remove that colon with a text editor first.
  - Import the revocation certificate over the public key still in your keyring:
    gpg --import keyid.rev
    gpg --list-keys keyid should now show the key as revoked.
  - Publish the revocation to the key servers you use, and send the updated public key (gpg --armor --export keyid) to correspondents directly, since not everyone refreshes from key servers:
    gpg --send-keys keyid
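As an added example that is not part of the original guide: the certificate GnuPG 2.1+ writes to openpgp-revocs.d carries a colon in front of its armor header precisely so that gpg --import will not accept it by accident. The script below strips that colon, checks that the file really contains an armor header afterwards (so a wrong file is caught early), and, only when you invoke it with a key ID and gpg is installed, imports the certificate, confirms the key is now listed as revoked, and publishes it. File names and key IDs are placeholders; the revoked-state check relies on the documented --with-colons validity field.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide. Prepares a GnuPG-generated
# revocation certificate (openpgp-revocs.d/<FINGERPRINT>.rev) for import by
# removing the guard colon GnuPG puts in front of the armor header, then
# imports and publishes it. Paths and key IDs are whatever you pass in.
set -u

ARMOR_HEADER='-----BEGIN PGP PUBLIC KEY BLOCK-----'

# Returns 0 if FILE still carries the guard colon (i.e. has not been prepared).
has_guard_colon() {
    grep -q "^:${ARMOR_HEADER}\$" "$1"
}

# Copy IN to OUT with the leading ':' removed from the armor header line.
# Everything else (the explanatory text GnuPG writes above the block, the
# armored data, the END line) is copied unchanged. Returns non-zero if no
# armor header is present afterwards, so a wrong file is rejected.
prepare_revocation_cert() {
    local in="$1" out="$2"
    sed "s/^:${ARMOR_HEADER}\$/${ARMOR_HEADER}/" "$in" > "$out"
    grep -q "^${ARMOR_HEADER}\$" "$out"
}

# Import the prepared certificate over the public key that is still in the
# keyring, confirm the key now lists as revoked, and push it to the key
# server gpg is configured for. Requires gpg; not run unless invoked below.
import_and_publish() {
    local cert="$1" keyid="$2"
    gpg --batch --import "$cert" || return 1
    # --with-colons: a revoked primary key has 'r' in the validity field (2).
    gpg --batch --with-colons --list-keys "$keyid" \
        | awk -F: '$1 == "pub" && $2 == "r" { found = 1 } END { exit !found }' || {
        echo "key $keyid is not marked revoked; check you used the right certificate" >&2
        return 1
    }
    gpg --batch --send-keys "$keyid"
}

# Usage (placeholders): ./revoke.sh ~/.gnupg/openpgp-revocs.d/<FINGERPRINT>.rev KEYID
if [ "$#" -ge 2 ]; then
    tmp=$(mktemp)
    if prepare_revocation_cert "$1" "$tmp" && import_and_publish "$tmp" "$2"; then
        # Also hand the revoked public key to correspondents who do not use
        # key servers; the output file name is just an example.
        gpg --batch --armor --export "$2" > "$2-revoked.asc"
        echo "revocation published; send $2-revoked.asc to your correspondents"
    fi
    rm -f "$tmp"
fi
```

Keep the original .rev file untouched and work on the copy: if the file in openpgp-revocs.d ever loses its colon, a stray gpg --import would revoke a perfectly good key.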
- Generate a New Key
  If recovery fails, generating a new key pair is the safest option, and usually the most practical one. Data already encrypted to the old key stays unreadable; ask correspondents to re-send anything you still need, encrypted to the new key.
  - gpg --full-gen-key
    Follow the prompts to create a new key pair (gpg --gen-key also works, with fewer questions).
  - Back up the new secret key right away: gpg --export-secret-keys --armor keyid, with the output saved somewhere offline, and keep the revocation certificate GnuPG writes to ~/.gnupg/openpgp-revocs.d alongside it.