dmshaw / paperkey

Print an OpenPGP key on paper for archive and recovery
GNU General Public License v2.0

How to manually recover a secret key without the paperkey program? #1

Open flyinggreenfrog opened 3 years ago

flyinggreenfrog commented 3 years ago

Out of curiosity I wanted to test the manual restore of a secret key without the paperkey program. From the paperkey backup explanation:

```
# To recover a secret key without using the paperkey program, use the
# key fingerprint to match an existing public key packet with the
# corresponding secret data from the paper key.  Next, append this secret
# data to the public key packet.  Finally, switch the public key packet tag
# from 6 to 5 (14 to 7 for subkeys).  This will recreate the original secret
# key or secret subkey packet.  Repeat as needed for all public key or subkey
# packets in the public key.  All other packets (user IDs, signatures, etc.)
# may simply be copied from the public key.
```

But how do I really do that? What format does the existing public key packet have to be in, so that I can edit it by hand and add the secret key data?

rjhwelsh commented 3 years ago

Hi, I've never done this before but... out of curiosity I had a crack.

TLDR; (compare for yourself, not sure about the packet tag)

```
# Print one octet per line as two hex digits, so diff lines up octet by octet
alias hexdump="hexdump -ve '1/1 \"%02x\n\" ' "
hexdump public.key.gpg > a ; hexdump private.key.gpg > b ; diff a b
```

It may not be immediately clear, but you can find your fingerprint in the data. (From gpg -K --fingerprint). If you compare the diff with your paperkey, you will notice it follows the format as stated...:

a) Version of paperkey
b) OpenPGP key version
c) Key fingerprint (N octets)
d) 16-bit endian length of secret data (2 octets)
e) secret data

The diff is almost identical, except the first few differences you will notice are the "packet tag" which the OpenPGP implementation uses as a header, identifying whether the file is a public key, private key, encrypted data, etc; and how long the PGP packet is.

Following that is secret data, verbatim from diff to paper key it is identical. Just make sure you take into account (d) which is how long each packet goes for. The pattern repeats from b) - e) for each of your subkeys.

The thing that caught me out is I'm not sure exactly about how to switch out the packet tag, and what the differences are between old and new versions of the format. So how to do this manually is not yet confirmed for me.

Check out https://tools.ietf.org/html/rfc4880 for very detailed information about the format itself.
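The procedure quoted from the paperkey output, as an added Python example (not code from paperkey or from either commenter): the tag lives in the first header octet, and because the body grows by the appended secret data, the length field has to be rewritten along with the tag. Assumptions: binary (not ASCII-armored) version 4 keys, with the header layout and fingerprint rule of RFC 4880; the function names and the `secrets` mapping (fingerprint from field c to secret data from field e) are hypothetical.

```python
import hashlib

PUB_TO_SEC = {6: 5, 14: 7}  # public key -> secret key, public subkey -> secret subkey

def read_packet(buf, off):
    """Parse one packet header (RFC 4880, 4.2). Returns (tag, body, next_offset)."""
    first = buf[off]
    if not first & 0x80:
        raise ValueError("not a binary OpenPGP packet (dearmor the key first)")
    if first & 0x40:  # new format: tag is the low 6 bits
        tag, l0 = first & 0x3F, buf[off + 1]
        if l0 < 192:
            n, hdr = l0, 2
        elif l0 < 224:
            n, hdr = ((l0 - 192) << 8) + buf[off + 2] + 192, 3
        elif l0 == 255:
            n, hdr = int.from_bytes(buf[off + 2:off + 6], "big"), 6
        else:
            raise ValueError("partial body lengths are not handled")
    else:  # old format: tag is bits 5-2, length type is bits 1-0
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length is not handled")
        size = 1 << ltype  # 1, 2 or 4 length octets
        n, hdr = int.from_bytes(buf[off + 1:off + 1 + size], "big"), 1 + size
    end = off + hdr + n
    if end > len(buf):
        raise ValueError("truncated packet")
    return tag, buf[off + hdr:end], end

def write_old_packet(tag, body):
    """Old-format header (tags 0-15 only) with the shortest length field that fits."""
    ltype = 0 if len(body) < 0x100 else 1 if len(body) < 0x10000 else 2
    return bytes([0x80 | (tag << 2) | ltype]) + len(body).to_bytes(1 << ltype, "big") + body

def v4_fingerprint(pub_body):
    """SHA-1 of 0x99, 2-octet big-endian length, public key packet body (RFC 4880, 12.2)."""
    return hashlib.sha1(b"\x99" + len(pub_body).to_bytes(2, "big") + pub_body).digest()

def rebuild_secret_key(public_key, secrets):
    """secrets (hypothetical layout): {fingerprint bytes: secret data from the paper key}."""
    out, off = b"", 0
    while off < len(public_key):
        start = off
        tag, body, off = read_packet(public_key, off)
        if tag in PUB_TO_SEC:
            out += write_old_packet(PUB_TO_SEC[tag], body + secrets[v4_fingerprint(body)])
        else:
            out += public_key[start:off]  # user IDs, signatures, etc. copied unchanged
    return out
```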