Find GnuPG revocation certificate on unmountable partition

Posted by Moser on 06 Jul 2010

When you encounter a hard disk crash like I did recently (my fault - dropped my laptop), one of the most important files to restore is your GnuPG private key ring or at least a revocation certificate for your public key(s). I did not have any backup :-(. But at least I had created a revocation certificate, which was now hidden somewhere on my unmountable partition. Scalpel, a file carving tool, helped me out. There is an Ubuntu package (and I believe there should be packages for most distributions):

sudo apt-get install scalpel

Its configuration is in /etc/scalpel/scalpel.conf. It offers some GPG-related rules, but none for a revocation certificate. I used these rules:

revoc	y	100000	-----BEGIN\040PGP\040PUBLIC\040KEY\040BLOCK-----\x0aVersion:\040GnuPG\040v1.4.10\040(GNU/Linux)\x0aComment:\040A\040revocation\040certificate\040should\040follow
revoc	y	100000	-----BEGIN\040PGP\040PUBLIC\040KEY\040BLOCK-----\x0aVersion:\040GnuPG\040v1.4.9\040(GNU/Linux)\x0aComment:\040A\040revocation\040certificate\040should\040follow
revoc	y	100000	-----BEGIN\040PGP\040PUBLIC\040KEY\040BLOCK-----\x0aVersion:\040GnuPG\040v1.4.8\040(GNU/Linux)\x0aComment:\040A\040revocation\040certificate\040should\040follow

I wasn’t quite sure which version of GPG I had installed at the time I created the keys, so I created rules for all possible versions. (See manpage for syntax explanation.)

It took about 2 hours to scan the image of my 250 GB hard drive and scalpel successfully restored my revocation certificate.

I also tried some of the supplied rules but I think they are not suitable for restoring files from an image of a whole hard drive. (Most of them just look for two bytes that mark the beginning of the file.)
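The rules above define only a header, so a carved file can run on to the 100000-byte maximum and contain unrelated disk content after the certificate. The following is an added example, not part of the original post: it trims a carved file to its armor block, checks the armor CRC-24, and confirms the first packet is a key revocation signature (type 0x20). The function names are hypothetical, and the carved files are assumed to be passed as command-line arguments.

```python
import base64, re, sys

ARMOR = re.compile(rb"-----BEGIN PGP PUBLIC KEY BLOCK-----\r?\n(.*?)"
                   rb"-----END PGP PUBLIC KEY BLOCK-----", re.S)

def crc24(data):
    """CRC-24 used for the '=XXXX' armor checksum (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def sig_type(pkt):
    """Signature type of the first packet, or None if it is not a signature."""
    if len(pkt) < 8 or not pkt[0] & 0x80:
        return None
    if pkt[0] & 0x40:                       # new-format packet header
        tag, n = pkt[0] & 0x3F, pkt[1]
        hdr = 3 if 192 <= n < 224 else 6 if n == 255 else 2
    else:                                   # old-format header (GnuPG 1.4)
        tag, hdr = (pkt[0] >> 2) & 0x0F, 1 + (1, 2, 4, 0)[pkt[0] & 3]
    if tag != 2:                            # tag 2 = signature packet
        return None
    body = pkt[hdr:]
    return body[1] if body[0] >= 4 else body[2]   # v4: byte 1, v3: byte 2

def extract_revocation(blob):
    """Trim a carved blob to its armor block; None unless CRC and type match."""
    m = ARMOR.search(blob)
    if not m:
        return None
    # Armor headers (Version:, Comment:) end at the first blank line.
    _, sep, body = (b"\n" + m.group(1).replace(b"\r", b"")).partition(b"\n\n")
    lines = [l.strip() for l in body.split(b"\n") if l.strip()]
    if not sep or len(lines) < 2 or not lines[-1].startswith(b"="):
        return None
    try:
        data = base64.b64decode(b"".join(lines[:-1]), validate=True)
        check = base64.b64decode(lines[-1][1:], validate=True)
    except ValueError:
        return None
    if int.from_bytes(check, "big") != crc24(data) or sig_type(data) != 0x20:
        return None
    return m.group(0) + b"\n"

if __name__ == "__main__":                  # arguments: carved files to check
    for path in sys.argv[1:]:
        cert = extract_revocation(open(path, "rb").read())
        print(path, "revocation certificate" if cert else "rejected")
```

A block that passes is structurally intact; the signature itself is only verified when GnuPG imports the certificate.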