When you encounter a hard disk crash like I did recently (my fault - dropped my laptop), one of the most important files to restore is your GnuPG private key ring or at least a revocation certificate for your public key(s). I did not have any backup :-(. But at least I had created a revocation certificate, which was now hidden somewhere on my unmountable partition. Scalpel, a file carving tool, helped me out. There is a Ubuntu package (and I believe there should be packages for most distributions):
sudo apt-get install scalpel
It’s configuration is in /etc/scalpel/scalpel.conf. It offers some GPG related rules, but none for a revocation certificate. I used these rules:
revoc y 100000 -----BEGIN\040PGP\040PUBLIC\040KEY\040BLOCK-----\x0aVersion:\040GnuPG\040v1.4.10\040(GNU/Linux)\x0aComment:\040A\040revocation\040certificate\040should\040follow
revoc y 100000 -----BEGIN\040PGP\040PUBLIC\040KEY\040BLOCK-----\x0aVersion:\040GnuPG\040v1.4.9\040(GNU/Linux)\x0aComment:\040A\040revocation\040certificate\040should\040follow
revoc y 100000 -----BEGIN\040PGP\040PUBLIC\040KEY\040BLOCK-----\x0aVersion:\040GnuPG\040v1.4.8\040(GNU/Linux)\x0aComment:\040A\040revocation\040certificate\040should\040follow
I wasn’t quite sure which version of GPG I had installed at the time I created the keys, so I created rules for all possible versions. (See manpage for syntax explanation.)
It took about 2 hours to scan the image of my 250 GB hard drive and scalpel successfully restored my revocation certificate.
I also tried some of the supplied rules but I think they are not suitable for restoring files from an image of a whole hard drive. (Most of them just look for two bytes that mark the beginning of the file.)
