Need help with decrypting files

I have used GpgEX for a while now to encrypt files on my computer. A recent meltdown of Windows forced me to re-install, and now I cannot decrypt any of my previously encrypted files. I believe the problem is I don’t have my previous certificate open. I have searched for the certificate, but I don’t really know what I am looking for. Help!

Did you remember to make a backup copy of your private key before the meltdown and store it somewhere safe?

If so, just reinstall GPG and import the key.

If not…well…I’m afraid all is probably lost. :frowning:

I did not back anything up. Where is the file that I should have backed up? I have a pretty complete backup of the hard drive, can I find it there somewhere?

In Windows, the default installation directory for the keyring is:

C:\Users\Owner\AppData\Roaming\gnupg

The files you need are:

pubring.gpg
secring.gpg
trustdb.gpg

Copy* these three files to the same location on your new OS installation. That should do it. Good Luck! Let us know how it turns out.

Regards,
Sean C.

*If you have not created any new keys since the crash, you can overwrite the old files. Otherwise, you probably want to merge them.
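An added example, not part of the original posts: one way to search a restored backup tree for the three keyring files named above and check that each `secring.gpg` actually begins with an OpenPGP secret-key packet before copying it over. The directory names and sample bytes in `demo()` are constructed for illustration, and the script looks only for the file names listed in the post.

```python
import tempfile
from pathlib import Path

# File names from the post above (classic GnuPG keyring layout).
KEYRING_FILES = {"pubring.gpg", "secring.gpg", "trustdb.gpg"}
# First byte of an OpenPGP key packet (RFC 4880, section 4.2): old format is
# 0x80 | (tag << 2) | length-type, new format is 0xC0 | tag.
SECRET_KEY_TAGS = {0x94, 0x95, 0x96, 0xC5}  # tag 5, Secret-Key packet
PUBLIC_KEY_TAGS = {0x98, 0x99, 0x9A, 0xC6}  # tag 6, Public-Key packet


def classify(path):
    """Name the OpenPGP packet type announced by the file's first byte."""
    with open(path, "rb") as fh:
        first = fh.read(1)
    if first and first[0] in SECRET_KEY_TAGS:
        return "secret-key packet"
    if first and first[0] in PUBLIC_KEY_TAGS:
        return "public-key packet"
    return "other" if first else "empty"


def find_keyrings(backup_root):
    """Map each directory holding keyring files to {file name: packet kind}."""
    found = {}
    for p in Path(backup_root).rglob("*.gpg"):
        if p.is_file() and p.name in KEYRING_FILES:
            found.setdefault(str(p.parent), {})[p.name] = classify(p)
    return found


def usable(entry):
    """True when the directory's secring.gpg starts with a secret-key packet."""
    return entry.get("secring.gpg") == "secret-key packet"


def demo():
    """Scan a constructed backup tree (sample bytes, not real key material)."""
    root = Path(tempfile.mkdtemp())
    samples = {"profile_a/gnupg": b"\x95\x03\xbe\x04", "profile_b/gnupg": b""}
    for rel, secret in samples.items():
        (root / rel).mkdir(parents=True)
        (root / rel / "secring.gpg").write_bytes(secret)
        (root / rel / "pubring.gpg").write_bytes(b"\x99\x01\x0d\x04")
    return root, find_keyrings(root)


if __name__ == "__main__":
    for directory, files in demo()[1].items():
        print(directory, files, "usable" if usable(files) else "no secret key")
```

To scan a real backup, call `find_keyrings()` with the path where the backup is mounted; a directory whose `secring.gpg` is reported as "empty" or "other" will not restore the private key.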

Thank you, you are a life saver. I did not find the files along the path you specified (no roaming) but I did find them and all is recovered.

This raises a question: The whole reason I do this is to secure personal information on our computer. I read somewhere else on the forum where using GnuPG to encrypt files on the same computer is not secure, and I think I can see why. If a hacker were to access my hard drive, he could get my private keys and then decrypt my files - assuming he had the passphrase. So, the encryption is compromised, right? Now only the passphrase stands in the way, which is much less than PGP normally does? What would be the right way to do this?

First of all, let me say congratulations on being a mindful PC user by making a backup and getting all of your data back! :slight_smile: I’m truly glad to hear it!

Second, to answer your question about encrypting files on the same PC that your key is on: you’re absolutely right. If an attacker gains physical access to your computer in general, you’re in trouble. All kinds of malicious stuff can be done with physical access. It’s a security nightmare and should be guarded against at all costs. Having said that, I give a nod to Murphy and his famous law.

One solution I have used is to store your keyring (or at least part of it) on some type of removable media, such as a USB stick. GPG can be instructed to add the keyring with the command:

C:\>gpg --keyring pubring.gpg --secret-keyring secring.gpg <add’l options>

So, for example:

C:\>gpg --keyring F:\Keys\pubring.gpg --secret-keyring F:\Keys\secring.gpg -u John -b message.txt

…would detach-sign a file named “message.txt” with John’s key, obtained from the folder “Keys” on a device labeled "F:".

To exclude the default directory, you can include the “--no-default-keyring” option.

The way I went about it was to generate the keys, then copy the contents of the ~\gnupg folder to the removable media, then selectively delete private/public keys from both directories to end up with some keys only stored on the removable drive. I suppose one could generate the keys directly on the USB, I just haven’t tried it yet.

I haven’t found a way to do this through Kleopatra or GPA yet. And, as always, you should still make a backup of the keys on a medium that’s safe for long-term storage and tuck it away somewhere safe. :wink:

Cheers,
Sean C.

For a tool to bury this problem for a single-person machine, investigate TrueCrypt. With it you can encrypt a file, folder, partition, or drive to include your boot drive.
There may be other tools that would allow you to craft a solution to your security concern, but none better.

Yes, TrueCrypt is a great encryption solution. Conveniently, it ‘mounts’ encrypted volumes (files) as drives, and allows you to specify the letter used as the label.

This means you can use the example I gave earlier to retrieve keys from an encrypted file on the fly quite easily.

Regards,
Sean C.

I would like to add (ad ?) a few advantages of TrueCrypt:

  • it also allows you to encrypt your whole system disc (great for laptops),
  • AND the best of it : you can create TWO protected partitions. One you may disclose “under stress”, and one that is TRULY secret. See http://www.truecrypt.org/docs/hidden-volume.