Techpository

A Better Technical Repository

Forensics: How to find the public key used to encrypt a file

When you come across encrypted files, you may need to see which key was used to encrypt them. Although this does not help you decrypt the file, it can provide a small piece of a much larger story.

The easy way is to run gpg -vv followed by the file name, e.g.:

gpg -vv mytest.gpg

which prints the packet details, including the key ID:

:pubkey enc packet: version 3, algo 1, keyid E4805172EBD35C7D
data: [4096 bits]
gpg: public key is EBD35C7D
:encrypted data packet:
length: 76
mdc_method: 2
gpg: encrypted with RSA key, ID EBD35C7D
gpg: decryption failed: secret key not available

If you are unfortunate enough not to have access to gpg, you can also use a base64 encoder and a hex editor. If you have both of these you are probably not using Windows and already have gpg, but let's have some fun for learning's sake. There are several ways to approach this.

The simplest is to make a copy of the file:

cp mytest.gpg copy-mytest.gpg

Encode the file:

base64 copy-mytest.gpg

Use xxd or your favorite hex editor to look at the 17th to 24th bytes:

00000000: 8502 0c03 e480 5172 ebd3 5c7d 0110 00d7  ......Qr..\}....
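As an added worked example (not code from the original post), here is a small Python parser that does by program what the hex-editor step does by eye: it decodes the OpenPGP packet header, finds each Public-Key Encrypted Session Key packet (tag 1), and pulls out the 8-byte key ID that sits right after the 3-byte packet header and the version byte in the dump above. The 16 bytes from the post's xxd line are used as sample input; the second, two-recipient sample and its key ID 0123456789ABCDEF are constructed for illustration.

```python
"""Recover the recipient key ID(s) from a binary OpenPGP (.gpg) file.

Added example, not from the original post. It parses the packet headers of
RFC 4880 section 4.2 and the Public-Key Encrypted Session Key packet (tag 1)
of section 5.1, whose body is: version(1) | key ID(8) | algorithm(1) | MPIs.
"""
import struct

# Public-key algorithm IDs (RFC 4880 section 9.1); gpg printed "algo 1" above.
PUBKEY_ALGOS = {1: "RSA (Encrypt or Sign)", 2: "RSA Encrypt-Only",
                16: "Elgamal (Encrypt-Only)", 18: "ECDH"}

TAG_PKESK = 1     # Public-Key Encrypted Session Key
TAG_SYM_ENC = 9   # Symmetrically Encrypted Data (no integrity protection)
TAG_SEIPD = 18    # Sym. Encrypted Integrity Protected Data (gpg: "mdc_method: 2")


def parse_packet_header(data, offset=0):
    """Return (tag, body_offset, body_length) for the packet at `offset`.

    body_length is None for an old-format indeterminate-length packet.
    """
    ctb = data[offset]
    if not ctb & 0x80:
        raise ValueError("byte is not a packet tag; ASCII-armored input? "
                         "run `gpg --dearmor` first")
    if ctb & 0x40:  # new-format header: tag in the low 6 bits
        tag = ctb & 0x3F
        first = data[offset + 1]
        if first < 192:
            length, hdr = first, 2
        elif first < 224:
            length, hdr = ((first - 192) << 8) + data[offset + 2] + 192, 3
        elif first == 255:
            length, hdr = struct.unpack(">I", data[offset + 2:offset + 6])[0], 6
        else:
            raise ValueError("partial body lengths are not handled in this example")
    else:  # old-format header: tag in bits 2-5, length type in bits 0-1
        tag = (ctb >> 2) & 0x0F
        ltype = ctb & 0x03
        if ltype == 0:
            length, hdr = data[offset + 1], 2
        elif ltype == 1:  # 0x85 in the dump above: tag 1, two-byte length
            length, hdr = struct.unpack(">H", data[offset + 1:offset + 3])[0], 3
        elif ltype == 2:
            length, hdr = struct.unpack(">I", data[offset + 1:offset + 5])[0], 5
        else:
            length, hdr = None, 1
    return tag, offset + hdr, length


def parse_pkesk(body):
    """Decode the fixed fields of a tag-1 packet body (the MPIs are not needed)."""
    version = body[0]
    if version != 3:
        raise ValueError(f"unexpected PKESK version {version}")
    keyid = body[1:9].hex().upper()
    algo = body[9]
    return {
        "version": version,
        "keyid": keyid,
        "short_keyid": keyid[-8:],  # what "gpg: public key is ..." prints
        "algo": algo,
        "algo_name": PUBKEY_ALGOS.get(algo, f"unknown ({algo})"),
        # All-zero key ID: sender hid the recipient (gpg --throw-keyids).
        "anonymous": keyid == "0" * 16,
    }


def find_recipient_keys(data):
    """Walk the leading packets and return one record per PKESK packet.

    A file encrypted to several recipients carries one tag-1 packet each,
    all ahead of the encrypted-data packet.
    """
    found, offset = [], 0
    while offset < len(data):
        tag, body_off, length = parse_packet_header(data, offset)
        if tag == TAG_PKESK:
            found.append(parse_pkesk(data[body_off:body_off + 10]))
        if tag in (TAG_SYM_ENC, TAG_SEIPD) or length is None:
            break  # ciphertext follows; nothing more to learn from the header
        offset = body_off + length
    return found


# Constructed sample 1: the 16 bytes shown in the post's xxd dump.
PAGE_SAMPLE = bytes.fromhex("85020c03e4805172ebd35c7d011000d7")

# Constructed sample 2: a fake two-recipient message with tiny (invalid) MPIs
# followed by an empty SEIPD packet; the second key ID is made up.
TWO_RECIPIENTS = (
    bytes([0x84, 13]) + b"\x03" + bytes.fromhex("E4805172EBD35C7D") + b"\x01"
    + bytes.fromhex("0008AB")
    + bytes([0x84, 16]) + b"\x03" + bytes.fromhex("0123456789ABCDEF") + b"\x10"
    + bytes.fromhex("0008AB0008CD")
    + bytes([0xD2, 3]) + b"\x01\x00\x00"
)

if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, TWO_RECIPIENTS):
        for rec in find_recipient_keys(sample):
            print(f"encrypted with {rec['algo_name']} key, ID {rec['short_keyid']} "
                  f"(long ID {rec['keyid']}, anonymous={rec['anonymous']})")
```

The short ID gpg prints (EBD35C7D) is just the low 32 bits of the 64-bit key ID, which for v4 keys is the low 64 bits of the fingerprint; either form is a lookup handle that names the recipient key, not proof of who holds it. Messages produced with gpg --throw-keyids carry an all-zero key ID, so check the anonymous flag before drawing conclusions from a blank ID. Armored (.asc) input must be dearmored first, which the parser signals instead of silently misreading the text.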