July 7

Forensics: How to find the public key used to encrypt a file

When coming across encrypted files you may have a need to see what key was used to encrypt the file.  Although this does not help you decrypt the file it can possibly provide a small piece of a much larger story.

The easy way is to use gpg -vv then your file name:


gpg -vv mytest.gpg

:pubkey enc packet: version 3, algo 1, keyid E4805172EBD35C7D
data: [4096 bits]
gpg: public key is EBD35C7D
:encrypted data packet:
length: 76
mdc_method: 2
gpg: encrypted with RSA key, ID EBD35C7D
gpg: decryption failed: secret key not available

If you are unfortunate enough not to have access to gpg you can also use a base64 encoder and a hex editor.  If you have both of these you are probably not using Windows and already have gpg, but lets have some fun for learning sake.  There are several ways to approach this.
The simplest it to make a copy of the file:
cp mytest.gpg copy-mytest.gpg

Encode the file
base64 copy-mytest.gpg

Use xxd or your favorite hex editor to look at the first 17th – 24th byte.
00000000: 8502 0c03 e480 5172 ebd3 5c7d 0110 00d7  ……Qr..}….



Copyright 2021. All rights reserved.

Posted July 7, 2016 by Timothy Conrad in category "Forensics

About the Author

If I were to describe myself with one word it would be, creative. I am interested in almost everything which keeps me rather busy. Here you will find some of my technical musings. Securely email me using - PGP: 4CB8 91EB 0C0A A530 3BE9 6D76 B076 96F1 6135 0A1B