Score:1

Accidentally leaked my main gpg private key!


I only use one gpg key, which I use with pass, which currently holds a ton of password stuff. I also use that key to sign my GitHub commits and a ton of other stuff. I leaked my key by posting my private key, thinking it was my public key, on my GitHub profile (it's been up for a couple of days now, and I just realized it).

I revoked this key on my computer, but how can I revoke it on GitHub so that it still verifies my previous commits but no further ones, since all my GitHub commits since 2020 (about 4k commits) have been verified by this key?

Let's say someone got my private key. If I revoke it on my local PC, does it get revoked on his PC as well? I'm not too experienced with gpg keys and whatnot.

Do you know of any good gpg courses that I can take a look at to get a better understanding of how this stuff works since when I run into an issue, I just google blindly without really understanding what the hell is going on?

Final question, how do I back up my gpg key? Can I just take my ~/.local/share/gnupg folder and shove it into my dotfiles repository, or should I create a private repo specifically for it?

fgrieu
Leaking one's private key is bad, but it's normally passphrase-protected. Depending on passphrase, and on settings at time of key generation/last passphrase change (some dependent on version of PGP/GPG), the protection given can vary from symbolic to fair. Last time I checked (years ago), the best (not default) settings for passphrase-to-key entropy stretching were: `s2k-cipher-algo AES256`, `s2k-digest-algo SHA512`, `s2k-mode 3`, `s2k-count 65011712`. Changing that (or more generally anything one can do) after the private key was leaked can't help for confidentiality of past messages.
Hashem A. Damrah
What are the `s2k-cipher-algo AES256`, `s2k-digest-algo SHA512` `s2k-mode 3` `s2k-count 65011712` stuff? I'm pretty new to all this stuff. Also, I just went ahead and revoked that leaked gpg key and generated a new one, since I wasn't sure what the best move was.
fgrieu
`s2k-cipher-algo AES256`, `s2k-digest-algo SHA512`, `s2k-mode 3`, `s2k-count 65011712` are [GPG options](https://www.gnupg.org/gph/en/manual/r1172.html) which control the amount and nature of the work performed to transform a passphrase into the key used to encipher a private key file when not in use. These options can be added in your gpg.conf file, one per line. They apply to passphrases for new keys, and changes of passphrases for existing keys. If you use a GUI on top of GPG, refer to its documentation for how to pass these options.
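The following POSIX shell script is an added example, not code from the thread or from any of its participants. It puts the four s2k lines above into a gpg.conf inside a throwaway GNUPGHOME, generates a disposable key there, checks the armor header of a public export against that of a secret export (the OP's mistake was pasting the block that begins `PRIVATE KEY BLOCK`), then imports the revocation certificate that GnuPG 2.1+ writes at key creation and shows gpg now reporting the key as revoked. Two caveats a practitioner should know: with GnuPG 2.1 and later, secret keys in the keyring are protected by gpg-agent, so the gpg.conf s2k options govern `--symmetric` output and `--export-secret-keys` output, while the at-rest work factor is set in gpg-agent.conf; and a revocation only takes effect in the keyrings that import it, which is why you publish the certificate (keyserver, GitHub) rather than expecting it to reach someone else's copy of the leaked key. Assumptions: gpg and gpgconf (GnuPG 2.1 or later; 2.2 or later for the `s2k-calibration` agent option) are on PATH; the passphrase, user ID and temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Everything runs under a throwaway
# GNUPGHOME so it never touches your real keyring.
set -eu

# Write the s2k settings from the comment above into gpg.conf under $1.
# In GnuPG 2.1+ these cover --symmetric and --export-secret-keys output;
# keys at rest in the keyring are protected by gpg-agent (gpg-agent.conf).
write_s2k_conf() {
  dir=$1
  mkdir -p "$dir" && chmod 700 "$dir"
  cat > "$dir/gpg.conf" <<'EOF'
s2k-cipher-algo AES256
s2k-digest-algo SHA512
s2k-mode 3
s2k-count 65011712
EOF
  cat > "$dir/gpg-agent.conf" <<'EOF'
# calibrate the agent's passphrase KDF to ~1 s instead of the 100 ms default
# (assumption: GnuPG 2.2 or later; older agents reject unknown options)
s2k-calibration 1000
# lets --passphrase work in --batch mode for the demo below
allow-loopback-pinentry
EOF
  printf '%s\n' "$dir/gpg.conf"
}

# Number of s2k directives in a gpg.conf; 4 once write_s2k_conf has run.
count_s2k_lines() { grep -c '^s2k-' "$1"; }

# Create a disposable key in homedir $1 with passphrase $2; print its fingerprint.
# (Constructed demo user ID; ed25519 primary plus a cv25519 encryption subkey.)
make_demo_key() {
  write_s2k_conf "$1" >/dev/null
  gpg --homedir "$1" --batch --pinentry-mode loopback --passphrase "$2" \
      --quick-generate-key "Demo <demo@example.invalid>" ed25519 default never \
      >/dev/null 2>&1
  gpg --homedir "$1" --batch --with-colons --list-keys 2>/dev/null \
      | awk -F: '$1=="fpr"{print $10; exit}'
}

# First armor line of an export. The only thing safe to paste into a GitHub
# profile is a block whose header says PUBLIC; a PRIVATE header means stop.
export_header() {
  gpg --homedir "$1" --batch --armor --export "$2" 2>/dev/null | sed -n 1p
}
secret_export_header() {
  gpg --homedir "$1" --batch --pinentry-mode loopback --passphrase "$3" \
      --armor --export-secret-keys "$2" 2>/dev/null | sed -n 1p
}

# Import the revocation certificate gpg 2.1+ wrote at key creation and print
# the validity flag gpg now reports for the key ("r" = revoked). Only this
# keyring changes; any other copy of the key is unaffected until it imports too.
revoke_key() {
  rev="$1/openpgp-revocs.d/$2.rev"
  # The .rev file carries a leading ':' on its BEGIN line to prevent accidental
  # import; strip it, exactly as you would before publishing the certificate.
  sed 's/^://' "$rev" > "$1/revoke.asc"
  gpg --homedir "$1" --batch --import "$1/revoke.asc" >/dev/null 2>&1
  gpg --homedir "$1" --batch --with-colons --list-keys "$2" 2>/dev/null \
      | awk -F: '$1=="pub"{print $2; exit}'
}

# Stand-alone run: apply the config, then walk a demo key through revocation.
demo_home=$(mktemp -d)
echo "wrote $(write_s2k_conf "$demo_home") with $(count_s2k_lines "$demo_home/gpg.conf") s2k lines"
if command -v gpg >/dev/null 2>&1; then
  fpr=$(make_demo_key "$demo_home" 'constructed-demo-passphrase')
  echo "public export starts:  $(export_header "$demo_home" "$fpr")"
  echo "secret export starts:  $(secret_export_header "$demo_home" "$fpr" 'constructed-demo-passphrase')"
  echo "validity after importing the revocation certificate: $(revoke_key "$demo_home" "$fpr")"
  gpgconf --homedir "$demo_home" --kill gpg-agent
fi
rm -rf "$demo_home"
```

Run it as a script; on a real keyring the same checks apply with your own fingerprint in place of `$fpr`, and `gpg --export` (no `-secret-`) is the command whose output belongs on GitHub. Note that gpg still reports "Good signature" for signatures made before the revocation, with a warning that the key has since been revoked; what a remote service such as GitHub displays for old commits is up to that service.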