Remove key from an encrypted file?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Wed Oct 6 21:04:03 CEST 2010


On 10/06/2010 01:19 PM, Benjamin Bressman wrote:
> If I use GnuPG to encrypt a file with multiple keys is it possible to
> remove one of those keys at a later date?

it's possible, but it's a bit clumsy.  you could use gpgsplit to handle
the situation:

 mkdir cleandir
 cd cleandir
 gpgsplit < $message
 rm 00000X-001.pk_enc  (make sure this is the one you want to remove!)
 cat * > $message


if you're not sure which pk_enc packet is the one you want, you can see
which key belongs to which with gpg --list-packets.  If $keyID is the 16
hex-digit ID you want to strip out, then the following should work:

  for foo in *-001.pk_enc ; do
   if [ "$keyID" = \
 $( gpg --list-packets < $foo | grep ^:pubkey | sed 's/.*keyid //' ) ];
   then
     rm "$foo"
   fi
  done

(these scripts are untested -- please test and verify before using them
in production!)

> Let's say I encrypt sensitive information so that three users could
> decrypt it, but one of those users leaves the organization at some
> point. Could I just remove that key's access to the file, or would I
> need to decrypt the file and then re-encrypt it with only the desired keys?

you could also do this, though it would require you knowing one of the keys.

note that neither method will protect you if the user in question has a
local copy of the encrypted file that still has the old info.

> I'm assuming the file encryption is symmetric using a "random" key, and
> then that "random" key is encrypted asymmetrically once for each of the
> multiple keys, but let me know if that's not the case.

yes, this is right.  What you're calling the "random" key is known as
the session key.

Each of the *-001.pk_enc is a "Public-Key Encrypted Session Key Packet":

  http://tools.ietf.org/html/rfc4880#section-5.1

hth,

	--dkg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 900 bytes
Desc: OpenPGP digital signature
URL: </pipermail/attachments/20101006/e5ec37ad/attachment-0001.pgp>


More information about the Gnupg-users mailing list