Magic numbers for keyring files?

David Shaw dshaw at
Wed Sep 25 17:46:03 CEST 2013

On Sep 25, 2013, at 9:18 AM, "Robert J. Hansen" <rjh at> wrote:

> I'm working on adding support for GnuPG keyrings to a file carver (a
> forensic tool that recovers data from damaged filesystems, or recovers
> things that have been deleted but not overwritten).  Detecting an
> ASCII-armored keyblock is pretty easy: look for the "BEGIN PGP PUBLIC"
> header.  Binary, though, is still an unsolved question.
> Before I start diving into code to find out if the keyring has a
> specific binary header I can detect, I figured I'd ask on-list.  :)
> Does anyone know of any magic numbers for GnuPG keyring files?

Do you mean OpenPGP keyrings (i.e. "transferable public/secret keys", a la RFC-4880)?  If so, it's statistical magic only.  There are binary headers you can look for that don't quite ensure it's a OpenPGP keyring, but can leave you fairly confident.

Take a look at the "file" magic database as a start.  It's not 100%, but should get you going.


More information about the Gnupg-users mailing list