The day when I (almost) lost my keys

All of us do backups (right?), but how many of us really test them? A story of how a bad restore test can fool you.

Once upon a time, I screwed up my GPG keys. Here’s how everything happened.

There are a lot of ways to manage GPG keys, from a simple generate and use on a single machine to a more complex setup like I have.

As we say in Portugal, every monkey on his branch. I have four key pairs in total. The certify key stays on an offline machine while the other ones are stored on my NitroKey (NK) for everyday use.

I need to renew the keys every six months, and the procedure is fairly simple:

  1. Renew
  2. Backup
  3. Move all but the master to the NitroKey
  4. Restore from the backup

This seems like a good plan, right? It did to me, and I even tested the backup in the last step, but the way I did it was totally wrong, since I didn’t test whether I was able to use the private keys.

Last time I had to renew the keys, everything went according to plan and I was happy, until I needed to SSH into a machine. The first thought that came into my head was that I had missed something in step 3, so back to the offline machine and hello! Where are my private keys? I panicked for 1 minute and then I thought “That’s OK, I’ll just log in to every machine using the backup key and replace it with the new one”. And then I really panicked a lot. Do you want to guess what encrypted the backup SSH key?

Yeah, at that moment I lost everything, including passwords and backups.

OK, I thought, let’s roll back every single backup I have of the keys; I just needed one that had the encryption private key. And at last, of all the backups, the first one had all the private keys. I quickly copied it into the NK and voilà, I had access to my passwords and my backups.

After that horror story, I revoked the now privateless keys, created newer ones and published them to keys.openpgp.org.

And now, before I copy the keys into the NK, I restore the backup and check if all private keys are there, just to make sure that the backup is fully working.
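One way to script that check, as an added example that is not the author's own procedure: it imports the backup into a throwaway keyring and fails unless every primary key and subkey has real secret material rather than a missing key or a smartcard stub. It assumes GnuPG 2.1 or later and a backup made with `gpg --export-secret-keys`; the function names and the sample listing are made up for illustration, and it would be called as `verify_backup backup.asc` with `backup.asc` as a placeholder path.

```shell
#!/bin/sh
# Added example (not the author's script). Assumes GnuPG 2.1+ colon output.

# Read `gpg --with-colons --list-secret-keys` on stdin and report, per key,
# whether the secret part is really there. Field 15 of sec/ssb records is
# "+" when the secret key is available, "#" when it is missing, and a card
# serial number when the keyring only holds a stub pointing at a token.
# Returns non-zero if any key is unusable or no secret key is listed.
check_secret_listing() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            seen++
            if ($15 == "+")      state = "present"
            else if ($15 == "#") state = "MISSING"
            else if ($15 == "")  state = "UNKNOWN"
            else                 state = "STUB(card " $15 ")"
            printf "%s %s caps=%s %s\n", $1, $5, $12, state
            if (state != "present") bad++
        }
        END { if (seen == 0 || bad > 0) exit 1 }'
}

# Import an exported-secret-keys file into a throwaway GNUPGHOME and check it.
# Runs in a subshell so GNUPGHOME and the trap never leak into the caller.
verify_backup() (
    tmp=$(mktemp -d) || exit 2
    chmod 700 "$tmp"
    export GNUPGHOME="$tmp"
    trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$tmp"' EXIT
    gpg --batch --quiet --import "$1" || exit 2
    gpg --batch --with-colons --list-secret-keys | check_secret_listing
)

# Constructed sample: certify key missing, signing key present, encryption
# key only a smartcard stub (key IDs and card serial are made up).
sample_listing() {
    cat <<'EOF'
sec:u:4096:1:1111111111111111:1700000000:1715000000::u:::cC:::#:::23::0:
ssb:u:4096:1:2222222222222222:1700000000:1715000000:::::s:::+:::23:
ssb:u:4096:1:3333333333333333:1700000000:1715000000:::::e:::D2760001240103040000000000010000:::23:
EOF
}
```

This only proves the secret material is present in the backup; a sign or decrypt round trip with the passphrase is a separate check that the keys are usable.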

Remember kids, a non-tested backup is not a backup!