Skip to main content

I'm an idiot: forgotten GPG passphrase

Since nobody was using my GPG key, this doesn't matter to anybody right now. However, it may be relevant to people wanting to send me encrypted email in the future. I forgot my GPG passphrase, so I generated a new one.

Lost key:

pub   1024D/AB00B807 2008-10-11
uid                   Graham Percival
sub   2048g/2BAF95B3 2008-10-11

New, good, key:

pub   1024D/C352022F 2009-08-09 [expires: 2011-08-09]
uid                  Graham Percival
sub   4096g/95D7E0AF 2009-08-09 [expires: 2011-08-09]

Such announcements should be met with extreme suspicion -- after all, if a Bad Guy can convince you to use a different key, without offering a signed revocation of the old key, that completely defeats even the most powerful encryption techniques. In an attempt to convince you that it's safe to trust this announcement, I'll make the following points:

  • This announcement is on my public blog, which presumably I check every so often. I'm also linking to it from my "Contact" page. If this is a fake announcement by a Bad Guy, it's gone unnoticed by me. (this point will be more valid in X months or years from now)
  • The new key has an expiry date, as will any future key I generate. (The only people who should generate non-expiring cryptographic keys are those who have a "security facts" website about them: Things you might not know about Bruce Schneier.)
  • The new key will be signed by various people, once I convince myself that I can be trusted with the new passphrase. (this point will be more valid in X months or years from now)
  • This post contains a somewhat amusing tale of my take on the situation. It is (or at least, should be) fairly convincing on a "Turing test" model. (if I can't convince people that I sound like myself, I have even more problems)

I first realized that I couldn't remember the passphrase the first time I tried to use it -- last Spring, about half a year after generating it in the first place. This gap was the reason I forgot the passphrase in the first place... I don't have problems with things I use daily, but trying to remember a very complicated passphrase that I haven't used in six months is evidently beyond me.

I spent 4-5 hours over the next few days trying various phrases to no avail. I even tried running a cracking tool on the passphrase for a week... I still had my private key, after all. However, that didn't come up with anything. Admittedly, I was using a security researcher's "proof of concept" code. I spent fifteen minutes looking at it and managed to make it 10 times faster, which certainly gave credence to his "this is just to demonstrate how it would work, but it's not at all useful in practice".

Eventually I decided to wait until I returned to Vancouver from Singapore; perhaps it would come to me when I was sitting in my bedroom, surrounded by all the things that surrounded me when I first invented that passphrase. As it happened, I did remember part of it. At least, I think so. I'm pretty certain that I got that part right. However, I still couldn't remember the other part, so no go.

For the rest of the summer, I kept on putting off generating a new key, since I "might" remember it later. But today, one month before I leave for Glasgow, I figured enough was enough.

What does this mean? Well, I had uploaded my key to the public keyservers. Without the passphrase, I can't generate a revocation key. I suppose I could abandon my current public email address, but I'm reluctant to do so... even if I seriously put down roots in the UK, I'd still be a proud Canadian, so I'd still want to retain percival-music.ca.

So this means that anybody wanting to send me private emails in the future will find two gpg keys. To dispell that confusion, I'll need to point them at this post, reminding everybody that I'm an idiot. Ouch. My geek cred is certainly taking a beating over this mistake. :(

On the other hand, as far as "permenant mistakes" go, this is a pretty minor one. I mean, just compare it to all the other mistakes that people in their 20s do. I didn't get drunk and crash my car, I didn't get a girl pregnant (accidentally, I mean -- I guess it wouldn't be a mistake if it was planned), I didn't start doing drugs, I didn't cheat on any exams or papers.

I'm still an idiot, though.