This key is no longer usable:
pub 2048R/9C6C32C7 2014-02-16 Laura ARJONA REINA <firstname.lastname@example.org> Laura ARJONA REINA <email@example.com> Laura ARJONA REINA <firstname.lastname@example.org> Old key 0xE20474C3 no longer valid: lost secret key. (Clave antigua 0xE20474C4 ya no es válida: clave secreta perdida.) Fingerprint=F29B A6D8 D1DC A30F 3E34 53DF 5CD1 FDE5 9C6C 32C7
Please act as if it does not exist. The reason is that I cannot remember the passphrase of my master GPG key. This is why I didn’t signed any of the keys of people that I met in Barcelona MiniDebconf. My geek self steem is a bit undermined, but feeling sorry for myself accomplishes nothing, so I think I will not hide problems and move on.
I’ll post about my new key soon.
The bad news
The bad news are many.
I generated my key in February 2014 (I generated my very first GPG Key in 2010, as an exercise, but never used it again, and in 2014 I couldn’t remember the passphrase, and the paper where it was written, had got lost before). Anyway, February 2014, new GPG key. I followed the Howto in FSFE wiki in order to use my brand new FSFE SmartCard. I have to admit that I didn’t understand very well how all this works, and it seems that my main mistake was to miss-understand that since I was using a smartcard, with a PIN and an Admin PIN, remembering passphrases was no longer required (only remembering the PINs). I was WRONG! PINs are for daily use with the subkeys of your card (for encryption, decryption, and signing stuff different than GPG keys), you still have the master key that is not in the card (but in a separate medium in a safe place), and for the master key we still use passphrase, and the master key is the one that allows signing keys from other people, and changing, revoking, adding subkeys, etc.
So, it seems I used a random passphrase that I didn’t write down and I could not remember, due to this terrible missunderstanding.
Another bad news is that I didn’t generate a revocation certificate (well in fact, I was going to generate just before signing the first key of another person, and then I realize that it was asking the passphrase, hence the problem). First I thought that it should ask the PIN and my smartcard setup was wrong or anything, but after reading and interchanging emails with other people more experienced than me, I realized that I should remember that passphrase. And I couldn’t. So there are no revocation certificates😦
Another bad news is that some (awesome) people already signed my key, and it will be difficult to meet again so they sign my new key. I was thinking about applying to the Debian new member process this summer, and I have not many opportunities to meet Debian people in person, so I gathered quite a lot signs last March in MiniDebConf Barcelona. Now I’m again at the starting point (well, this is perfect excuse to try to join a Debian event soon I don’t know how I would manage to do it, but I’ll try!).
The good news (Always look at the bright side of life…)
The main good news is that I didn’t used the GPG key for signing/encrypting important stuff: I just interchanged some encrypted mail as test with friends, and signed some mails sent to public mailing lists (for signing mails I was using the smartcard PIN so I didn’t notiece the problem).
The other main good news is that my key is not compromised (well, you can never be sure, but I think so). I cannot revoke it but I’m quite sure nothing important depends on that key.
Other good news is that I have read a lot about how GPG works and how the smartcard works, keys and subkeys and all this stuff, and I think now I understand everything quite better. I have learned (and also tried) tools as nasty, John The Ripper and rephrase to try to recover the passphrase. I didn’t recover it, but at least I know that all those (free software) tools exist and how to use them
And I have learned the lesson: to be extremely careful, test that everything works (not just try one or two things, test everything) and to not leave work for later (and for example, generate the revocation certificates just right after the keys).
I’ll send a message to all the friends that signed or downloaded my old GPG key apologysing and pointing to this blog post so they learn the details about why I create a new key.
I’ll take this opportunity to download and use the Tails (The Agnostic Incognito System, a Debian derivative which is a “live system” and is focused in protecting privacy and anonymity of the user). Tails will be my safe, network disconnected environment to generate the new keys and do the sensible tasks with them. I think this time I will create my main key 4096-bit long (since now I understand that the main key is not stored in the card) and the subkeys can be 2048-bit or 3072 to fit in the smarcard.
Well, hands on! I’ll write another blog post when my new GPG keys are ready. I hope third time’s the charm!
Note: Thank you to all the people that gave me advice and support (knowledge, links, moral support) about this issue. You know who you are!