10.1.1 Scrutinizing a keybox file

A keybox is a file format used to store public keys along with meta information and indices. The commonly used one is the file pubring.kbx in the .gnupg directory. It contains all X.509 certificates as well as OpenPGP keys³ .

When called the standard way, e.g.:

‘kbxutil ~/.gnupg/pubring.kbx’

it lists all records (called blobs) with there meta-information in a human readable format.

To see statistics on the keybox in question, run it using

‘kbxutil --stats ~/.gnupg/pubring.kbx’

and you get an output like:

Total number of blobs:       99
               header:        1
                empty:        0
              openpgp:        0
                 x509:       98
          non flagged:       81
       secret flagged:        0
    ephemeral flagged:       17

In this example you see that the keybox does not have any OpenPGP keys but contains 98 X.509 certificates and a total of 17 keys or certificates are flagged as ephemeral, meaning that they are only temporary stored (cached) in the keybox and won’t get listed using the usual commands provided by gpgsm or gpg. 81 certificates are stored in a standard way and directly available from gpgsm.

To find duplicated certificates and keyblocks in a keybox file (this should not occur but sometimes things go wrong), run it using

‘kbxutil --find-dups ~/.gnupg/pubring.kbx’