The comp.security.pgp FAQ
7. Revoking a key
- 7.1 My secret key ring has been stolen or lost, what do I do?
- 7.2 I forgot my pass phrase. Can I create a key revocation certificate?
- 7.3 How do I create a key revocation certificate?
- 7.4 How do I indicate that my key is invalid when I don't have the secret key anymore?
7.1 My secret key ring has been stolen or lost, what do I do?
Assuming that you selected a good solid random pass phrase to encrypt
your secret key ring, you are probably still safe. It takes two parts
to decrypt a message, the secret key ring, and its pass phrase. The
secret key is encrypted with the passphrase before it is stored in the
Assuming you have a backup copy of your secret key ring, you should
generate a key revocation certificate and upload the revocation to one
of the public key servers. Prior to uploading the revocation
certificate, you might add a new ID to the old key that tells what
your new key ID will be. If you don't have a backup copy of your
secret key ring, then it will be impossible to create a revocation
certificate under the present version of PGP. This is another good
reason for keeping a backup copy of your secret key ring.
7.2 I forgot my pass phrase. Can I create a key revocation certificate?
As Phil Zimmermann put it: "I'm sorry, you're hosed."
You can't, since the pass phrase is required to create the certificate. You
must decrypt the secret key to sign the revocation statement, and for that
you need your pass phrase.
The way to avoid this dilemma is to create a key revocation
certificate at the same time that you generate your key pair. Put the
revocation certificate away in a safe place and you will have it
available should the need arise.
7.3 How do I create a key revocation certificate?
The easiest way to do this is:
- Make a backup of your public and secret keyrings.
- Revoke your key with: pgp -kd youruserid
- Extract the revoked key to a file with: pgp -kxa youruserid
This file is what the manual calls the "revocation certificate."
- Store the certificate in a safe location, for example on a floppy which
you keep someplace else.
- Restore the backed-up keyrings.
7.4 How do I indicate that my key is invalid when I don't have the secret key anymore?
This is a very tricky situation, and should be avoided at all costs. The
easiest way is to prepare a key revocation certificate (See
for details on how to do this) before you need it,
so you can always revoke the key, even without the secret key.
Alternatively, you can use a binary editor to change one of the user IDs
on your public key to read "Key invalid; use key 0x12345678" or something
to that effect. Keep in mind that the new user ID can't be longer than
the old one, unless you know what you are doing. Then extract the key,
and send it to the keyserver. It will think this is actually a new
user ID, and add it to your key there.
However, since anyone can do the above, many people will not trust
unsigned user IDs with such statements. As explained in question
6.3, all user IDs on your key should be self-signed. So again,
make a key revocation certificate in advance and use that.
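As an added example (not part of the FAQ), a small Python checker that walks a PGP 2.x-style public key block (old packet format, version-3 key and signature packets) and reports which user IDs are followed by a self-signature, the property question 6.3 asks for. The key bytes are constructed, not a real key, and the signature is not cryptographically verified here, only its issuer key ID is compared with the key's own ID, so a full check would still have to verify the RSA signature itself.

```python
TAG_SIG, TAG_PUBKEY, TAG_USERID = 2, 6, 13          # packet tags used here

def iter_packets(data):
    """Yield (tag, body) for each old-format packet (CTB bit 7 set, bit 6 clear)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80 or ctb & 0x40 or (ctb & 0x03) == 3:
            raise ValueError("unsupported packet header at offset %d" % i)
        tag, nlen = (ctb >> 2) & 0x0F, 1 << (ctb & 0x03)   # 1, 2 or 4 length octets
        start = i + 1 + nlen
        length = int.from_bytes(data[i + 1:start], "big")
        yield tag, data[start:start + length]
        i = start + length

def v3_key_id(body):
    """Key ID of a version-3 RSA public key packet: low 64 bits of the modulus n."""
    if body[0] != 3 or body[7] != 1:                # version, then algorithm (1 = RSA)
        raise ValueError("only v3 RSA public keys are handled")
    nbytes = (int.from_bytes(body[8:10], "big") + 7) // 8   # MPI bit count -> octets
    return body[10:10 + nbytes][-8:].hex()

def v3_sig_issuer(body):
    """Issuer key ID carried in a version-3 signature packet."""
    if body[0] != 3 or body[1] != 5:
        raise ValueError("only v3 signatures are handled")
    return body[7:15].hex()

def self_signed_user_ids(data):
    """Map each user ID to True when a signature issued by the key itself follows it."""
    key_id, current, result = None, None, {}
    for tag, body in iter_packets(data):
        if tag == TAG_PUBKEY:
            key_id = v3_key_id(body)
        elif tag == TAG_USERID:
            current = body.decode("latin-1")
            result[current] = False
        elif tag == TAG_SIG and current and v3_sig_issuer(body) == key_id:
            result[current] = True                  # issuer matches: self-signature present
    return result

def old_packet(tag, body):
    return bytes([0x80 | (tag << 2) | 1]) + len(body).to_bytes(2, "big") + body

# Constructed sample, not a real key: fake 505-bit modulus, e = 65537, two user IDs,
# and a v3 signature (issuer = the key's own ID) after the first user ID only.
FAKE_N = bytes(range(1, 65))
KEY_BODY = bytes([3]) + b"\0" * 6 + b"\x01" + (505).to_bytes(2, "big") + FAKE_N + b"\x00\x11\x01\x00\x01"
SIG_BODY = bytes([3, 5, 0x13]) + b"\0" * 4 + FAKE_N[-8:] + b"\x01\x01\xab\xcd\x00\x08\x42"
SAMPLE_KEY = b"".join([old_packet(TAG_PUBKEY, KEY_BODY), old_packet(TAG_USERID, b"Alice <alice@example.org>"),
                       old_packet(TAG_SIG, SIG_BODY), old_packet(TAG_USERID, b"Key invalid; use key 0x12345678")])
```

Running self_signed_user_ids(SAMPLE_KEY) reports the "Alice" ID as self-signed and the hand-edited "Key invalid" ID as not, which is exactly why other users should not trust the latter.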
Copyright © 1996 by Arnoud Engelfriet.
Last updated: 22 Oct 1998.
Comments, additions and suggestions can be sent to <email@example.com>.
This FAQ was generated by Orb v1.3 for OS/2.