H4ck3rm1k3's Blog

exploration of free/libre open source software and things

How to deal with lost GPG keys — May 16, 2015


If you have lost access to your key and want to mark it as gone: you can never delete it from the keyservers, so the best you can do is attach a note to it.

First, use the keyserver search to find and download all your old keys.

Then use gpg to edit the old key: sign it with your current key, revoke that signature (revsig) with a comment pointing to the current key, save, and publish your changes.

Details follow.

Searching:

gpg --search mike dupont
gpg: searching for "mike dupont" from hkp server keys.gnupg.net
(1) 1024 bit RSA key 9136003D, created: 1995-03-28
Keys 1-1 of 1 for "mike dupont". Enter number(s), N)ext, or Q)uit > 1
gpg: requesting key 9136003D from hkp server keys.gnupg.net
gpg: key 9136003D: no user ID
gpg: Total number processed: 1

Editing:

gpg2 --edit-key D8F53FC2
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub 1024D/D8F53FC2 created: 2009-05-21 expires: never usage: SC
trust: unknown validity: unknown
sub 2048g/88E87CF9 created: 2009-05-21 expires: never usage: E
[ unknown] (1). James Michael DuPont (my gmail, not googlemail one) <JamesMikeDuPont@gmail.com>

First, sign the key with your current key:

gpg> sign

pub 1024D/D8F53FC2 created: 2009-05-21 expires: never usage: SC
trust: unknown validity: unknown
Primary key fingerprint: 2D2E C091 7376 735F 701A A44B 8957 EF39 D8F5 3FC2

James Michael DuPont (my gmail, not googlemail one) <JamesMikeDuPont@gmail.com>

Are you sure that you want to sign this key with your
key "James Michael DuPont <jamesmikedupont@googlemail.com>" (237DA5CF)

Really sign? (y/N) y

You need a passphrase to unlock the secret key for
user: "James Michael DuPont <jamesmikedupont@googlemail.com>"
2048-bit RSA key, ID 237DA5CF, created 2015-04-05

Now revoke that signature (revsig), giving reason 4 and a description that names the key to use instead:

gpg> revsig
You have signed these user IDs on key D8F53FC2:
James Michael DuPont (my gmail, not googlemail one) <JamesMikeDuPont@gmail.com>
signed by your key 237DA5CF on 2015-05-15

user ID: "James Michael DuPont (my gmail, not googlemail one) <JamesMikeDuPont@gmail.com>"
signed by your key 237DA5CF on 2015-05-15
Create a revocation certificate for this signature? (y/N) y
You are about to revoke these signatures:
James Michael DuPont (my gmail, not googlemail one) <JamesMikeDuPont@gmail.com>
signed by your key 237DA5CF on 2015-05-15
Really create the revocation certificates? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
4 = User ID is no longer valid
Q = Cancel
Your decision? 4
Enter an optional description; end it with an empty line:
> Revoked. Please use 237DA5CF James Michael DuPont <jamesmikedupont@googlemail.com>
>
Reason for revocation: User ID is no longer valid
Revoked. Please use 237DA5CF James Michael DuPont <jamesmikedupont@googlemail.com>
Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: "James Michael DuPont <jamesmikedupont@googlemail.com>"
2048-bit RSA key, ID 237DA5CF, created 2015-04-05
pub 1024D/D8F53FC2 created: 2009-05-21 expires: never usage: SC
trust: unknown validity: unknown
sub 2048g/88E87CF9 created: 2009-05-21 expires: never usage: E
[ unknown] (1). James Michael DuPont (my gmail, not googlemail one) <JamesMikeDuPont@gmail.com>

gpg> save

And now you can send the edited key to a keyserver:

Key servers :

  • pgp.mit.edu
  • keyserver.ubuntu.com

More servers here : http://rossde.com/PGP/pgp_keyserv.html

gpg2 --send-keys D8F53FC2
gpg: sending key D8F53FC2 to hkp server keys.gnupg.net
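The whole procedure above (fetch, sign, revsig, save, send) as one scripted run, an added example that is not code from the original post. It feeds the answers from the interactive session through gpg's --command-fd/--status-fd options, selects the signing key with --local-user, and defaults to keyserver.ubuntu.com from the server list above; gpg2 on PATH, the function names is_key_id, revsig_answers, has_revsig_from and mark_lost_key, and the colon-format sample lines in the comments are assumptions and constructions made here. It also adds one check the post does not perform: before publishing, it parses gpg's --with-colons signature listing to confirm that a revoked signature from the current key is actually present on the old key.

```shell
#!/bin/sh
# Added example, not code from the original post: a scripted version of the
# sign -> revsig -> save -> send-keys session above, driven through gpg's
# --command-fd so the answers come from a pipe instead of a keyboard, plus a
# check that the revoked signature actually landed on the key.
# Assumptions (not in the post): gpg2 is on PATH, the signing key is chosen
# with --local-user, and the default keyserver is keyserver.ubuntu.com (one
# of the servers the post lists).
set -eu

# A GnuPG key ID or fingerprint is 8, 16 or 40 hex digits. Returns 0 when
# the argument has that shape, 1 otherwise.
is_key_id() {
    case "$1" in
        "") return 1 ;;
        *[!0-9A-Fa-f]*) return 1 ;;
    esac
    case "${#1}" in
        8|16|40) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit, one per line, the answers the post typed by hand for a key with a
# single user ID: sign, confirm, revsig, confirm twice, reason 4 ("User ID
# is no longer valid"), the comment naming the replacement key ($1), an
# empty line to end the comment, the final confirmation, save. A key with
# several user IDs or pre-existing signatures asks extra questions, so walk
# through the session once by hand before relying on this sequence.
revsig_answers() {
    printf '%s\n' \
        "sign" "y" \
        "revsig" "y" "y" "4" \
        "Revoked. Please use $1" "" \
        "y" \
        "save"
}

# Read `gpg2 --with-colons --list-sigs <key>` on stdin and return 0 when a
# "rev" record (a revoked signature) made by key $1 is present. Field 1 is
# the record type, field 5 the signing key's long ID; a short ID such as
# 237DA5CF is the suffix of that long ID. Constructed sample record
# (the long ID is invented, not the post's real one):
#   rev:::1:BEEFCAFE237DA5CF:1431648000::::James Michael DuPont <...>:30x:
has_revsig_from() {
    awk -F: -v k="$1" '
        $1 == "rev" && substr($5, length($5) - length(k) + 1) == k { found = 1 }
        END { exit !found }'
}

# $1 = lost key ID, $2 = current signing key ID, $3 = keyserver (optional)
mark_lost_key() {
    lost="$1"; current="$2"; server="${3:-hkps://keyserver.ubuntu.com}"
    is_key_id "$lost"    || { echo "bad key id: $lost" >&2; return 2; }
    is_key_id "$current" || { echo "bad key id: $current" >&2; return 2; }

    # 1. fetch the old key (the post's search step, non-interactively)
    gpg2 --keyserver "$server" --recv-keys "$lost"

    # 2. sign it, revoke that signature with reason 4 and a comment, save
    revsig_answers "$current" |
        gpg2 --command-fd 0 --status-fd 2 --local-user "$current" \
             --edit-key "$lost"

    # 3. confirm the revoked signature is on the key before publishing
    gpg2 --with-colons --list-sigs "$lost" | has_revsig_from "$current" ||
        { echo "no revoked signature from $current on $lost" >&2; return 1; }

    # 4. publish (the post's --send-keys step)
    gpg2 --keyserver "$server" --send-keys "$lost"
}

# Usage with the key IDs from the post:  mark_lost_key D8F53FC2 237DA5CF
```

The colon output (--with-colons) is the format gpg documents as stable for scripts, which is why the check parses that rather than the human-readable --list-sigs listing; the verification step matters because a wrong answer sequence makes --edit-key abort quietly, and publishing an unchanged key would leave the old key looking perfectly valid.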
