PGP key passphrase lost

kara.ml at arcor.de
Fri Oct 15 13:24:55 UTC 2010


Hi,

> When I issue the command to revoke the key, I am prompted for the
> passphrase (which, of course, I don't have).  How can I revoke this key?
> If I can't, how should I handle this situation? Generate a new key and
> start over and just ignore the old one or....?

You can't, if you don't remember your passphrase.

You can add a comment like "old-key-id no longer in use" in the new key (with
your primary user-id or a special one).

And you can sign the old key with your new key and a cert notation like:

gpg --cert-notation old-key-id@old.domain.tld="no longer in use, use new-key-id" --sign-key old-key-id

(export it and send it to a keyserver and/or friends) - substituting *-key-id
with the real ones, so that users of your new key see that you no longer use
the (not revoked) old key and users of the old key see that there exists a new
key ;)

And for your next key (1): make a backup of your keyrings, issue a revocation
certificate and save it in a secure manner, so that you can revoke a key
under all circumstances by importing the revcert in your keyring and then
exporting/sending the key with the attached revcert.

gpg --gen-revoke key-id > key-id_revcert    # while you still know the passphrase

later:

gpg --import key-id_revcert                 # attaches the revocation to the key
gpg --export -ao revkey.asc key-id          # send revkey.asc to keyservers/friends

(1) another method: use two keys, add one key as a designated revoker with

gpg --edit-key key-id
gpg> addrevoker

-- 
Ciao
Kai
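
Added example, not part of Kai's post: a shell rehearsal of the "revcert in advance" steps above against a throwaway key in a temporary GNUPGHOME, ending with a check that the exported key really is marked revoked. It assumes GnuPG 2.x on PATH; the user id, file names and the rehearse_revocation function name are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): walk through gen-revoke,
# import and export on a throwaway key, then verify the revocation.
# Assumes GnuPG 2.x; everything happens in a temporary GNUPGHOME.
set -eu

# Returns 0 when the key shows as revoked after the revcert was imported.
rehearse_revocation() {
    export GNUPGHOME
    GNUPGHOME=$(mktemp -d)
    chmod 700 "$GNUPGHOME"
    trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

    # 1. Throwaway key with an empty passphrase (constructed user id, test only).
    gpg --batch --quiet --no-tty --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'revcert test <revcert-test@example.invalid>' \
        default default never

    keyid=$(gpg --batch --with-colons --list-keys 'revcert-test@example.invalid' \
        | awk -F: '$1=="pub"{print $5; exit}')

    # 2. Create the revocation certificate now, while the key is still usable.
    #    --gen-revoke is interactive, so the prompts are answered via --command-fd:
    #    confirm, reason 0 (no reason), empty description, confirm.
    gpg --quiet --no-tty --command-fd 0 --status-fd 2 \
        --gen-revoke "$keyid" > "$GNUPGHOME/${keyid}_revcert" <<EOF
y
0

y
EOF

    # 3. "Later", with the passphrase gone: import the revcert ...
    gpg --batch --quiet --no-tty --import "$GNUPGHOME/${keyid}_revcert"
    # ... and export the key with the revocation attached, ready for a keyserver.
    gpg --batch --quiet --no-tty --export -ao "$GNUPGHOME/revkey.asc" "$keyid"

    # 4. Verify: in --with-colons output the pub record's validity field is "r".
    gpg --batch --with-colons --list-keys "$keyid" \
        | awk -F: '$1=="pub"{found=1; ok=($2=="r")} END{exit (found && ok) ? 0 : 1}'
}
```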
More information about the ubuntu-users mailing list