How to revoke a key or user ID?
If you lost your secret key or forgot your password, you should revoke your key. But before revoking too hastily, give yourself a week: maybe the missing password comes back to mind, or you recall that you actually do have a key backup. This grace period is only for a key you have merely lost track of. If the secret key may have fallen into someone else's hands (a stolen laptop, a copied backup), revoke it right away.
If your key was created with GPG Suite 2015.06 or later (released 2015-06-04), a revocation certificate was created automatically and can be found at ~/.gnupg/RevCerts. In that case revocation is easy:
- right-click your public key in GPG Keychain
- select "Revoke..."
If your public key is not in your key list but you previously uploaded it to the key servers, download it from there first and then follow the steps above.
If you manually created a revocation certificate:
- navigate to your revocation certificate in Finder
- open GPG Keychain and drag the certificate into the main window
- carefully read and confirm the dialog to revoke your key
Important: If your key was uploaded to the key servers, make sure to upload the updated (revoked) key as well. Only then will the key servers reflect the revoked status; a revoked key that still shows as valid on the key servers is exactly what you want to avoid.
If your key was created with GPG Suite 2013 or older and you have not manually created a revocation certificate, you might be out of luck: without the password and the secret key it is not possible to create a revocation certificate now, or to revoke the key.
If you did not upload your key to the key servers, the situation is not as bad: create a new key and let your contacts know about it. When your public key resides on the key servers, however, you cannot revoke it and it will continue to show as valid, which is a situation we try to avoid, but read on...
But how will people know, which key to use, if the old key is not revoked?
When searching for a key, the results are presented with a creation date. It is likely that the key with the newest date is the one the key owner wants you to use, but the date alone proves nothing: anyone can upload a key with any name and any creation date to the key servers. It is therefore important to get your new key signed by a few people after letting them check your identity, and to give your contacts the new fingerprint directly. That raises the trust level for the new key.
What to do with the revoked key?
A revoked public key can still be used to verify signatures you made in the past, but it cannot be used to encrypt future messages to you. Your ability to decrypt old encrypted messages is not affected by revoking the key. Thus you do want to keep the revoked sec/pub key in GPG Keychain. It does no harm and lets you keep access to old messages.
How to revoke a User ID?
- open GPG Keychain
- double-click the key with the User ID in question
- select the "User IDs" tab
- right-click the User ID to be revoked and select "Revoke"
- repeat these steps if you want to revoke another User ID
Important: If the key with this User ID was uploaded to the key servers, make sure to upload the updated key. Only then will the entry on the key servers reflect the revoked User ID.
In our example Alice wants to revoke the
since she's left our team, but wants to keep using her key with the other User ID.
In order to modify your key in any form you need access to the secret key and the password.
To avoid being stuck with encrypted messages you are unable to decrypt, we highly recommend doing the following two things:
- store your password in a secure location
- back up your key to a secure location
A secure location can be a password manager, a USB drive in a safe, or a safe deposit box if you trust your bank. Be creative, and do not use online storage solutions for your key backup! Keep in mind that an exported secret key is protected only by its password, so the strength of that password and the safety of the backup location go hand in hand.
Should you ever lose your secret key, you won't be able to decrypt any messages that were encrypted with the corresponding public key. If you are unsure whether you still have your secret key, open GPG Keychain and tick the box at the bottom right, "Show secret keys only". Only sec/pub keys will be displayed. sec/pub keys are also shown in bold, while pub-only keys are shown in normal font.
- if a key backup exists, grab your key from there and re-add it to GPG Keychain
- if you do not have a backup, you should revoke your key and create a new one
If you stored your password in the macOS keychain, you might be able to retrieve it from there:
- open Keychain Access (not GPG Keychain)
- enter GnuPG in the search field
- if no search result shows up, your password was not stored in the macOS keychain
- otherwise double-click the search result entry
- click Show Password and unlock with your admin password
To test possible passwords for your OpenPGP key, open TextEdit and type the word test. Select the word, right-click and choose Services > OpenPGP: Sign Selection. You will be asked for your password and have three attempts; the process can be repeated as often as you like.
When you are certain you cannot recall the password for your key and the macOS keychain didn't turn up anything useful, you should consider revoking your key and creating a new one.
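The TextEdit trick above works one guess at a time. The following is an added example, not GPG Suite's own code, that does the same check from the command line with the `gpg` binary GPG Keychain uses underneath: it signs a throwaway message with your key using each candidate passphrase from a file and stops at the first one that unlocks the secret key. It assumes GnuPG 2.1 or later (loopback pinentry is allowed by default from 2.1.12; older agents need `allow-loopback-pinentry` in gpg-agent.conf), and the key ID, candidates file and `RUN_TRY` switch are names chosen for this example.

```shell
#!/bin/sh
# Added example, not GPG Suite's own code: command-line version of the
# TextEdit "Sign Selection" passphrase test.  Assumes GnuPG 2.1+ and a
# candidates file (one passphrase per line) that you control.
set -eu

# gpg-agent caches an accepted passphrase; reloading the agent drops the cache
# so every attempt is really checked against the key.
clear_agent_cache() {
    gpgconf --reload gpg-agent 2>/dev/null \
        || echo "could not reload gpg-agent; a cached passphrase may mask results" >&2
}

# Try one passphrase: sign a throwaway message with the key and discard the
# output.  Exit 0 means the passphrase unlocked the secret key; otherwise gpg
# fails with "Bad passphrase".  The candidate is passed on fd 3 rather than as
# a command-line argument so it does not show up in the process list.
try_passphrase() {
    printf 'test\n' | gpg --batch --quiet --pinentry-mode loopback \
        --passphrase-fd 3 --local-user "$1" --sign --armor \
        --output /dev/null >/dev/null 2>&1 3<<EOF
$2
EOF
}

# Walk the candidates file and stop at the first hit.  Prints only the matching
# line number, never the passphrase, so nothing secret lands in scrollback or
# logs.  The third argument lets a different checker be plugged in (used by
# the test below); the default is the real gpg check.
find_passphrase() {
    keyid=$1; candidates=$2; tryer=${3:-try_passphrase}
    [ "$tryer" = try_passphrase ] && clear_agent_cache
    n=0
    while IFS= read -r candidate || [ -n "$candidate" ]; do
        n=$((n + 1))
        [ -n "$candidate" ] || continue
        if "$tryer" "$keyid" "$candidate"; then
            echo "$n"
            return 0
        fi
    done < "$candidates"
    return 1
}

# Guarded so the file can be sourced without running anything:
#   KEYID='<key id or fingerprint>' CANDIDATES=candidates.txt RUN_TRY=1 sh try-passphrase.sh
if [ "${RUN_TRY:-0}" = 1 ]; then
    if line=$(find_passphrase "$KEYID" "$CANDIDATES"); then
        echo "the candidate on line $line of $CANDIDATES unlocks $KEYID"
    else
        echo "no candidate unlocked $KEYID" >&2
        exit 1
    fi
fi
```

Once a candidate succeeds, gpg-agent has it cached for the rest of the session, which is the same effect the successful TextEdit signing has. Delete the candidates file afterwards; it is a list of passwords you use or used.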
The MIT key server FAQ answers this question.
Since 2015 (GPG Keychain 1.2b1, to be exact) we automatically create a revocation certificate for you whenever a new key is created. That way, should you ever lose access to your secret key or forget your password, you can still revoke your key. If your public key resides on the key servers, don't forget to upload the revoked key, since otherwise it will still show as valid there.
To see the revocation certificates on your disk:
- open a new Finder window
- press SHIFT + CMD + G (⇧⌘G)
- enter ~/.gnupg/RevCerts into the field
In that folder you find all revocation certificates that have been created. The file name consists of the last 16 hex digits of the key's fingerprint (its long key ID). To find out which certificate belongs to which key, compare those 16 digits with the end of each key's fingerprint in GPG Keychain.
Important: It is recommended to additionally copy all your certificates to a USB drive and store that in a secure location. Anyone holding a revocation certificate can revoke your key with it, so protect the copy as carefully as your secret key backup. If your key was created with a version below 1.2b1 you might not yet have a revocation certificate. In that case:
- from the top menu select Key > Generate Revoke Certificate...
- click "Save" to store the revocation certificate
Now is a good time to store a copy of all your revocation certs on a USB drive.
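Everything GPG Keychain does in the steps above (backing up the key, generating a revocation certificate, importing one to revoke a key, and uploading the revoked key) is a thin layer over the `gpg` command line. The following is an added example, not GPG Suite's own code, that walks the same path with `gpg` so you can script it or check the result: it maps a fingerprint to its certificate file name in ~/.gnupg/RevCerts, exports the backup items, imports a certificate, confirms the key is marked revoked in the local keyring, and, for the "Important" step, pushes the key to a key server and fetches it back into a throwaway keyring to verify the server really serves the revoked copy. It assumes GnuPG 2.x; the `KEYSERVER` default, the `FPR`/`RUN_REVOKE` variables and the file names written by the backup function are choices made for this example, not GPG Keychain's.

```shell
#!/bin/sh
# Added example, not GPG Suite's own code: the GnuPG command-line side of what
# GPG Keychain does for key backup, revocation certificates and revocation.
# Assumes GnuPG 2.x and a key you own.  REVCERT_DIR mirrors the page's
# ~/.gnupg/RevCerts; the KEYSERVER default is an assumption, use yours.
set -eu

REVCERT_DIR="${GNUPGHOME:-$HOME/.gnupg}/RevCerts"
KEYSERVER="${KEYSERVER:-hkps://keys.openpgp.org}"

# GPG Keychain names each certificate after the last 16 hex digits of the key
# fingerprint (the "long key ID").  Normalise a fingerprint as displayed in
# GPG Keychain (spaces, any case) into that 16-character stem.
revcert_stem_for_fingerprint() {
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')
    if [ "${#fpr}" -ne 40 ]; then
        echo "not a 40-hex-digit v4 fingerprint: $1" >&2
        return 1
    fi
    printf '%s' "$fpr" | tail -c 16
}

# Print the certificate file(s) in REVCERT_DIR that belong to a fingerprint.
find_revcert() {
    stem=$(revcert_stem_for_fingerprint "$1") || return 1
    for f in "$REVCERT_DIR/$stem"*; do
        [ -e "$f" ] && printf '%s\n' "$f"
    done
}

# The backup items the page asks for, written to a directory on the USB drive.
# The secret key export is protected only by the key's passphrase.
backup_key() {
    fpr=$1; dir=$2
    name=$(revcert_stem_for_fingerprint "$fpr")
    gpg --armor --export "$fpr" > "$dir/$name.pub.asc"
    gpg --armor --export-secret-keys "$fpr" > "$dir/$name.sec.asc"
    find_revcert "$fpr" | while IFS= read -r cert; do cp "$cert" "$dir/"; done
}

# Manual equivalent of Key > Generate Revoke Certificate... (interactive: reason,
# confirmation, passphrase).  Needs the secret key and passphrase, which is why
# it has to be done while you still have both.
generate_revcert() {
    gpg --output "$2" --gen-revoke "$1"
}

# Equivalent of dragging the certificate into GPG Keychain: importing the
# revocation signature marks the key revoked in the local keyring.
apply_revcert() {
    gpg --import "$1"
}

# In --with-colons output the second field of the "pub" record is the validity,
# and "r" means revoked.  Kept as a pure text filter so it can check any listing.
colons_show_revoked() {
    grep -q '^pub:r:'
}

key_is_revoked() {
    gpg --with-colons --list-keys "$1" | colons_show_revoked
}

# The step the page flags as Important: push the revoked key, then fetch it back
# into a throwaway keyring to confirm the server really serves the revoked copy.
publish_revocation() {
    fpr=$1
    gpg --keyserver "$KEYSERVER" --send-keys "$fpr"
    tmp=$(mktemp -d)
    GNUPGHOME="$tmp" gpg --keyserver "$KEYSERVER" --recv-keys "$fpr"
    if GNUPGHOME="$tmp" gpg --with-colons --list-keys "$fpr" | colons_show_revoked; then
        echo "$KEYSERVER now serves $fpr as revoked"
    else
        echo "WARNING: $KEYSERVER still serves $fpr as valid" >&2
    fi
    rm -rf "$tmp"
}

# Guarded so the file can be sourced without touching a keyring:
#   FPR='<fingerprint>' RUN_REVOKE=1 sh revoke.sh
if [ "${RUN_REVOKE:-0}" = 1 ]; then
    FPR=$(printf '%s' "$FPR" | tr -d ' ')
    cert=$(find_revcert "$FPR" | head -n 1)
    [ -n "$cert" ] || { echo "no certificate for $FPR in $REVCERT_DIR" >&2; exit 1; }
    apply_revcert "$cert"
    if key_is_revoked "$FPR"; then
        publish_revocation "$FPR"
    else
        echo "import did not revoke $FPR" >&2; exit 1
    fi
fi
```

Two things worth knowing when you compare this with GPG Keychain: GnuPG 2.1 and later also writes its own certificate to ~/.gnupg/openpgp-revocs.d/<fingerprint>.rev at key creation, with a leading colon on the first line that you must remove before it can be imported, so that it is not applied by accident; and a revoked key that has already been pushed cannot be un-revoked, so run `key_is_revoked` against the right fingerprint before `publish_revocation`.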