How to revoke a key or user ID?
If you lost your secret key or forgot your password, you should revoke your key. But before revoking too hastily, give yourself a week: maybe the missing password comes to mind, or you recall that you do have a backup of your secret key or of your entire Mac. This waiting period only applies to a lost key. If you suspect that someone else has obtained your secret key, revoke it right away.
If your key was created with GPG Suite 2015.06 or later, released 2015-06-04, and you are still using the same Mac, revocation is possible even if you have neither the secret key nor the password: a revocation certificate was automatically generated during key creation and stored on that Mac. To revoke your public key:
- right-click your public key in GPG Keychain
- select "Revoke..."
If your public key is not in your key list but you previously uploaded it to the key server, download it from there first and then revoke it.
If you manually created a revocation certificate:
- navigate to your revocation certificate in Finder
- open GPG Keychain
- drag the revocation certificate in question into the main window
- carefully read and confirm the dialog to revoke your key
Important: If your key was uploaded to the key server, make sure to upload the updated key. Only then will the key servers reflect the revoked status; you don't want a revoked key to show as valid when friends search for your email.
If your key was created with GPG Suite 2013 or older and you have not manually created a revocation certificate, you might be out of luck: without the password and the secret key it is not possible to create a revocation certificate now and, with that, revoke the key.
Whether or not you are able to revoke your old key, you want to create a new OpenPGP key to continue using encryption. We recommend uploading your new key to the key server and verifying the email address(es). That ensures that if a friend searches for your email, they will be presented with your new key and not the old, potentially unrevoked one.
A revoked public key can still be used to verify signatures you made in the past. However, it can no longer be used to encrypt messages to you. Your ability to decrypt old encrypted messages is not affected by revoking the key. So you do want to keep the revoked sec/pub key in GPG Keychain: it does no harm and keeps your access to old messages if you recall the password at a later point in time.
To keep using your key and revoke only a User ID:
- open GPG Keychain and double-click the key with the User ID you want to revoke
- open tab
- right-click the User ID to be revoked and select
- repeat these steps to revoke additional User IDs
Important: If the key with this User ID was uploaded to the key servers, make sure to upload the updated key. Only then will the entry on the key servers reflect the revoked User ID.
To modify your key in any way you need access to the secret key and the password.
To avoid being stuck with encrypted messages you are unable to decrypt, we highly recommend two things:
- store password in secure location
- backup key to secure location
A secure location can be a password manager, a USB drive in a safe, or a safe deposit box if you trust your bank. Be creative, and do not use online storage solutions for your key backup!
Should you ever lose your secret key, you won't be able to decrypt any messages that were encrypted with the corresponding public key. When you are unsure whether you still have your secret key, open GPG Keychain and tick the box at the bottom right, "Show secret keys only". All sec/pub keys will be displayed. sec/pub keys are also shown in bold, while pub-only keys are shown in normal font.
- if a key backup exists, grab your key from there and re-add it to GPG Keychain
- if you do not have a backup, you should revoke your key and create a new key
If you stored your password in the macOS keychain, you might be able to retrieve it from there:
- open Keychain Access (the macOS app, not GPG Keychain)
- enter GnuPG in the search field
- if no search result shows up, your password was not stored in the macOS keychain
- otherwise, double-click the search result entry
- click Show Password and unlock with your admin password
To test possible passwords for your OpenPGP key, open TextEdit and enter the word test. Select the word, right-click and choose Services > OpenPGP: Sign Selection. You will then be asked for your password and have three attempts. This process can be repeated.
When you are certain you cannot recall the password for your key and the macOS keychain didn't bring up anything useful, you should consider revoking your key and creating a new key.
On the new key server you can enter your email address to receive a link that lets you remove your key from search results.
Regarding the old SKS servers, this FAQ answers this question.
Since 2015 a revocation certificate is automatically created during key creation. Should you ever lose access to your secret key or forget your password, you can still revoke your key.
The revocation certificates are stored on your Mac:
- open a new Finder window
- press SHIFT + CMD + G (⇧⌘G)
- enter ~/.gnupg/openpgp-revocs.d into the field
This folder holds all revocation certificates that have been created. The file name consists of the last 16 hex digits of your fingerprint (the long key ID), which tells you which certificate is for which key. Certificates written by current GnuPG versions are named after the full 40-character fingerprint instead.
Important: We recommend creating a backup of all revocation certificates and storing it in a secure location. Note that a revocation certificate is not protected by your password: anyone who obtains it can revoke your key, so guard the backup as carefully as the key itself.
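GPG Keychain is a front end for the gpg command line tool that GPG Suite installs (MacGPG2). The following script is added here as an example and is not taken from GPGTools' documentation or code. It walks through the procedures above on the command line in a throwaway GNUPGHOME, so your real keyring is never touched: it creates a passphrase-protected key (a constructed sample), tries candidate passphrases the way the TextEdit "Sign Selection" trick does, revokes the key with the certificate GnuPG stored in openpgp-revocs.d, and then checks that the revoked key can no longer be encrypted to while old signatures still verify and old messages still decrypt. It assumes GnuPG 2.1 or later, which writes the certificate as openpgp-revocs.d/<fingerprint>.rev at key creation; the key name, email address, passphrase and messages are made up.

```shell
#!/bin/sh
# Added example (not from GPGTools): CLI equivalent of the GPG Keychain steps,
# run in a scratch GNUPGHOME. Assumes GnuPG 2.1+. All key data is constructed.
set -eu
command -v gpg >/dev/null 2>&1 || { echo 'gpg not found (install GPG Suite or GnuPG 2.1+)' >&2; exit 0; }

GNUPGHOME=$(mktemp -d); export GNUPGHOME; chmod 700 "$GNUPGHOME"
trap 'command -v gpgconf >/dev/null 2>&1 && gpgconf --kill gpg-agent; rm -rf "$GNUPGHOME"' EXIT
PASS='correct horse battery staple'     # constructed sample passphrase we pretend to forget

# gpg that never opens a pinentry dialog: passphrase in $1, gpg arguments after it
g() { p=$1; shift; gpg --batch --quiet --yes --pinentry-mode loopback --passphrase "$p" "$@"; }

create_key() {                           # prints the fingerprint of the new key
  gpg --batch --quiet --pinentry-mode loopback --gen-key <<EOF
Key-Type: EDDSA
Key-Curve: ed25519
Subkey-Type: ECDH
Subkey-Curve: cv25519
Name-Real: Revocation Example
Name-Email: revoke-example@example.invalid
Expire-Date: 0
Passphrase: $PASS
%commit
EOF
  gpg --batch --with-colons --list-secret-keys | awk -F: '$1=="fpr"{print $10; exit}'
}

# Scriptable version of the TextEdit "Sign Selection" trial: try each candidate
# passphrase read from stdin against key $1, print the first one that can sign.
find_passphrase() {
  while IFS= read -r cand; do
    if printf test | g "$cand" --local-user "$1" --sign -o /dev/null 2>/dev/null; then
      printf '%s\n' "$cand"; return 0
    fi
  done
  return 1
}

# Validity field of the pub record: u = ultimately trusted (our own key), r = revoked
key_validity() {
  gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="pub"{print $2; exit}'
}

# GnuPG puts a ':' in front of the armor header of the stored certificate so it
# cannot be imported by accident; strip it and import it to revoke the key.
revoke_with_stored_certificate() {
  sed 's/^:-----BEGIN/-----BEGIN/' "$GNUPGHOME/openpgp-revocs.d/$1.rev" | gpg --batch --quiet --import
}

FPR=$(create_key)
VALIDITY_BEFORE=$(key_validity "$FPR")
FOUND=$(printf '%s\n' 'hunter2' 'Tr0ub4dor&3' "$PASS" | find_passphrase "$FPR")   # third guess works
SIG=$(printf 'signed before revocation\n' | g "$PASS" --local-user "$FPR" --clearsign)
CT=$(printf 'encrypted before revocation\n' | g "$PASS" --recipient "$FPR" --armor --encrypt)

revoke_with_stored_certificate "$FPR"
VALIDITY_AFTER=$(key_validity "$FPR")

# A revoked key can no longer be encrypted to (gpg refuses in batch mode) ...
ENCRYPT_AFTER_RC=0
printf x | g "$PASS" --recipient "$FPR" --encrypt -o /dev/null 2>/dev/null || ENCRYPT_AFTER_RC=$?
# ... but signatures made earlier still verify, and old messages still decrypt.
VERIFY_AFTER_RC=0
printf '%s\n' "$SIG" | gpg --batch --quiet --verify 2>/dev/null || VERIFY_AFTER_RC=$?
PT_AFTER=$(printf '%s\n' "$CT" | g "$PASS" --decrypt 2>/dev/null)

printf 'recovered passphrase: %s\nvalidity before/after revocation: %s/%s\n' "$FOUND" "$VALIDITY_BEFORE" "$VALIDITY_AFTER"
printf 'encrypt after revocation exit code: %s\nverify after revocation exit code: %s\ndecrypted after revocation: %s\n' \
  "$ENCRYPT_AFTER_RC" "$VERIFY_AFTER_RC" "$PT_AFTER"
```

Run it as `sh revoke-demo.sh`. The only line you would apply to a real key is the `sed | gpg --import` step, pointed at `~/.gnupg/openpgp-revocs.d/<your fingerprint>.rev`, followed by `gpg --send-keys <fingerprint>` to publish the revoked key, which is the command line version of the "upload the updated key" step above.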