
I have created a PGP key using GPGTools, and published it a while ago. The thing is: I no longer have access to my secret key. Indeed, I unfortunately formatted the wrong drive (encryption was and is enabled).

And because I'm that kind of guy, I have no backup.

Well I know that I can't do anything about it:
Lost PGP private key and want to remove it from keyserver.ubuntu.com

However, I would like to know what I can do now. The expiration date was set (4 years), but there must be a better way than to wait that long.

  1. Generate a new pair of keys

  2. Make a backup

  3. ???

CallMeStupid
  • Was the private key safely erased / overwritten? Usually it is recommended to use a short expiration time like 1 year and generate revoke certs. –  Nov 15 '15 at 11:39
  • Depending what you mean by "formatted", it might still be possible for you to restore files, including the key. If you actually wrote the disk full of zeroes/random data, then not so much, but if you just e.g. initialized an empty filesystem on top of the old one, all of the data should still be there. – Aleksi Torhamo Nov 15 '15 at 15:38
  • You might be interested in having a subkey besides your private key. The advantage of using a subkey is that you can carry it with you and eventually have it stolen (if your laptop is stolen) without too much hassle. All you need is keeping your private key safe (as it should always be). More details here: https://nxfifteen.me.uk/pgp/creation/ – Richard Gomes Oct 26 '17 at 01:19

2 Answers

If you don't have the private key, and you don't have the revoke certificate, then there is nothing you can do about the existing key.

You should:

  1. Generate a new pair of keys
  2. Publish your new public key to a key server
  3. Let anyone who uses the old key know you have a new one
  4. Take the time to generate a revoke certificate and make and store backups.

One option to mark the lost key as revoked on the key server is detailed in this answer here.

JonnyWizz

You can't change the old keys any more, you already realized that, so I'll skip that discussion. I'd change the order of things to do a little bit, though.

  1. Set up a reasonable, working backup. One that will not fail if you format the wrong drive (because you forgot to unplug the backup disk). Do it now, or you'll likely never do it (on one hand because you're "that kind of guy", and on the other hand because this probably matches most people).
  2. Verify whether your backup is really working by restoring and comparing its contents.

Now (and not before) you're ready to perform any kind of work on your computer, no matter whether it involves OpenPGP keys or not.

  1. Create a new set of key pairs.
  2. If you use GnuPG 2.1 (or newer), a revocation certificate will automatically be generated, otherwise do so manually. Apart from having the revocation certificate in the backup you already configured before, consider printing one (QR codes are handy for reading it again). Put it in a safe place, for example a safe deposit box or simply with some trusted family member or friends. It's unlikely you mess up your working copy, backup AND this paper copy not in your house at the same time.
  3. Verify both your new set of keys and revocation certificate are in your backup by restoring them.
  4. Publish your new key.
  5. If your old key received certifications or you know other people using your key, send a key transmission statement explaining the situation, prompting others to verify your new key again and not use the old one any more.
  6. Get your new key certified as needed.
  7. Wait until the lost key expires anyway.

You can't really do anything to notify others throughout the key server network about your old key being lost. Putting a note in other keys' user ID will not really help (people probably won't even read it), but at the same time be visible forever to people looking at your keys. Instead, better issue a third party revocation, which will not be considered valid (as your old key does not list your new key as allowed revoker), but hopefully all relevant OpenPGP clients will issue a warning message on something being fishy (GnuPG does).

Jens Erat
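The "new key, revocation certificate, tested backup" steps from the answer above, rehearsed end to end as an added shell example (not code from the answer or from GnuPG's documentation). It assumes GnuPG 2.1 or newer on PATH, uses a constructed test identity, and works only in throwaway keyrings, so it never touches your real one.

```shell
#!/bin/sh
# Added example (not from the answer or GnuPG): rehearse steps 1-3 of the
# answer above in throwaway GnuPG homes. Requires GnuPG 2.1 or newer, which
# writes a revocation certificate to openpgp-revocs.d/ at key creation.
set -eu

# Generate a key, back it up with its revocation certificate, restore into a
# fresh home, and confirm both the key and the certificate actually work.
# Prints "ok" and returns 0 on success.
rehearse_key_backup() {
    work=$(mktemp -d)
    gen="$work/gen"; restore="$work/restore"; backup="$work/backup"
    mkdir -m 700 "$gen" "$restore"; mkdir "$backup"
    uid="Backup Rehearsal <rehearsal@example.invalid>"   # constructed identity

    # 1. New key pair. The empty passphrase is acceptable only for a throwaway.
    GNUPGHOME="$gen" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$uid" default default 1y
    fpr=$(GNUPGHOME="$gen" gpg --batch --with-colons --list-keys |
          awk -F: '/^fpr/ {print $10; exit}')

    # 2. Back up the secret key and the revocation certificate GnuPG created.
    GNUPGHOME="$gen" gpg --batch --pinentry-mode loopback --passphrase '' \
        --armor --export-secret-keys "$fpr" > "$backup/secret.asc"
    cp "$gen/openpgp-revocs.d/$fpr.rev" "$backup/revoke.asc"

    # 3. Restore into a fresh home and compare fingerprints.
    GNUPGHOME="$restore" gpg --batch --quiet --import "$backup/secret.asc"
    restored=$(GNUPGHOME="$restore" gpg --batch --with-colons --list-secret-keys |
               awk -F: '/^fpr/ {print $10; exit}')
    [ "$restored" = "$fpr" ] || { echo "restore mismatch"; return 1; }

    # The saved certificate has its BEGIN line prefixed with ':' so it cannot be
    # imported by accident; strip it only here, in the scratch keyring, and
    # check that the key is then listed as revoked (validity field "r").
    sed 's/^:-----BEGIN/-----BEGIN/' "$backup/revoke.asc" |
        GNUPGHOME="$restore" gpg --batch --quiet --import
    validity=$(GNUPGHOME="$restore" gpg --batch --with-colons --list-keys "$fpr" |
               awk -F: '/^pub/ {print $2; exit}')

    GNUPGHOME="$gen" gpgconf --kill gpg-agent
    GNUPGHOME="$restore" gpgconf --kill gpg-agent
    rm -rf "$work"
    [ "$validity" = "r" ] || { echo "revocation certificate not applied"; return 1; }
    echo ok
}

rehearse_key_backup
```

Run the same restore-and-compare against your real backup medium (with the revocation certificate kept colon-prefixed, as GnuPG stores it) before relying on it; a backup that has never been restored is the one the answer warns about.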