6

I just created a new PGP key because I want to start using PGP to encrypt my emails. Lo and behold, this is apparently not my first attempt to use PGP. Five years ago, I created another PGP key using an ancient encryption algorithm (DSA 1024-bit). This would be very easy to crack.

Needless to say, I don't have a revoke certificate for it. What should I do?

schroeder
  • 125,553
  • 55
  • 289
  • 326
Jason Baker
  • 161
  • 1
  • 4
  • 1
    But you have the private key + passphrase for the old one, or not? Is it still valid? – sebix Jan 31 '15 at 20:48
  • If the user still has the private key + passphrase, they could generate another revocation certificate. I doubt that they do, given their surprise at finding their long forgotten key from five years ago. – JonnyWizz Oct 30 '15 at 12:18

2 Answers2

9

A DSA 1024 certificate will not be very easy to crack, not even having a high performance cluster at hand. An exception might only be if generated using weak random data, for example because of the Debian random flaw.

If you have lost control over the private key, and do not have a revocation certificate, you cannot do anything about it. Key server data cannot be deleted, and you cannot modify or revoke the key without having the private key (or as a special case, revoke it with a revocation certificate.

To designate that a key should not be used, you can issue a revocation for your old key. Client applications like GnuPG will not consider it and mark the old key as revoked, but most of them will at least issue a warning (so other users have a hint that something is fishy).

Generally, always generate a revocation certificate immediately after creating a new key, and store it in a place you will not lose it (ie. printed on a piece of paper, maybe inside an QR code).

Jens Erat
  • 23,816
  • 12
  • 75
  • 96
5

I found myself in a similar situation. There is a similar thread here: Anything to do about old gpg keys?. I have used the answer from Markus Malkusch, which is a sort of pseudo-revoke if you don't have the revocation certificate.

  • Create a new key with an identity like revoke@example.org
  • Use this new key to sign your old key with a comment like "WARNING: Key was revoked!"
  • Additionally sign your old key with your new key.

Anyone searching the key server will see this along side your old key:

"WARNING: Key was revoked! (Identity for revoking) <revoke@example.org>"

This will hopefully be enought for any potential users to realise that they should use the newer key, or at least that they should contact me through other means before sending me an encrypted email.

JonnyWizz
  • 1,961
  • 1
  • 15
  • 34
  • 1
    Also - make sure you store the revocation certificate for the new key in a safe place! You can print it out as a QR code and store it in a safe place. – JonnyWizz Oct 30 '15 at 09:27