
GPG Expired Keys Cleanup - Howto

A lot of people leave their "expired" public keys on the public key servers forever.
They even keep expired secret keys in their keyrings or, worse, they delete expired secret keys from their keyring before revoking the corresponding public keys and publishing the revocation to the key servers.

So did I....


...so, the correct way to take care of your keys is:

List your secret keys:

kobaans-computer:~ kobaan$ gpg --list-secret-keys
/Users/kobaan/.gnupg/secring.gpg
---------------------------------
sec 1024D/9DC0387E 2006-02-21 [expires: 2007-02-21] Blogentry April 2007
uid Andreas Kobara (privat)
ssb 2048g/E5122423 2006-02-21

sec 1024D/F373037D 2006-02-21 [expires: 2007-02-21] Blogentry April 2007
uid Andreas Kobara
ssb 2048g/712EA6D2 2006-02-21

sec 1024D/5BD5E033 2007-02-15 [expires: 2008-02-20]
uid Andreas Kobara
ssb 2048g/ACE9BC3A 2007-02-15

sec 1024D/06F5B3D4 2007-02-15 [expires: 2008-02-20]
uid Andreas Kobara
ssb 2048g/B5A90C83 2007-02-15

As one can see, I have two keys that are already expired and for which I have already created follow-up keys.
As long as I do not revoke the expired public key, others can still encrypt mail to me while ignoring the expiry,
and I (or someone who has stolen my old secret key) will still be able to decrypt mail that was encrypted to the expired key.

Usually you should create a revocation certificate right after generating a new key, so that you are able to revoke it later in case it is stolen or has simply expired.
In my case, I will create the revocation certificate now, to revoke my key on the keyservers.

kobaans-computer:~ kobaan$ gpg --gen-revoke 9DC0387E

sec 1024D/9DC0387E 2006-02-21 Andreas Kobara (privat)

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision? 3
Enter an optional description; end it with an empty line:
>
Reason for revocation: Key is no longer used
(No description given)
Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: "Andreas Kobara (privat) "
1024-bit DSA key, ID 9DC0387E, created 2006-02-21

ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable. But have some caution: The print system of
your machine might store the data and make it available to others!

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.6 (Darwin)
Comment: A revocation certificate should follow

iEkEIBECAAkFAkYZKk0CHQMACgkQSA/XCJ3AOH71eACeO+XLUL2pihKbaK2YkHUj
2kQshtgAn0GXcpByipSaJ6VRwbhch90YKwhk
=ijDs
-----END PGP PUBLIC KEY BLOCK-----

Nothing has happened so far: you can store your revocation certificate now, or use it, depending on your needs.
Let's check the status of my key before and after revocation:

kobaans-computer:~ kobaan$ gpg --check-sig 9DC0387E
pub 1024D/9DC0387E 2006-02-21 [expired: 2007-02-21]
uid Andreas Kobara (privat)
sig!3 9DC0387E 2006-05-07 Andreas Kobara (privat)
sig!3 9DC0387E 2006-02-21 Andreas Kobara (privat)


Now import the certificate:

kobaans-computer:~ kobaan$ gpg --import

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.6 (Darwin)
Comment: A revocation certificate should follow

iEkEIBECAAkFAkYZKk0CHQMACgkQSA/XCJ3AOH71eACeO+XLUL2pihKbaK2YkHUj
2kQshtgAn0GXcpByipSaJ6VRwbhch90YKwhk
=ijDs
-----END PGP PUBLIC KEY BLOCK-----
gpg: Total number processed: 1

And check the keyring again:

kobaans-computer:~ kobaan$ gpg --check-sig 9DC0387E
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2008-02-20
pub 1024D/9DC0387E 2006-02-21 [revoked: 2007-04-08]
rev! 9DC0387E 2007-04-08 Andreas Kobara (privat)
uid Andreas Kobara (privat)
sig!3 9DC0387E 2006-05-07 Andreas Kobara (privat)
sig!3 9DC0387E 2006-02-21 Andreas Kobara (privat)


Now it shows "revoked".

We can now publish this key back to the keyservers to tell everyone that this key is no longer valid for signing and encryption.

kobaans-computer:~ kobaan$ gpg --send-key 9DC0387E
gpg: sending key 9DC0387E to hkp server subkeys.pgp.net
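The whole procedure above (list, pick the expired keys you still hold a secret key for, revoke, import, publish) can be driven from GnuPG's machine-readable listing instead of reading `--list-secret-keys` by eye. The script below is an added example, not part of the original post: it parses `gpg --with-colons` output, where field 1 is the record type, field 2 the validity flag (`e` expired, `r` revoked) and field 5 the key ID, and prints which keys still need a revocation certificate, followed by the commands from the post as a dry run. The key listings embedded in the script are constructed from the keyring shown above (real output carries more fields and, in newer GnuPG versions, 16-character long key IDs); nothing here touches a real keyring.

```shell
#!/bin/sh
# Added example, not from the original post: find keys that have expired but
# have not been revoked yet, using GnuPG's machine-readable listing.
# Assumed field layout of `gpg --with-colons` records (see GnuPG doc/DETAILS):
#   field 1 = record type (pub, sec, uid, ...)
#   field 2 = validity flag ('e' = expired, 'r' = revoked, 'u' = ultimate, ...)
#   field 5 = key ID
# Only those three fields are used, so the samples below are deliberately short.

# Constructed sample listing modelled on the keyring in the post, before any
# revocation: two expired keys, two current ones.
PUB_BEFORE='pub:e:1024:17:9DC0387E:2006-02-21:2007-02-21::-:Andreas Kobara (privat):
pub:e:1024:17:F373037D:2006-02-21:2007-02-21::-:Andreas Kobara:
pub:u:1024:17:5BD5E033:2007-02-15:2008-02-20::u:Andreas Kobara:
pub:u:1024:17:06F5B3D4:2007-02-15:2008-02-20::u:Andreas Kobara:'

# The same keyring after the revocation certificate for 9DC0387E was imported.
PUB_AFTER='pub:r:1024:17:9DC0387E:2006-02-21:2007-02-21::-:Andreas Kobara (privat):
pub:e:1024:17:F373037D:2006-02-21:2007-02-21::-:Andreas Kobara:
pub:u:1024:17:5BD5E033:2007-02-15:2008-02-20::u:Andreas Kobara:
pub:u:1024:17:06F5B3D4:2007-02-15:2008-02-20::u:Andreas Kobara:'

# Constructed secret keyring listing (GnuPG 1.4 leaves field 2 empty for sec records).
SEC_LISTING='sec::1024:17:9DC0387E:2006-02-21:2007-02-21:::Andreas Kobara (privat):
sec::1024:17:F373037D:2006-02-21:2007-02-21:::Andreas Kobara:
sec::1024:17:5BD5E033:2007-02-15:2008-02-20:::Andreas Kobara:
sec::1024:17:06F5B3D4:2007-02-15:2008-02-20:::Andreas Kobara:'

# Key IDs of public keys whose validity flag is 'e': expired, but not revoked.
expired_key_ids() {
    printf '%s\n' "$1" | awk -F: '$1 == "pub" && $2 == "e" { print $5 }'
}

# Key IDs for which a secret key is present in the secret keyring.
secret_key_ids() {
    printf '%s\n' "$1" | awk -F: '$1 == "sec" { print $5 }'
}

# cleanup_candidates PUBLIC_LISTING SECRET_LISTING
# One key ID per line for every key that is expired, still unrevoked and whose
# secret key you still hold: exactly the keys the post cleans up.
cleanup_candidates() {
    secrets=" $(secret_key_ids "$2" | tr '\n' ' ') "
    for id in $(expired_key_ids "$1"); do
        case "$secrets" in
            *" $id "*) printf '%s\n' "$id" ;;
        esac
    done
}

# revocation_plan KEYID ...
# Prints the commands from the post for each key as a dry run (nothing is
# executed); --output is added so the certificate lands in a file rather than
# on the terminal, ready to be stored or imported.
revocation_plan() {
    for id in "$@"; do
        printf 'gpg --output revoke-%s.asc --gen-revoke %s\n' "$id" "$id"
        printf 'gpg --import revoke-%s.asc\n' "$id"
        printf 'gpg --send-key %s\n' "$id"
    done
}

# Stand-alone run on the constructed samples. Against a real keyring use:
#   cleanup_candidates "$(gpg --with-colons --list-keys)" "$(gpg --with-colons --list-secret-keys)"
echo "Keys still to revoke, before revocation:"
revocation_plan $(cleanup_candidates "$PUB_BEFORE" "$SEC_LISTING")
echo "Keys still to revoke, after revoking 9DC0387E:"
revocation_plan $(cleanup_candidates "$PUB_AFTER" "$SEC_LISTING")
```

Run it again after `--import` and `--send-key` and the revoked key drops out of the list, which is the same before/after check the post does with `--check-sig`, but over the whole keyring at once.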

However, as long as I do not delete this key from my own secret keyring, it will always be possible to open very old mail archives that were encrypted with that old key.

Useful for someone?