Revoking a key
========
7. Revoking a key
========

7.1. My secret key ring has been stolen or lost, what do I do?

Assuming that you selected a good solid random pass phrase to encrypt your secret key ring, you are probably still safe. It takes two parts to decrypt a message, the secret key ring, and its pass phrase.

Assuming you have a backup copy of your secret key ring, you should generate a key revocation certificate and upload the revocation to one of the public key servers. Prior to uploading the revocation certificate, you might add a new ID to the old key that tells what your new key ID will be. If you don't have a backup copy of your secret key ring, then it will be impossible to create a revocation certificate under the present version of PGP. This is another good reason for keeping a backup copy of your secret key ring.

========

7.2. I forgot my pass phrase. Can I create a key revocation certificate?

YOU CAN'T, since the pass phrase is required to create the certificate! The way to avoid this dilemma is to create a key revocation certificate at the same time that you generate your key pair. Put the revocation certificate away in a safe place and you will have it available should the need arise. You need to be careful how you do this, however, or you will end up revoking the key pair that you just generated, and a revocation can't be reversed.

To do this, extract your public key to an ASCII file (using the "-kxa" option) after you have generated your key pair. Next, create a key revocation certificate and extract the revoked key to another ASCII file using the -kxa option again. Finally, delete the revoked key from your public key ring using the -kr option and put your non-revoked version back in the ring using the -ka option. Save the revocation certificate on a floppy so that you don't lose it if you crash your hard disk sometime.
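
The procedure in 7.2 as a shell function, added here as an example and not part of the original FAQ. It assumes PGP 2.x and that "pgp -kd" is the revoke command (the FAQ does not name it); the function name and the file names pubkey.asc and revoked.asc are hypothetical.

```shell
#!/bin/sh
# Added example: create a stored revocation certificate with PGP 2.x
# without leaving the freshly generated key revoked on the ring.
# Run in an empty directory; pgp prompts for the pass phrase itself.
# Assumption: "pgp -kd userid" revokes the key (not named in the FAQ).
# Hypothetical names: make_revocation_cert, pubkey.asc, revoked.asc.

make_revocation_cert() {
    userid=$1
    [ -n "$userid" ] || { echo "usage: make_revocation_cert userid" >&2; return 2; }

    # 1. Save the clean (non-revoked) public key first.
    pgp -kxa "$userid" pubkey.asc || return 1
    # Stop here without a clean copy: the revocation cannot be undone.
    [ -s pubkey.asc ] || { echo "no clean copy saved, stopping" >&2; return 1; }

    # 2. Revoke the key on the ring, then export the revoked key.
    pgp -kd "$userid" || return 1
    pgp -kxa "$userid" revoked.asc || return 1
    [ -s revoked.asc ] || { echo "revoked key not exported" >&2; return 1; }
    # The two exports must differ, or no revocation was recorded.
    if cmp -s pubkey.asc revoked.asc; then
        echo "revoked.asc is identical to pubkey.asc" >&2
        return 1
    fi

    # 3. Remove the revoked key from the public ring and restore the
    #    clean copy. If pgp offers to remove the key from the secret
    #    ring as well, decline.
    pgp -kr "$userid" || return 1
    pgp -ka pubkey.asc || return 1
    echo "Store revoked.asc offline; upload it only if the key is lost or stolen."
}
```

Call it as make_revocation_cert "your user ID" right after generating the key pair, then move revoked.asc to removable media.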