How to revoke old OpenPGP keys?
It depends on whether you still have the private key, or not.
- Having access to the private key:
  You're lucky, and will be able to revoke the key. It is as easy as running `gpg --edit-key [key-id]`. Inside the edit menu, run `revkey`. Import the revocation certificate if needed (`gpg --import [file]`), and send it to the key servers (`gpg --send-keys [key-id]`).
- Having no access to the private key:
  This is very bad, as you're now not the key owner any more, but an "evil attacker".
  Short answer: You're out of luck and will not be able to remove the keys; they will stay forever.
  Long answer, with some perspective:
  - In future times, it might be possible to brute-force old RSA 1024 keys within a reasonable amount of computing time. But don't expect this to happen soon. Quantum computers might change this situation, once they actually arrive.
  - There is another thing you can do to at least hint that you're not using these keys any more: OpenPGP knows so-called designated revocations, where a key may be revoked by another one. You could use your newest key to generate such revocations, but be aware that these will not really be valid (as the old keys very likely did not specify your new one as designated revoker). But other users might observe this and draw their own conclusions. In the end, it's the best thing you can do.
  Anyway: you're not alone, this happens to a lot of people. If the keys do not have any certifications, it's pretty safe to ignore them anyway, as anybody could have created fake keys for your name (and even key ID).
GnuPG 2.1 automatically generates revocation certificates together with new keys. Make sure to generate one manually if using an older version, and also make sure to have a safe backup of this certificate: I recommend creating a QR code (`qrencode` is helpful here) and printing it on a piece of paper you could also hand over to a trusted person (the only thing that could happen is this person maliciously revokes your key, but cannot gain further access).
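The "still have the private key" path from the answer above, run end to end in a throwaway keyring so nothing in `~/.gnupg` is touched. This is an added example, not part of the answer or of GnuPG's own documentation. It assumes GnuPG 2.1 or newer (so the revocation certificate in `openpgp-revocs.d` was written automatically at key creation, as the answer describes), a POSIX shell with `awk`, `sed` and `mktemp`, and uses a constructed user ID; the `--send-keys` step is shown only as a comment because it needs network access.

```shell
#!/bin/sh
# Added example (not from the original answer): revoke a key whose private
# half is still available, using the revocation certificate GnuPG 2.1+ wrote
# at key creation, then verify the keyring now marks the key as revoked.
# Everything happens in a temporary GNUPGHOME that is deleted afterwards.

revoke_demo() {
    # Return 2 (skip) rather than fail when gpg is simply not installed.
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping" >&2; return 2; }

    tmp=$(mktemp -d) || return 1

    # Subshell so the exported GNUPGHOME does not leak into the caller.
    (
        export GNUPGHOME="$tmp"
        chmod 700 "$GNUPGHOME"
        # Take the (empty) passphrase from the command line, not a pinentry.
        printf 'allow-loopback-pinentry\n' > "$GNUPGHOME/gpg-agent.conf"

        uid='Revocation Demo <revoke-demo@example.invalid>'   # constructed for the demo

        # Create a throwaway key; this is where GnuPG 2.1+ also drops a
        # revocation certificate into $GNUPGHOME/openpgp-revocs.d/.
        gpg --batch --yes --pinentry-mode loopback --passphrase '' \
            --quick-gen-key "$uid" default default never 2>/dev/null || exit 1

        # Primary key fingerprint: field 10 of the first "fpr:" line.
        fpr=$(gpg --batch --list-keys --with-colons | awk -F: '/^fpr:/ { print $10; exit }')
        [ -n "$fpr" ] || exit 1

        # Step 1: the revocation certificate. GnuPG "disarms" the stored copy by
        # putting a colon in front of the BEGIN line so it cannot be imported by
        # accident; strip that colon only when you really mean to revoke.
        rev="$GNUPGHOME/openpgp-revocs.d/$fpr.rev"
        [ -f "$rev" ] || exit 1
        sed 's/^:-----BEGIN/-----BEGIN/' "$rev" > "$tmp/revoke.asc"
        # (On older GnuPG, or to make one by hand: gpg --output revoke.asc --gen-revoke "$fpr",
        #  or revkey inside gpg --edit-key "$fpr", as the answer describes.)

        # Step 2: import the certificate; this is what actually revokes the key locally.
        gpg --batch --import "$tmp/revoke.asc" 2>/dev/null || exit 1

        # Step 3: confirm the revocation. In --with-colons output, field 2 of the
        # "pub:" line is the validity, and 'r' means revoked.
        status=$(gpg --batch --list-keys --with-colons "$fpr" | awk -F: '/^pub:/ { print $2; exit }')

        # Step 4 (not run here, needs the network): publish the revocation.
        #   gpg --send-keys "$fpr"

        # Stop the agent that gpg started for this temporary home before removing it.
        gpgconf --kill gpg-agent 2>/dev/null || true
        [ "$status" = "r" ]
    )
    rc=$?
    rm -rf "$tmp"
    return $rc
}

revoke_demo && echo "key revoked in the temporary keyring"
```

The colon-stripping step is the part people trip over: the `.rev` file GnuPG writes is deliberately not importable as-is, which is also what makes it safe to keep a printed or QR-encoded copy around, since the certificate alone only allows revocation, never use of the key.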