GPG Expired Keys Cleanup – Howto

A lot of people leave their "expired" public keys on the public key servers forever.
They even keep expired secret keys in their keyring, or worse, they delete expired
secret keys from their keyring before revoking the corresponding public keys and
publishing that revocation to the key servers. So did I….

…so, the correct way to take care of your keys is:

List your secret keys:

kobaans-computer:~ kobaan$ gpg --list-secret-keys
/Users/kobaan/.gnupg/secring.gpg
--------------------------------
sec 1024D/9DC0387E 2006-02-21 [expires: 2007-02-21]
uid Andreas Kobara (privat)
ssb 2048g/E5122423 2006-02-21

sec 1024D/F373037D 2006-02-21 [expires: 2007-02-21]
uid Andreas Kobara
ssb 2048g/712EA6D2 2006-02-21

sec 1024D/5BD5E033 2007-02-15 [expires: 2008-02-20]
uid Andreas Kobara
ssb 2048g/ACE9BC3A 2007-02-15

sec 1024D/06F5B3D4 2007-02-15 [expires: 2008-02-20]
uid Andreas Kobara
ssb 2048g/B5A90C83 2007-02-15

As one can see, I have two keys that have already expired and for which I have
already created follow-up keys. As long as I do not revoke the expired public key,
others can still encrypt mail to me by overriding the expiry, and I (or someone who
has stolen my old secret key) will still be able to decrypt mail encrypted to that
expired key. Expiry is only a date that a client may choose to ignore; a revocation
is an explicit, signed statement that the key must not be used any more.

Usually you should create a revocation certificate right after generating a key,
so that you can revoke it later if the secret key is lost or stolen, or when it has
simply expired (newer GnuPG versions generate one automatically at key creation).
In my case, I will create a revocation certificate now, to revoke my key on the
key servers. Pick the reason that is actually true: 1 only if the secret key may
have leaked, 2 when a follow-up key replaces it, 3 when the key is simply taken
out of service.
kobaans-computer:~ kobaan$ gpg --gen-revoke 9DC0387E

sec 1024D/9DC0387E 2006-02-21 Andreas Kobara (privat)

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision? 3
Enter an optional description; end it with an empty line:
>
Reason for revocation: Key is no longer used
(No description given)
Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: “Andreas Kobara (privat) ”
1024-bit DSA key, ID 9DC0387E, created 2006-02-21

ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.6 (Darwin)
Comment: A revocation certificate should follow

iEkEIBECAAkFAkYZKk0CHQMACgkQSA/XCJ3AOH71eACeO+XLUL2pihKbaK2YkHUj
2kQshtgAn0GXcpByipSaJ6VRwbhch90YKwhk
=ijDs
-----END PGP PUBLIC KEY BLOCK-----

Nothing has happened to the key so far; you can store the revocation certificate
away now, or use it right away, depending on your needs.
Let's check the status of my key before and after revocation (--check-sig is
GnuPG's accepted abbreviation of --check-sigs):
kobaans-computer:~ kobaan$ gpg --check-sig 9DC0387E
pub 1024D/9DC0387E 2006-02-21 [expired: 2007-02-21]
uid Andreas Kobara (privat)
sig!3 9DC0387E 2006-05-07 Andreas Kobara (privat)
sig!3 9DC0387E 2006-02-21 Andreas Kobara (privat)

Now import the certificate. Without a file name, gpg --import reads from standard
input, so paste the certificate and end the input with Ctrl-D (or pass the file
name instead):
kobaans-computer:~ kobaan$ gpg --import

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.6 (Darwin)
Comment: A revocation certificate should follow

iEkEIBECAAkFAkYZKk0CHQMACgkQSA/XCJ3AOH71eACeO+XLUL2pihKbaK2YkHUj
2kQshtgAn0GXcpByipSaJ6VRwbhch90YKwhk
=ijDs
-----END PGP PUBLIC KEY BLOCK-----
gpg: Total number processed: 1

And check the keyring again:
kobaans-computer:~ kobaan$ gpg --check-sig 9DC0387E
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2008-02-20
pub 1024D/9DC0387E 2006-02-21 [revoked: 2007-04-08]
rev! 9DC0387E 2007-04-08 Andreas Kobara (privat)
uid Andreas Kobara (privat)
sig!3 9DC0387E 2006-05-07 Andreas Kobara (privat)
sig!3 9DC0387E 2006-02-21 Andreas Kobara (privat)

Now it shows “revoked”.

We can now publish this key back to the key servers to tell everyone that it is
no longer valid for signing or encryption. Key servers do not delete keys; they
only merge new material into the existing entry, so the revocation is published
by sending the key again, not by trying to remove it:
kobaans-computer:~ kobaan$ gpg --send-key 9DC0387E
gpg: sending key 9DC0387E to hkp server subkeys.pgp.net

However, as long as I do not delete this key from my own secret keyring, it will
always be possible to open very old mail archives that were encrypted to that old
key. Revocation changes what others should do with the key, not what the secret
key can decrypt, so keep the old secret key, but guard it as carefully as the
current one.

Useful for someone? ;)