Embedded Files
In cases where you wish to have a trustee to revoke your key in the event of compromisation without distributing a powerful revoke certificate, you can add him/her as a revoker trustee. Keep in mind that this action is a one-way street: you cannot remove or revert back. This section guides you on how to add a revoker trustee into your key.
Preparations
Preparations
There are steps to prepare before implementing the addition.
Verify Your Primary "Certify" Key Is Available
Verify Your Primary "Certify" Key Is Available
For advanced users who deleted their "certify" capability secret key, you need to restore it back for key creations. You can verify it by using the following command:
$ gpg --list-secret-keysExample:
$ gpg --list-secret-keys...---------------------------sec rsa4096 2020-01-10 [C] AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EFuid [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>You want to observe the key with [C] capability and the sec label does not have a hash ("sec#"). If it does, you need to restore the key by loading the backup copy and use the following command to restore it:
$ gpg --import /path/to/you/key.ascImport Revoker's Public Key
Import Revoker's Public Key
You need to import your revoker's public key in order to perform a proper addition. To ensure the public key is in your key-ring, use --list-key --keyid-format LONG argument and find his/her email. Example:
$ gpg --list-key --keyid-format LONG/home/jane/.gnupg/pubring.kbx---------------------------------pub rsa4096/DFF009F42B8F65F1 2018-09-23 [SC] 1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9uid [ultimate] Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>sub rsa4096/E0F5C6ECC87BF4FB 2018-09-23 [E]sub rsa4096/226B3ACC3859EF97 2018-09-23 [E]sub rsa4096/DFF009F42B8F65F1 2018-09-23 [S]Add Revoker Trustee
Add Revoker Trustee
With everything is ready, it's time to add revoker.
Edit Your Primary Key
Edit Your Primary Key
With the key ID identified, it's time to edit the key. Use the following command pattern to edit the key:
$ gpg --expert --edit-key <key-id>From the example above, it is:
$ gpg --expert --edit-key AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EFYou will be presented with the gpg key editor's main menu. It looks something like:
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.This is free software: you are free to change and redistribute it.There is NO WARRANTY, to the extent permitted by law.Secret key is available.sec rsa4096/F5EF57A0FB4EF0EF created: 2020-01-10 expires: never usage: C trust: ultimate validity: ultimatessb rsa4096/66F2E45747AB2C90 created: 2020-01-10 expires: 2022-01-09 usage: S ssb rsa4096/9D485C5208D0859F created: 2020-01-10 expires: 2022-01-09 usage: E ssb rsa4096/90939A7DBBFC226D created: 2020-01-10 expires: 2022-01-09 usage: A ssb ed25519/16972F736B59F874 created: 2020-01-10 expires: 2022-01-09 usage: S ssb ed25519/D22D6E1FD575E506 created: 2020-01-10 expires: 2022-01-09 usage: A ssb cv25519/25252612A403B41C created: 2020-01-10 expires: 2022-01-09 usage: E [ultimate] (1). "Shotgun" John, Smith <john.smith@company.com>[ultimate] (2) "Shotgun" John, Smith (Main ID) <john.smith@email.com>gpg>Add Revoker
Add Revoker
Now use the addrevoker command to add your trustee. You'll be asked to search your key-ring for that designated email / user ID. Upon a successful search, you will notice the key's fingerprint is out, a warning confirmation and the revoker's statement.
gpg> addrevoker Enter the user ID of the designated revoker: jane.smith@example.compub rsa4096/445AC05FC0F56EA9 2018-09-23 Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com> Primary key fingerprint: ...WARNING: appointing a key as a designated revoker cannot be undone!Are you sure you want to appoint this key as a designated revoker? (y/N) yThis key may be revoked by RSA key Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>sec rsa4096/F5EF57A0FB4EF0EF created: 2020-01-10 expires: never usage: C trust: ultimate validity: ultimatessb rsa4096/66F2E45747AB2C90 created: 2020-01-10 expires: 2022-01-09 usage: S ssb rsa4096/9D485C5208D0859F created: 2020-01-10 expires: 2022-01-09 usage: E ssb rsa4096/90939A7DBBFC226D created: 2020-01-10 expires: 2022-01-09 usage: A ssb ed25519/16972F736B59F874 created: 2020-01-10 expires: 2022-01-09 usage: S ssb ed25519/D22D6E1FD575E506 created: 2020-01-10 expires: 2022-01-09 usage: A ssb cv25519/25252612A403B41C created: 2020-01-10 expires: 2022-01-09 usage: E [ultimate] (1). "Shotgun" John, Smith <john.smith@company.com>[ultimate] (2) "Shotgun" John, Smith (Main ID) <john.smith@email.com>gpg> Save and Quit
Save and Quit
Once everything is done, you may quit and save. Type quit and remember to confirm the save.
gpg> quitSave changes? (y/N) yCheck The Revocation
Check The Revocation
Use --edit-keys to re-confirm again. Once you're done, type quit to exit interface.
$ gpg --edit-key 1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9gpg (GnuPG) 2.1.18; Copyright (C) 2017 Free Software Foundation, Inc.This is free software: you are free to change and redistribute it.There is NO WARRANTY, to the extent permitted by law.Secret key is available.This key may be revoked by RSA key Jane (Michael) Smith (Personal Individual Identity) <jane.smith@example.com>sec rsa4096/F5EF57A0FB4EF0EF created: 2020-01-10 expires: never usage: C trust: ultimate validity: ultimatessb rsa4096/66F2E45747AB2C90 created: 2020-01-10 expires: 2022-01-09 usage: S ssb rsa4096/9D485C5208D0859F created: 2020-01-10 expires: 2022-01-09 usage: E ssb rsa4096/90939A7DBBFC226D created: 2020-01-10 expires: 2022-01-09 usage: A ssb ed25519/16972F736B59F874 created: 2020-01-10 expires: 2022-01-09 usage: S ssb ed25519/D22D6E1FD575E506 created: 2020-01-10 expires: 2022-01-09 usage: A ssb cv25519/25252612A403B41C created: 2020-01-10 expires: 2022-01-09 usage: E [ultimate] (1). "Shotgun" John, Smith <john.smith@company.com>[ultimate] (2) "Shotgun" John, Smith (Main ID) <john.smith@email.com>gpg> Distribute The Primary Key
Distribute The Primary Key
With the revoke trustee being added into your primary key, you should distribute the update to the keyservers and trustees. For how to distribute is outside of this section coverage. Please refer to "Distribute" in the index section.
REMEMBER: this action is a one-way street: you cannot remove or revert back once you distribute it. Think twice before distribute it.That's all about adding revoke trustee into your primary key.
Page updated
Google Sites
Report abuse