When you wish to retire a primary key, whether because it is being replaced or is no longer in use, you need to revoke it rather than simply delete it. In fact, you should always revoke it and stop using it while leaving it in the keyring as it is. The reason is that not all your trustees are able to obtain your latest key or certificate immediately; they may need time to switch from your old primary key to the new one. Hence, you still need the old key to perform decryption or verification in the meantime.
This section guides you on how to revoke a primary key.
For advanced users who deleted their "certify" capability secret key: you need to restore it before proceeding. You can verify whether it is present by using the following command:
$ gpg --list-secret-keys
Example:
$ gpg --list-secret-keys
...
---------------------------
sec rsa4096 2020-01-10 [C]
AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
uid [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>
You want to see the key with the [C] capability, and its sec label must not carry a hash ("sec#"), which would mean the secret part is missing from the keyring. If it does, you need to restore the key by importing your backup copy with the following command:
$ gpg --import /path/to/your/key.asc
Once done, it's time to revoke the primary key by creating the revocation certificate.
We start off by obtaining your primary key ID. Use the following command to list your keys and find the one you want:
$ gpg --list-secret-keys
Example:
$ gpg --list-secret-keys
...
---------------------------
sec rsa4096 2020-01-10 [C]
AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
uid [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>
You want the long string printed under the [C] key (this is the key's full fingerprint). In the example above, it is AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF.
With the key ID identified, it's time to create the revocation certificate. Use the following command:
$ gpg --gen-revoke <key-ID> > revoke.asc
From the example above, it is:
$ gpg --gen-revoke AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF > revoke.asc
You will be presented with a series of prompts from gpg. Please answer them accordingly, as the public and your trustees will read the certificate to learn why your primary key was revoked. Throughout the process, you may be asked for passphrase authentication. The output looks something like:
sec rsa4096/F5EF57A0FB4EF0EF 2020-01-10 "Shotgun" John, Smith (Main ID) <john.smith@email.com>
Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision? 3
Enter an optional description; end it with an empty line:
> No longer in used.
>
Reason for revocation: Key is no longer used
No longer in used.
Is this okay? (y/N) y
ASCII armored output forced.
Revocation certificate created.
Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable. But have some caution: The print system of
your machine might store the data and make it available to others!
$ ls
revoke.asc
Once you're done, proceed to import that revocation certificate with the --import <file> argument.
$ gpg --import <path/to/cert>
Based on the example, it should be:
$ gpg --import revoke.asc
You can check the key again using --list-secret-keys or --list-keys. You should see that the key is now revoked:
$ gpg --list-secret-keys
/home/jane/.gnupg/pubring.kbx
---------------------------------
sec rsa4096 2020-01-10 [C]
AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
uid [ revoked] "Shotgun" John, Smith (Main ID) <john.smith@email.com>
$
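Both checks in this section, that the [C] primary key's secret part is present (no "sec#") before generating the certificate and that the key shows as revoked after importing it, can be scripted from gpg's machine-readable listing instead of being read off the screen. The script below is an added example and not part of the original guide: the function name primary_key_state is my own, and the three listings it is fed are constructed samples in gpg's --with-colons format (gpg 2.1 or later), reusing the guide's example fingerprint.

```shell
#!/bin/sh
# Added example (not from the guide): classify the state of a primary secret key
# from "gpg --list-secret-keys --with-colons" output. In that format a "sec"
# record carries the validity in field 2 ("r" = revoked), the key's own
# capabilities in lowercase in field 12 ("c" = certify) and, in field 15,
# "+" when the secret part is available or "#" when it is missing (what the
# human-readable listing shows as "sec#"); the "fpr" record that follows it
# carries the full fingerprint in field 10.

# usage: primary_key_state FINGERPRINT < colon-listing
# prints one of: missing, stub, no-certify, revoked, ok
primary_key_state() {
  awk -v want="$1" -F: '
    $1 == "sec" { validity = $2; caps = $12; serial = $15; pending = 1; next }
    $1 == "fpr" && pending {
      pending = 0                        # only the fpr right after a sec record
      if ($10 != want) next
      found = 1
      if (serial == "#")        state = "stub"        # restore from backup first
      else if (caps !~ /c/)     state = "no-certify"  # not a certify-capable primary
      else if (validity == "r") state = "revoked"     # revocation certificate applied
      else                      state = "ok"          # ready for --gen-revoke
    }
    END { print (found ? state : "missing") }'
}

# Constructed sample listings (no real keys), using the guide's example fingerprint.
FPR=AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
SAMPLE_OK='sec:u:4096:1:F5EF57A0FB4EF0EF:1578614400:::u:::cESC:::+:::23::0:
fpr:::::::::AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF:
uid:u::::1578614400::0000000000000000000000000000000000000000::"Shotgun" John, Smith (Main ID) <john.smith@email.com>::::::::::0:
ssb:u:4096:1:0123456789ABCDEF:1578614400::::::e:::+:::23:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:'
# Same key with the primary secret part missing ("sec#") ...
SAMPLE_STUB=$(printf '%s\n' "$SAMPLE_OK" | sed '1s/:+:/:#:/')
# ... and after the revocation certificate has been imported.
SAMPLE_REVOKED=$(printf '%s\n' "$SAMPLE_OK" | sed '1s/^sec:u:/sec:r:/')

printf '%s\n' "$SAMPLE_OK"      | primary_key_state "$FPR"   # ok
printf '%s\n' "$SAMPLE_STUB"    | primary_key_state "$FPR"   # stub
printf '%s\n' "$SAMPLE_REVOKED" | primary_key_state "$FPR"   # revoked
# Against a real keyring:  gpg --list-secret-keys --with-colons | primary_key_state "$FPR"
```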
With the key marked as revoked, you should distribute the update to the keyservers and your trustees. How to distribute it is outside the scope of this section; please refer to "Distribute" in the index section.
That's all for revoking the GPG primary key.