When you want to retire a primary key, whether because it is being replaced or is no longer in use, you need to revoke it before deleting it. In fact, you should always revoke it and simply stop using that primary key while leaving it in place. The reason is that not all of your trustees can obtain your latest key or certificate immediately; they may need time to switch from your old primary key to the new one. Meanwhile, you still need the old key to perform decryption or verification.
This section guides you on how to revoke a primary key.
For advanced users who deleted their "certify" capability secret key from the keyring: you need to restore it before proceeding, since creating the revocation certificate requires it. You can verify its presence with the following command:

$ gpg --list-secret-keys

Example:

$ gpg --list-secret-keys
...
---------------------------
sec   rsa4096 2020-01-10 [C]
      AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
uid           [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>

You want to observe the key with the [C] capability and check that its sec label does not carry a hash ("sec#"). If it does, the secret key is only a stub; restore it by loading your backup copy with the following command:

$ gpg --import /path/to/your/key.asc

Once done, it's time to revoke the primary key by creating the revocation certificate.
We start off by obtaining your primary key ID. Use the following command and find your key in the listing:

$ gpg --list-secret-keys

Example:

$ gpg --list-secret-keys
...
---------------------------
sec   rsa4096 2020-01-10 [C]
      AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
uid           [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>

You want the long string under the [C] key. In the example above, it is: AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF.
With the key ID identified, it's time to create the revocation certificate. Use the following command:

$ gpg --gen-revoke <key-ID> > revoke.asc

From the example above, it is:

$ gpg --gen-revoke AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF > revoke.asc

You will be presented with gpg's interactive revocation prompts. Answer them carefully, as the public and your trustees will read the certificate to learn why your primary key was revoked. Throughout the process, you may be asked for passphrase authentication. The output looks something like:

sec  rsa4096/F5EF57A0FB4EF0EF 2020-01-10 "Shotgun" John, Smith (Main ID) <john.smith@email.com>

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)
Your decision? 3
Enter an optional description; end it with an empty line:
> No longer in used.
>
Reason for revocation: Key is no longer used
No longer in used.
Is this okay? (y/N) y
ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!
$ ls
revoke.asc

Once you're done, import the revocation certificate with the --import <file> argument.
$ gpg --import <path/to/cert>

Based on the example, it should be:

$ gpg --import revoke.asc

You can check the key again using --list-secret-keys or --list-keys. You should see that the key is now revoked:

$ gpg --list-secret-keys
/home/jane/.gnupg/pubring.kbx
---------------------------------
sec   rsa4096 2020-01-10 [C]
      AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
uid           [ revoked] "Shotgun" John, Smith (Main ID) <john.smith@email.com>
$

With the key marked as revoked, you should distribute the update to the keyservers and your trustees. How to distribute it is outside the scope of this section; please refer to "Distribute" in the index section.
That's all for revoking the GPG primary key.