When you want to retire a subkey, either to replace it or because it is no longer in use, you need to revoke it before deleting it. In fact, you should always revoke it and stop using it while leaving it in place rather than deleting it. The reason is that not all of your trustees are able to obtain your latest key or certificate immediately. They may need time to switch from your old subkey to your new one. Hence, you still need the old subkey in place for decryption and signature verification.
This section guides you on how to revoke a subkey.
For advanced users who deleted their secret key with the "certify" capability: you need to restore it before you can edit the key. You can verify that it is present with the following command:
$ gpg --list-secret-keys
Example:
$ gpg --list-secret-keys
...
---------------------------
sec rsa4096 2020-01-10 [C]
AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
uid [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>
You want to see the key with the [C] capability, and its sec label must not carry a hash (i.e. not "sec#"). If it does show "sec#", you need to restore the key by loading your backup copy with the following command:
$ gpg --import /path/to/your/key.asc
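As an added check that is not part of the original guide, the same "sec#" test can be scripted from the machine-readable listing printed by gpg --list-secret-keys --with-colons instead of reading the human output: in that format a secret key that is only a stub carries a "#" in field 15, which is exactly what the "sec#" label reflects. The two sample listings below are constructed for this example, and certify_secret_state is a function name chosen here:

```shell
#!/bin/sh
# Added example (not part of the original guide): detect a missing or stubbed
# certify-capable secret key from the colon-delimited listing printed by
#   gpg --list-secret-keys --with-colons
# Field layout (GnuPG doc/DETAILS): $1 record type, $12 key capabilities
# (lowercase letters are this key's own; 'c' = certify), $15 token serial,
# which is '#' when only a stub of the secret key is kept on this machine.

# Constructed sample: a certify-only primary whose secret part is a stub
# (the "sec#" case from the text), with one signing subkey.
SAMPLE_STUB='sec:u:4096:1:F5EF57A0FB4EF0EF:1578614400:::u:::cESCA:::#:::23::0:
fpr:::::::::AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF:
uid:u::::1578614400::0123456789ABCDEF0123456789ABCDEF01234567::"Shotgun" John, Smith (Main ID) <john.smith@email.com>::::::::::0:
ssb:u:4096:1:66F2E45747AB2C90:1578614400:1641686400:::::s::::::23:'

# Constructed sample: the same key after the backup was imported, so the
# sec record no longer has '#' in field 15.
SAMPLE_RESTORED='sec:u:4096:1:F5EF57A0FB4EF0EF:1578614400:::u:::cESCA::::::23::0:
fpr:::::::::AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF:
ssb:u:4096:1:66F2E45747AB2C90:1578614400:1641686400:::::s::::::23:'

# Reads a colon-delimited listing on stdin and prints one word:
#   present - a usable certify-capable secret key is available
#   stub    - only a stub is kept locally (restore from backup first)
#   none    - no certify-capable secret key in the listing at all
certify_secret_state() {
    awk -F: '
        $1 == "sec" && index($12, "c") {
            found = 1
            if ($15 != "#") usable = 1
        }
        END {
            if (usable) print "present"
            else if (found) print "stub"
            else print "none"
        }'
}

# Stand-alone run over the two constructed samples.
printf '%s\n' "$SAMPLE_STUB"     | certify_secret_state   # stub
printf '%s\n' "$SAMPLE_RESTORED" | certify_secret_state   # present
```

Against a real keyring, pipe the live listing in: gpg --list-secret-keys --with-colons | certify_secret_state. A result of stub means the certify-capable secret key has to be imported from the backup before the subkey can be revoked, since the revocation signature is made with the primary key.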
Once done, it's time to revoke the subkey by creating the revocation certificate.
We start by obtaining your primary key ID and the ID of the targeted subkey. Run the following command and find your key:
$ gpg --list-secret-keys --keyid-format LONG
Example:
$ gpg --list-secret-keys --keyid-format LONG
...
---------------------------
sec rsa4096/F5EF57A0FB4EF0EF 2020-01-10 [C]
AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
uid [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>
uid [ultimate] "Shotgun" John, Smith <john.smith@company.com>
ssb rsa4096/66F2E45747AB2C90 2020-01-10 [S] [expires: 2022-01-09]
ssb rsa4096/9D485C5208D0859F 2020-01-10 [E] [expires: 2022-01-09]
ssb rsa4096/90939A7DBBFC226D 2020-01-10 [A] [expires: 2022-01-09]
ssb ed25519/16972F736B59F874 2020-01-10 [S] [expires: 2022-01-09]
ssb ed25519/D22D6E1FD575E506 2020-01-10 [A] [expires: 2022-01-09]
ssb cv25519/25252612A403B41C 2020-01-10 [E] [expires: 2022-01-09]
In the example above:
The primary key ID is AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF. Make sure this is the primary key you wanted to use.
The subkey IDs are 66F2E45747AB2C90, 9D485C5208D0859F, 90939A7DBBFC226D, 16972F736B59F874, D22D6E1FD575E506, and 25252612A403B41C.
With the key ID identified, it's time to edit the key. Use the following command pattern to edit the key:
$ gpg --expert --edit-key <key-id>
From the example above, it is:
$ gpg --expert --edit-key AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
You will be presented with the gpg key editor's main menu. It looks something like:
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec rsa4096/F5EF57A0FB4EF0EF
created: 2020-01-10 expires: never usage: C
trust: ultimate validity: ultimate
ssb rsa4096/66F2E45747AB2C90
created: 2020-01-10 expires: 2022-01-09 usage: S
ssb rsa4096/9D485C5208D0859F
created: 2020-01-10 expires: 2022-01-09 usage: E
ssb rsa4096/90939A7DBBFC226D
created: 2020-01-10 expires: 2022-01-09 usage: A
ssb ed25519/16972F736B59F874
created: 2020-01-10 expires: 2022-01-09 usage: S
ssb ed25519/D22D6E1FD575E506
created: 2020-01-10 expires: 2022-01-09 usage: A
ssb cv25519/25252612A403B41C
created: 2020-01-10 expires: 2022-01-09 usage: E
[ultimate] (1). "Shotgun" John, Smith <john.smith@company.com>
[ultimate] (2) "Shotgun" John, Smith (Main ID) <john.smith@email.com>
gpg>
Now you can select your subkey using the key command. Upon selection, you'll notice an asterisk (*) right after its ssb label. Keep in mind that the numbering follows an N-1 calculation (e.g. option #1 ➔ 0, option #2 ➔ 1, ...). Here's an example for selecting the 3rd key (key 2):
gpg> key 2
sec rsa4096/F5EF57A0FB4EF0EF
created: 2020-01-10 expires: never usage: C
trust: ultimate validity: ultimate
ssb rsa4096/66F2E45747AB2C90
created: 2020-01-10 expires: 2022-01-09 usage: S
ssb* rsa4096/9D485C5208D0859F
created: 2020-01-10 expires: 2022-01-09 usage: E
ssb rsa4096/90939A7DBBFC226D
created: 2020-01-10 expires: 2022-01-09 usage: A
ssb ed25519/16972F736B59F874
created: 2020-01-10 expires: 2022-01-09 usage: S
ssb ed25519/D22D6E1FD575E506
created: 2020-01-10 expires: 2022-01-09 usage: A
ssb cv25519/25252612A403B41C
created: 2020-01-10 expires: 2022-01-09 usage: E
[ultimate] (1). "Shotgun" John, Smith <john.smith@company.com>
[ultimate] (2) "Shotgun" John, Smith (Main ID) <john.smith@email.com>
gpg>
With the subkey selected, you can proceed to revoke it using the revkey command. You will be asked to confirm, to give the reason for the revocation and an optional description, to confirm again, and lastly for the primary key passphrase so the key can be edited. Here's an example:
gpg> revkey
Do you really want to revoke this subkey? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
Your decision? 3
Enter an optional description; end it with an empty line:
> No longer using this key.
>
Reason for revocation: Key is no longer used
No longer using this key.
Is this okay? (y/N) y
sec rsa4096/F5EF57A0FB4EF0EF
created: 2020-01-10 expires: never usage: C
trust: ultimate validity: ultimate
ssb rsa4096/66F2E45747AB2C90
created: 2020-01-10 expires: 2022-01-09 usage: S
The following key was revoked on 2020-01-13 by RSA key F5EF57A0FB4EF0EF "Shotgun" John, Smith (Main ID) <john.smith@email.com>
ssb* rsa4096/9D485C5208D0859F
created: 2020-01-10 expires: 2022-01-09 usage: E
ssb rsa4096/90939A7DBBFC226D
created: 2020-01-10 expires: 2022-01-09 usage: A
ssb ed25519/16972F736B59F874
created: 2020-01-10 expires: 2022-01-09 usage: S
ssb ed25519/D22D6E1FD575E506
created: 2020-01-10 expires: 2022-01-09 usage: A
ssb cv25519/25252612A403B41C
created: 2020-01-10 expires: 2022-01-09 usage: E
[ultimate] (1). "Shotgun" John, Smith <john.smith@company.com>
[ultimate] (2) "Shotgun" John, Smith (Main ID) <john.smith@email.com>
gpg>
Once everything is done, you may quit and save. Type quit and remember to confirm the save.
gpg> quit
Save changes? (y/N) y
Use --edit-key to re-confirm the change. Once you're done, type quit to exit the interface.
$ gpg --edit-key AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF
gpg (GnuPG) 2.1.18; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec rsa4096/F5EF57A0FB4EF0EF
created: 2020-01-10 expires: never usage: C
trust: ultimate validity: ultimate
ssb rsa4096/66F2E45747AB2C90
created: 2020-01-10 expires: 2022-01-09 usage: S
The following key was revoked on 2020-01-13 by RSA key F5EF57A0FB4EF0EF "Shotgun" John, Smith (Main ID) <john.smith@email.com>
ssb* rsa4096/9D485C5208D0859F
created: 2020-01-10 expires: 2022-01-09 usage: E
ssb rsa4096/90939A7DBBFC226D
created: 2020-01-10 expires: 2022-01-09 usage: A
ssb ed25519/16972F736B59F874
created: 2020-01-10 expires: 2022-01-09 usage: S
ssb ed25519/D22D6E1FD575E506
created: 2020-01-10 expires: 2022-01-09 usage: A
ssb cv25519/25252612A403B41C
created: 2020-01-10 expires: 2022-01-09 usage: E
[ultimate] (1). "Shotgun" John, Smith <john.smith@company.com>
[ultimate] (2) "Shotgun" John, Smith (Main ID) <john.smith@email.com>
gpg>
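The same re-confirmation can be done without reopening the interactive editor, which is handy when you manage several keys or want a scripted check before distributing. This is an added example, not part of the original guide: it reads the listing printed by gpg --list-keys --with-colons, where a revoked subkey has "r" in the validity field. The sample listing is constructed to match the key from this section after the revkey step, and subkey_states and subkey_is_revoked are names chosen here:

```shell
#!/bin/sh
# Added example (not part of the original guide): confirm the revocation from
# the machine-readable listing instead of reopening the interactive editor.
# Input is what this command prints:
#   gpg --list-keys --with-colons <key-id>
# Fields used (GnuPG doc/DETAILS): $1 record type, $2 validity ('r' = revoked,
# 'e' = expired), $5 key ID, $12 capabilities of this (sub)key.

# Constructed sample of the key from this section after revkey on
# 9D485C5208D0859F; the other subkeys are untouched.
SAMPLE_AFTER_REVKEY='pub:u:4096:1:F5EF57A0FB4EF0EF:1578614400:::u:::cESCA::::::23::0:
fpr:::::::::AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF:
uid:u::::1578614400::0123456789ABCDEF0123456789ABCDEF01234567::"Shotgun" John, Smith (Main ID) <john.smith@email.com>::::::::::0:
sub:u:4096:1:66F2E45747AB2C90:1578614400:1641686400:::::s::::::23:
sub:r:4096:1:9D485C5208D0859F:1578614400:1641686400:::::e::::::23:
sub:u:4096:1:90939A7DBBFC226D:1578614400:1641686400:::::a::::::23:'

# Print one line per subkey from the listing on stdin:
#   "<key id> <capability> <state>"   with state revoked, expired or active
subkey_states() {
    awk -F: '$1 == "sub" {
        state = ($2 == "r") ? "revoked" : ($2 == "e") ? "expired" : "active"
        print $5, $12, state
    }'
}

# Exit 0 when the subkey given as $1 is marked revoked in the listing on stdin.
subkey_is_revoked() {
    awk -F: -v id="$1" '
        $1 == "sub" && $5 == id && $2 == "r" { ok = 1 }
        END { exit (ok ? 0 : 1) }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AFTER_REVKEY" | subkey_states
if printf '%s\n' "$SAMPLE_AFTER_REVKEY" | subkey_is_revoked 9D485C5208D0859F; then
    echo "9D485C5208D0859F is revoked; the updated key can be distributed"
fi
```

Against the real keyring the call is gpg --list-keys --with-colons AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF | subkey_is_revoked 9D485C5208D0859F. Note that the revoked subkey still appears in the listing; that is the intended state described at the start of this section, since trustees must still be able to verify old signatures while seeing that the subkey is no longer valid.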
With the subkey now marked as revoked, you should distribute the update to the keyservers and your trustees. How to distribute it is outside the scope of this section; please refer to "Distribute" in the index section.
That's all for revoking the GPG subkey.