Embedded Files
When you wish to expire a subkey for replacement or no longer in use, you need to revoke it before delete it. In fact, you should always revoke it and no longer using that subkey while leaving it as it is. The reason being not all your trustees is able to obtain your latest key or certificate immediately. They may need time to switch from your old subkey to your new version. Hence, you still need the old subkey to perform decryption or verifications.
This section guides you on how to revoke a subkey.
Verify Your Primary "Certify" Key Is Available
Verify Your Primary "Certify" Key Is Available
For advanced users who deleted their "certify" capability secret key, you need to restore it back for key creations. You can verify it by using the following command:
$ gpg --list-secret-keysExample:
$ gpg --list-secret-keys...---------------------------sec rsa4096 2020-01-10 [C] AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EFuid [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>You want to observe the key with [C] capability and the sec label does not have a hash ("sec#"). If it does, you need to restore the key by loading the backup copy and use the following command to restore it:
$ gpg --import /path/to/you/key.ascCreating Revoke Certificate
Creating Revoke Certificate
Once done, it's time to revoke the primary key by creating the revoke certificate.
Identify Your Primary Key ID and the targeted Subkey
Identify Your Primary Key ID and the targeted Subkey
We start off by obtaining your primary key ID and the targeted subkey. This is by using the following command and find your key:
gpg --list-secret-keys --keyid-format LONGExample:
$ gpg --list-secret-keys --keyid-format LONG...---------------------------sec rsa4096/F5EF57A0FB4EF0EF 2020-01-10 [C] AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EFuid [ultimate] "Shotgun" John, Smith (Main ID) <john.smith@email.com>uid [ultimate] "Shotgun" John, Smith <john.smith@company.com>ssb rsa4096/66F2E45747AB2C90 2020-01-10 [S] [expires: 2022-01-09]ssb rsa4096/9D485C5208D0859F 2020-01-10 [E] [expires: 2022-01-09]ssb rsa4096/90939A7DBBFC226D 2020-01-10 [A] [expires: 2022-01-09]ssb ed25519/16972F736B59F874 2020-01-10 [S] [expires: 2022-01-09]ssb ed25519/D22D6E1FD575E506 2020-01-10 [A] [expires: 2022-01-09]ssb cv25519/25252612A403B41C 2020-01-10 [E] [expires: 2022-01-09]In the example above:
- The primary key ID is:
AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EF. Make sure this is the primary key you wanted to use. - The subkey IDs are:
66F2E45747AB2C90,9D485C5208D0859F,90939A7DBBFC226D,16972F736B59F874,D22D6E1FD575E506, and25252612A403B41C.
Edit Primary Key
Edit Primary Key
With the key ID identified, it's time to edit the key. Use the following command pattern to edit the key:
$ gpg --expert --edit-key <key-id>From the example above, it is:
$ gpg --expert --edit-key AC51A10307C10B2A4BB1C89AF5EF57A0FB4EF0EFYou will be presented with the gpg key editor's main menu. It looks something like:
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.This is free software: you are free to change and redistribute it.There is NO WARRANTY, to the extent permitted by law.Secret key is available.sec rsa4096/F5EF57A0FB4EF0EF created: 2020-01-10 expires: never usage: C trust: ultimate validity: ultimatessb rsa4096/66F2E45747AB2C90 created: 2020-01-10 expires: 2022-01-09 usage: S ssb rsa4096/9D485C5208D0859F created: 2020-01-10 expires: 2022-01-09 usage: E ssb rsa4096/90939A7DBBFC226D created: 2020-01-10 expires: 2022-01-09 usage: A ssb ed25519/16972F736B59F874 created: 2020-01-10 expires: 2022-01-09 usage: S ssb ed25519/D22D6E1FD575E506 created: 2020-01-10 expires: 2022-01-09 usage: A ssb cv25519/25252612A403B41C created: 2020-01-10 expires: 2022-01-09 usage: E [ultimate] (1). "Shotgun" John, Smith <john.smith@company.com>[ultimate] (2) "Shotgun" John, Smith (Main ID) <john.smith@email.com>gpg>Select Your Subkey
Select Your Subkey
Now you can select your sub-key using key command. Upon selection, you'll notice an asterisk (*) right after its ssb label. Keep in mind that the numbering is following N-1 calculation (E.g. option #1 ➔ 0. option #2 ➔ 1, ...). Here's an example for selecting the 3rd key (key 2):
gpg> key 2sec rsa4096/F5EF57A0FB4EF0EF created: 2020-01-10 expires: never usage: C trust: ultimate validity: ultimatessb rsa4096/66F2E45747AB2C90 created: 2020-01-10 expires: 2022-01-09 usage: S ssb* rsa4096/9D485C5208D0859F created: 2020-01-10 expires: 2022-01-09 usage: E ssb rsa4096/90939A7DBBFC226D created: 2020-01-10 expires: 2022-01-09 usage: A ssb ed25519/16972F736B59F874 created: 2020-01-10 expires: 2022-01-09 usage: S ssb ed25519/D22D6E1FD575E506 created: 2020-01-10 expires: 2022-01-09 usage: A ssb cv25519/25252612A403B41C created: 2020-01-10 expires: 2022-01-09 usage: E [ultimate] (1). "Shotgun" John, Smith <john.smith@company.com>[ultimate] (2) "Shotgun" John, Smith (Main ID) <john.smith@email.com>gpg>Revoke Subkey
Revoke Subkey
With the subkey selected, you can proceed to revoke it using revkey command. You will be asked for reconfirmation, details for revoke, decisions, and lastly the primary key passphrase for editing the key. Here's an example:
gpg> revkey Do you really want to revoke this subkey? (y/N) yPlease select the reason for the revocation: 0 = No reason specified 1 = Key has been compromised 2 = Key is superseded 3 = Key is no longer used Q = CancelYour decision? 3Enter an optional description; end it with an empty line:> No longer using this key.> Reason for revocation: Key is no longer usedNo longer using this key.Is this okay? (y/N) ysec rsa4096/F5EF57A0FB4EF0EF created: 2020-01-10 expires: never usage: C trust: ultimate validity: ultimatessb rsa4096/66F2E45747AB2C90 created: 2020-01-10 expires: 2022-01-09 usage: SThe following key was revoked on 2020-01-13 by RSA key F5EF57A0FB4EF0EF "Shotgun" John, Smith (Main ID) <john.smith@email.com> ssb* rsa4096/9D485C5208D0859F created: 2020-01-10 expires: 2022-01-09 usage: Essb rsa4096/90939A7DBBFC226D created: 2020-01-10 expires: 2022-01-09 usage: A ssb ed25519/16972F736B59F874 created: 2020-01-10 expires: 2022-01-09 usage: S ssb ed25519/D22D6E1FD575E506 created: 2020-01-10 expires: 2022-01-09 usage: A ssb cv25519/25252612A403B41C created: 2020-01-10 expires: 2022-01-09 usage: E [ultimate] (1). "Shotgun" John, Smith <john.smith@company.com>[ultimate] (2) "Shotgun" John, Smith (Main ID) <john.smith@email.com>gpg>Save and Quit
Save and Quit
Once everything is done, you may quit and save. Type quit and remember to confirm the save.
gpg> quitSave changes? (y/N) yCheck The Revocation
Check The Revocation
Use --edit-keys to re-confirm again. Once you're done, type quit to exit interface.
$ gpg --edit-key 1F6E1C8C1F1A3458A267EEFD445AC05FC0F56EA9gpg (GnuPG) 2.1.18; Copyright (C) 2017 Free Software Foundation, Inc.This is free software: you are free to change and redistribute it.There is NO WARRANTY, to the extent permitted by law.Secret key is available.sec rsa4096/F5EF57A0FB4EF0EF created: 2020-01-10 expires: never usage: C trust: ultimate validity: ultimatessb rsa4096/66F2E45747AB2C90 created: 2020-01-10 expires: 2022-01-09 usage: SThe following key was revoked on 2020-01-13 by RSA key F5EF57A0FB4EF0EF "Shotgun" John, Smith (Main ID) <john.smith@email.com> ssb* rsa4096/9D485C5208D0859F created: 2020-01-10 expires: 2022-01-09 usage: Essb rsa4096/90939A7DBBFC226D created: 2020-01-10 expires: 2022-01-09 usage: A ssb ed25519/16972F736B59F874 created: 2020-01-10 expires: 2022-01-09 usage: S ssb ed25519/D22D6E1FD575E506 created: 2020-01-10 expires: 2022-01-09 usage: A ssb cv25519/25252612A403B41C created: 2020-01-10 expires: 2022-01-09 usage: E [ultimate] (1). "Shotgun" John, Smith <john.smith@company.com>[ultimate] (2) "Shotgun" John, Smith (Main ID) <john.smith@email.com>gpg> Distribute The Primary Key
Distribute The Primary Key
With the subkey is being marked as revoked, you should distribute the update to the keyservers and trustees. For how to distribute is outside of this section coverage. Please refer to "Distribute" in the index section.
That's all for revoking the GPG subkey.
Page updated
Google Sites
Report abuse