Revoking a GPG Key Pair

The Gnu Privacy Handbook stresses the importance of creating a revocation certificate for your gpg keys soon after you create your key-pair(s).

Update: the official FAQ lists the following, too, more or less. Why is it that you always find what you were looking for after the event?

It does not, however, say how to revoke your keys using the generated certificate at a later date.

So here’s an overview:

Create a revocation certificate by:
gpg --output ~/myrevoke.asc --gen-revoke your_user_id
The above command will generate a revocation certificate and save it as myrevoke.asc in your home directory. Keep the myrevoke.asc file and guard it: anyone who gets their hands on it, me included, can revoke your key-pair.

Protect it by:

  • Encrypting your revocation certificate with gpg -c file. Since -c is symmetric encryption, the passphrase is the only key you need. Then burn the encrypted file to a CD (or two), store them away properly and erase the unencrypted copy plus any temp files the burning program might have created (also, dd if=/dev/zero of=/partition/of/swap might be a good idea, /dev/urandom for the tin foil hats).
  • Enabling others to generate revocation certificates for your own key via gpg --desig-revoke (or just hand them a CD with your encrypted revocation certificate, if you trust them not to brute-force it).

Thanks to Richih of irc://irc.freenode.net/linuxhelp for help with the above.

On a later day, when (like me) you grow suspicious about the integrity of your key-pair and want to revoke it using the revocation certificate you already have, do the following:

Import the revocation certificate to revoke the key-pair on your system:
gpg --import ~/myrevoke.asc
The above command assumes that the revocation certificate is named myrevoke.asc and resides in your home directory.

Now send the updated keys to a keyserver near you:
gpg --keyserver pgp.mit.edu --send-keys your_user_id

Now you are all set. Whenever someone refreshes their key database from the keyserver, they will see that the old keys have been revoked.
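The whole procedure above, end to end, as an added example that is not from the original post or from GnuPG's own documentation. It assumes GnuPG 2.1 or later (gpg and gpgconf on the PATH), runs inside a throwaway GNUPGHOME so your real keyring is never touched, and uses a constructed demo user id, passphrase and file names; the step numbers in the comments follow the steps of this post.

```shell
#!/bin/sh
# Added example (not from the original post): the revocation-certificate
# lifecycle described above, run end to end inside a throwaway GNUPGHOME so
# your real keyring is never touched. Assumes GnuPG 2.1+ (gpg, gpgconf).
# The user id, passphrase and file names below are constructed for the demo.
set -eu

export GNUPGHOME="$(mktemp -d)"     # throwaway keyring; rm -rf it when done
chmod 700 "$GNUPGHOME"

DEMO_EMAIL="revoke-demo@example.invalid"        # constructed
CERT_PW="correct horse battery staple"          # constructed demo passphrase
REVOKE_PLAIN="$GNUPGHOME/myrevoke.asc"          # same file name as in the post
REVOKE_ENC="$GNUPGHOME/myrevoke.asc.gpg"

# Step 0: unattended creation of a demo key. %no-protection gives it an
# empty passphrase so nothing in the demo needs a pinentry; a real key
# would be protected and --gen-revoke would prompt for its passphrase.
make_demo_key() {
    cat >"$GNUPGHOME/params" <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Revocation Demo
Name-Email: $DEMO_EMAIL
Expire-Date: 0
%commit
EOF
    gpg --batch --quiet --gen-key "$GNUPGHOME/params"
}

# Fingerprint of the demo key: field 10 of the 'fpr' record in --with-colons output.
demo_fpr() {
    gpg --list-keys --with-colons "$DEMO_EMAIL" | awk -F: '/^fpr:/ { print $10; exit }'
}

# Step 1: gpg --gen-revoke is interactive. --command-fd 0 feeds its answers
# from stdin: y (create it), 1 (reason: key compromised), an empty
# description line, y (confirm). Output is ASCII-armoured by default.
make_revocation_cert() {
    printf 'y\n1\n\ny\n' | gpg --no-tty --command-fd 0 --status-fd 2 \
        --output "$REVOKE_PLAIN" --gen-revoke "$(demo_fpr)"
}

# Step 2: protect the certificate with symmetric encryption (gpg -c) and
# get rid of the plaintext copy (use shred -u instead of rm where available).
protect_revocation_cert() {
    gpg --batch --yes --pinentry-mode loopback --passphrase "$CERT_PW" \
        --output "$REVOKE_ENC" --symmetric "$REVOKE_PLAIN"
    rm -f "$REVOKE_PLAIN"
}

# Step 3 (the later day): decrypt the certificate and import it, which
# marks the key as revoked in the local keyring.
revoke_with_cert() {
    gpg --batch --yes --pinentry-mode loopback --passphrase "$CERT_PW" \
        --output "$REVOKE_PLAIN" --decrypt "$REVOKE_ENC"
    gpg --batch --quiet --import "$REVOKE_PLAIN"
}

# Validity flag of the primary key: field 2 of the 'pub' record, 'r' once revoked.
key_validity() {
    gpg --list-keys --with-colons "$(demo_fpr)" | awk -F: '/^pub:/ { print $2; exit }'
}

# Step 4: publish the revoked key. Defined but not called below, since it
# needs network access; the keyserver defaults to the one used in the post.
send_revocation() {
    gpg --keyserver "${1:-pgp.mit.edu}" --send-keys "$(demo_fpr)"
}

run_demo() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not installed; nothing to demonstrate" >&2
        return 0
    fi
    make_demo_key
    printf 'before import: validity=%s\n' "$(key_validity)"
    make_revocation_cert
    protect_revocation_cert
    revoke_with_cert
    printf 'after import:  validity=%s\n' "$(key_validity)"
    gpgconf --kill gpg-agent
}

run_demo
```

Two things worth knowing when you do this for real. GnuPG 2.1 and later already write a revocation certificate for every new key into openpgp-revocs.d/<fingerprint>.rev under GNUPGHOME, with a leading colon on its first armor line so that it cannot be imported by accident; remove that colon before importing it, or generate your own certificate with --gen-revoke as above. And a revocation imported into your own keyring tells nobody else anything until the revoked key reaches a keyserver or the people you correspond with, which is why the --send-keys step is not optional.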


3 Responses to Revoking a GPG Key Pair

  1. Richih says:

    As the one who helped you do this, I would like to point out two important additions:

    1) Encrypt your revoke cert with gpg -c file. As you are using symmetric encryption with -c, the password is the only key you need. Then, burn the key on a cd (or two), store them away properly and erase the key plus any temp files the burning program might have created (also, dd if=/dev/zero of=/partition/of/swap might be a good idea, /dev/urandom for the tin foil hats)

    2) You can enable others to generate revocation keys for your own private key via gpg --desig-revoke (or just hand them a cd with your encrypted revoke cert if you trust them not to brute-force it ;)

    RichiH

  2. Zwack says:

    But… If you forget your passphrase and want to revoke your key, surely you need to be able to decrypt the revocation certificate. If you can’t remember your passphrase what chance do you have of remembering the key used for your revocation certificate?

    Actually, I can remember my passphrase, just not the right one.

    Z.

  3. admin says:

    The revocation certificate does not need to be deciphered using a key. That is what it is, a key to unlock and destroy the old keypair.