It does not, however, say how to revoke your keys using the generated certificate at a later date.
So here’s an overview:
Create a revocation certificate with:
gpg --output ~/myrevoke.asc --gen-revoke your_user_id
The above command generates a revocation certificate and saves it as myrevoke.asc in your home directory. Keep the myrevoke.asc file and guard it: if I get my hands on it, I can revoke your key.
Protect it by:
- Encrypt your revoke cert with gpg -c file. As you are using symmetric encryption with -c, the passphrase is the only key you need. Then burn the encrypted cert to a CD (or two), store them away properly and erase the cert plus any temp files the burning program might have created (also, dd if=/dev/zero of=/partition/of/swap might be a good idea, /dev/urandom for the tin foil hats).
- You can also designate others to generate a revocation certificate for your own key via gpg --desig-revoke (or just hand them a CD with your encrypted revoke cert, if you trust them not to brute-force it).
Thanks to Richih of irc://irc.freenode.net/linuxhelp for help with the above.
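Before you lock the revoke cert away (or later, before you import one), it is worth checking what the file actually is: which key ID it revokes and what reason was recorded. The following is an added Python example, not code from the original post or from GnuPG: it parses the single OpenPGP signature packet that gpg --gen-revoke writes, following the RFC 4880 layout, and runs against a constructed sample certificate whose signature MPI is a dummy (it does not verify the signature itself).

```python
import base64
import struct
REASONS = {0: "no reason", 1: "key superseded", 2: "key compromised", 3: "key retired", 32: "user ID no longer valid"}

def dearmor(text):
    """Base64-decode an ASCII-armored block; armor headers and the =CRC24 line are skipped."""
    lines = iter(text.splitlines())
    next(l for l in lines if l.startswith("-----BEGIN"))   # skip anything before the armor
    next(l for l in lines if not l.strip())                # a blank line ends the armor headers
    return base64.b64decode("".join(l for l in lines if l and l[0] not in "=-"))

def packet_body(pkt):
    """(tag, body) of an old-format packet with a 1- or 2-octet length, as gpg writes signatures."""
    tag, ltype = (pkt[0] >> 2) & 0x0F, pkt[0] & 3
    if pkt[0] & 0xC0 != 0x80 or ltype > 1:
        raise ValueError("unsupported packet header")
    n = pkt[1] if ltype == 0 else struct.unpack(">H", pkt[1:3])[0]
    return tag, pkt[2 + ltype:2 + ltype + n]

def parse_subpackets(data):
    """Map subpacket type -> body (RFC 4880 5.2.3.1; one-octet lengths, enough for a revoke cert)."""
    subs, i = {}, 0
    while i < len(data):
        n = data[i]                                        # length covers the type octet and body
        subs[data[i + 1] & 0x7F] = data[i + 2:i + 1 + n]
        i += 1 + n
    return subs

def inspect_revocation_cert(armored):
    """Say what the certificate would do if imported: which key it revokes and why."""
    tag, body = packet_body(dearmor(armored))
    if tag != 2 or body[0] != 4 or body[1] != 0x20:
        raise ValueError("not a v4 key-revocation signature (type 0x20)")
    hlen = struct.unpack(">H", body[4:6])[0]
    hashed = parse_subpackets(body[6:6 + hlen])                    # covered by the signature
    ulen = struct.unpack(">H", body[6 + hlen:8 + hlen])[0]
    unhashed = parse_subpackets(body[8 + hlen:8 + hlen + ulen])     # issuer lives here, unsigned
    subs = {**unhashed, **hashed}                                   # signed values take precedence
    reason = subs.get(29, b"\x00")
    return {"issuer_key_id": subs[16].hex().upper(),
            "reason": REASONS.get(reason[0], "unknown"),
            "comment": reason[1:].decode("utf-8", "replace")}

# CONSTRUCTED sample: real v4 key-revocation packet layout around a dummy 16-bit signature MPI
_subs = (bytes([5, 2]) + struct.pack(">I", 1262304000)                 # creation time
         + bytes([20, 29, 2]) + b"compromised laptop")                  # reason: key compromised
_body = (bytes([4, 0x20, 1, 8]) + struct.pack(">H", len(_subs)) + _subs + b"\x00\x0a"
         + bytes([9, 16]) + bytes.fromhex("0123456789ABCDEF") + b"\x12\x34\x00\x10\xab\xcd")
_pkt = bytes([0x89]) + struct.pack(">H", len(_body)) + _body           # old-format header, tag 2
SAMPLE_CERT = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: constructed sample\n\n"
               + base64.b64encode(_pkt).decode() + "\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

Run inspect_revocation_cert on your own myrevoke.asc and compare the issuer key ID with gpg --list-keys before you trust the stored copy.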
On a later day, when, like me, you grow suspicious about the integrity of your key pair and want to revoke it using the revocation certificate you already have, do the following:
Import the revocation certificate to revoke the key-pair on your system:
gpg --import ~/myrevoke.asc
The above command assumes that the revocation certificate is named myrevoke.asc and resides in your home directory.
Now send the updated keys to a keyserver near you:
gpg --keyserver pgp.mit.edu --send-keys your_user_id
Now you are all set. Whenever someone refreshes their key database, they will see that the old keys have been revoked.