This site is now 100% read-only, and retired.

Generating a revocation certificate with gpg

Posted by JoshTriplett on Tue 24 Oct 2006 at 09:26

If your GPG private key becomes compromised, you need to revoke it to warn others not to trust future signatures or encrypt data to your public key. However, by the time a key compromise happens, you might not have your GPG key available, such as if it resided on hardware stolen from you, or the attacker removed it after accessing it. This article shows you how to generate and preserve a revocation certificate now, before you actually need it.

A revocation certificate consists of a signed message, stating in machine-readable form that a key no longer has validity for future cryptographic operations. To generate a revocation certificate for a key, use the --gen-revoke option to gpg, passing it the key ID of the key you want a revocation certificate for. You should also supply the --output option to specify where to put the certificate. The exchange with gpg looks like this:

$ gpg --output revocation-certificate.asc --gen-revoke 86C30530

sec  1024D/86C30530 2006-10-23 Your Name <your.email@example.org>

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)
Your decision? 0
Enter an optional description; end it with an empty line:
>
Reason for revocation: No reason specified
(No description given)
Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: "Your Name <your.email@example.org>"
1024-bit DSA key, ID 86C30530, created 2006-10-23

ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!

Heed gpg's warning here: anyone with this certificate can revoke your private key. I recommend printing it out and storing it in a secure location. You could also burn it to a CD and store the CD in a secure location.

If the worst happens, and you need to revoke your key, obtain the revocation certificate, and import it into gpg:

$ gpg --import revocation-certificate.asc
gpg: key 86C30530: "Your Name <your.email@example.org>" revocation certificate imported
gpg: Total number processed: 1
gpg:    new key revocations: 1
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
You can now observe the key revocation via --list-keys with your key ID:
$ gpg --list-keys 86C30530
pub   1024D/86C30530 2006-10-23 [revoked: 2006-10-23]
uid                  Your Name <your.email@example.org>
In order for others to see the revocation, you should send the revoked key to a keyserver, with
gpg --send-keys 86C30530

For more information on using gpg, the GNU Privacy Guard, see the GNU Privacy Handbook.

 

 


Re: Generating a revocation certificate with gpg
Posted by Anonymous (159.46.xx.xx) on Thu 31 Jan 2008 at 14:56
It might be a good idea to actually print the revocation certificate on paper and store it in a safe place. One reason for revoking your private key is that it is destroyed because of a hard disk crash and you have no backup. If your revocation certificate was on the same disk, you cannot use that anymore, too. A revocation certificate is only a couple of lines, and you will not use it very often ;-) so the burden of copying it from paper to file is bearable.

[ Parent ]

Re: Generating a revocation certificate with gpg
Posted by JoshTriplett (66.93.xx.xx) on Thu 31 Jan 2008 at 16:53
It might be a good idea to actually print the revocation certificate on paper and store it in a safe place.
Agreed entirely, and I mentioned that in the article:
I recommend printing it out and storing it in a secure location. You could also burn it to a CD and store the CD in a secure location.

[ Parent ]