7.22. Revoking a Key

Problem

You want to inform a keyserver that a particular public key (of yours) is no longer valid.

Solution

  1. Create a revocation certificate:

    $ gpg --gen-revoke --output certificate.asc key_id
  2. Import the certificate:

    $ gpg --import certificate.asc
  3. Revoke the key at the keyserver:

    $ gpg --keyserver server_name --send-keys key_id
  4. Delete the key (optional)

    $ gpg --delete-secret-and-public-key key_id

Warning

THINK CAREFULLY BEFORE DELETING A KEY. Once you delete a key, any files that remain encrypted with this key CANNOT BE DECRYPTED. EVER.

Discussion

At times it becomes necessary to stop using a particular key. For example:

  • Your private key has been lost.

  • Your private key has been stolen, or you suspect it may have been.

  • You have forgotten your private key passphrase.

  • You replace your keys periodically (say, every two years) to enhance security, and this key has expired.

Whatever the reason, it’s time to inform others to stop using the corresponding public key to communicate with you. Otherwise, if the key is lost, you might receive encrypted messages that you can no longer decrypt. Worse, if the key has been stolen or compromised, the thief can read messages encrypted for you.

To tell the world to cease using your key, distribute a revocation certificate for that key: a cryptographically secure digital object that says, “Hey, don’t use this public key anymore!” Once you create the certificate, send it directly to your communication partners or to a keyserver [Recipe 7.19] for ...

Get Linux Security Cookbook now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.