7.22. Revoking a Key
Problem
You want to inform a keyserver that a particular public key (of yours) is no longer valid.
Solution
Create a revocation certificate:
$ gpg --gen-revoke --output certificate.asc key_id
Import the certificate:
$ gpg --import certificate.asc
Revoke the key at the keyserver:
$ gpg --keyserver server_name --send-keys key_id
Delete the key (optional):
$ gpg --delete-secret-and-public-key key_id
Warning
THINK CAREFULLY BEFORE DELETING A KEY. Once you delete a key, any files that remain encrypted with this key CANNOT BE DECRYPTED. EVER.
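The recipe's steps, wrapped so that the revocation is verified locally before it is pushed to the keyserver. This is an added example, not code from the Linux Security Cookbook: it parses gpg's machine-readable --with-colons listing (field 1 is the record type, field 2 the validity, field 5 the key ID; a "pub" record with validity "r" carries a revocation signature). The sample listings and the key ID 0123456789ABCDEF are constructed placeholders; the function names are assumptions. One caveat worth knowing before you need it: gpg --gen-revoke needs the secret key and its passphrase, so a certificate for a lost key or a forgotten passphrase can only come from one generated earlier and stored offline (GnuPG 2.1 and later writes one into openpgp-revocs.d under the GnuPG home directory when a key is created).

```shell
#!/bin/sh
# Added example: confirm a key is revoked in the local keyring, then publish.
# Not part of the original recipe; function names are assumptions.

# Read `gpg --with-colons --list-keys` output on stdin and classify the
# primary key. Prints "revoked", "not-revoked" or "missing"; returns 0 only
# when the pub record's validity field (field 2) is "r".
revocation_state() {
    awk -F: '
        $1 == "pub" { seen = 1; if ($2 == "r") revoked = 1 }
        END {
            if (!seen)   { print "missing";     exit 2 }
            if (revoked) { print "revoked";     exit 0 }
            print "not-revoked"; exit 1
        }'
}

# Query the real keyring for one key ID (requires gpg on PATH).
key_is_revoked() {
    gpg --batch --with-colons --list-keys "$1" 2>/dev/null | revocation_state
}

# Recipe steps 2 and 3 with a check in between: import the certificate,
# refuse to publish unless the keyring now shows the key as revoked,
# then send the updated key to the keyserver.
publish_revocation() {
    cert="$1"; key_id="$2"; server="$3"
    gpg --batch --import "$cert" || return 1
    if ! key_is_revoked "$key_id" >/dev/null; then
        echo "refusing to publish: $key_id is not revoked in the local keyring" >&2
        return 1
    fi
    gpg --batch --keyserver "$server" --send-keys "$key_id"
}

# Constructed sample listings (abbreviated colon records; only fields 1, 2
# and 5 are used above). 0123456789ABCDEF is a placeholder key ID.
SAMPLE_REVOKED='pub:r:4096:1:0123456789ABCDEF:1609459200::::::sc::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
rev:::1:0123456789ABCDEF:1640995200::::::30x::::
uid:r::::1609459200::0000000000000000000000000000000000000000::Alice Example <alice@example.org>::::::::::0:'

SAMPLE_VALID='pub:u:4096:1:0123456789ABCDEF:1609459200::::::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1609459200::0000000000000000000000000000000000000000::Alice Example <alice@example.org>::::::::::0:'

# Stand-alone demonstration on the constructed samples (no gpg needed).
printf '%s\n' "$SAMPLE_REVOKED" | revocation_state || true
printf '%s\n' "$SAMPLE_VALID"   | revocation_state || true
```

Against a live keyring the call is `publish_revocation certificate.asc key_id server_name`; it exits non-zero, without contacting the keyserver, if the import did not actually attach a revocation signature to that key.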
Discussion
At times it becomes necessary to stop using a particular key. For example:
Your private key has been lost.
Your private key has been stolen, or you suspect it may have been.
You have forgotten your private key passphrase.
You replace your keys periodically (say, every two years) to enhance security, and this key has expired.
Whatever the reason, it’s time to inform others to stop using the corresponding public key to communicate with you. Otherwise, if the key is lost, you might receive encrypted messages that you can no longer decrypt. Worse, if the key has been stolen or compromised, the thief can read messages encrypted for you.
To tell the world to cease using your key, distribute a revocation certificate for that key: a cryptographically secure digital object that says, “Hey, don’t use this public key anymore!” Once you create the certificate, send it directly to your communication partners or to a keyserver [Recipe 7.19] for ...