June 2003
Intermediate to advanced
336 pages
8h 54m
English
Content preview from Linux Security CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
7.22. Revoking a Key
Problem
You want to inform a keyserver that a particular public key (of yours) is no longer valid.
Solution
Create a revocation certificate:
$ gpg --gen-revoke --output certificate.asc
key_idImport the certificate:
$ gpg --import certificate.asc
Revoke the key at the keyserver:
$ gpg --keyserver
server_name--send-keyskey_idDelete the key (optional)
$ gpg --delete-secret-and-public-key
key_id
Warning
THINK CAREFULLY BEFORE DELETING A KEY. Once you delete a key, any files that remain encrypted with this key CANNOT BE DECRYPTED. EVER.
Discussion
At times it becomes necessary to stop using a particular key. For example:
Your private key has been lost.
Your private key has been stolen, or you suspect it may have been.
You have forgotten your private key passphrase.
You replace your keys periodically (say, every two years) to enhance security, and this key has expired.
Whatever the reason, it’s time to inform others to stop using the corresponding public key to communicate with you. Otherwise, if the key is lost, you might receive encrypted messages that you can no longer decrypt. Worse, if the key has been stolen or compromised, the thief can read messages encrypted for you.
To tell the world to cease using your key, distribute a revocation certificate for that key: a cryptographically secure digital object that says, “Hey, don’t use this public key anymore!” Once you create the certificate, send it directly to your communication partners or to a keyserver [Recipe 7.19] for ...