Tuesday, July 16, 2013

How to generate a revocation certificate in GPG

It surprises me how many people use PGP and GPG without ever creating a revocation certificate. These are the same people who wreak havoc on mailing lists when they either lose their private key or forget their passphrase and can no longer use the key. I know it wreaks havoc because I've been one of those people and, trust me, it's not a fun position to be in. People get irritated and it always brings up questions when you try to submit a new key.

Generating a revocation certificate in GPG (and I assume it's a similar process for PGP proper) is fairly easy. Here is the process:

$ gpg --output revocation-certificate.asc --gen-revoke 86C30530

sec  1024D/86C30530 2006-10-23 Your Name

Create a revocation certificate for this key? (y/N) y

Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)

Your decision? 0

Enter an optional description; end it with an empty line:

Reason for revocation: No reason specified
(No description given)

Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: "Your Name "
1024-bit DSA key, ID 86C30530, created 2006-10-23

ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!

It's really important that you take the warning GPG prints out at the end seriously. Protect your revocation certificate with the same care with which you protect your private key and passphrase. Anyone who has your certificate can revoke your key and make it unusable.

What happens if you lose your private key or it's compromised?

If you ever need to revoke your key, for example because you've lost your passphrase or your key has been compromised, simply import the revocation certificate into your keyring and then send your (now revoked) public key to your contacts and to the keyservers. When your contacts import the updated key into their keyrings, it will show as revoked and become unusable. Just remember though: ANYONE with this certificate can revoke your key, so keep it safe!
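As an added example (this is not code from the original post), here is the same --gen-revoke session driven from a script, followed by the checks I would run before locking the certificate away and the import step from the section above. It assumes GnuPG 2.1 or later (for --pinentry-mode loopback); the key ID, file names, reason code and description text are placeholders you supply. Note that GnuPG 2.1 and later also write a certificate automatically into openpgp-revocs.d under your GNUPGHOME when a key is created; this script reproduces the explicit step for older keys or for a different reason code.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes GnuPG >= 2.1.
# Every argument below (key ID, file names, reason, passphrase) is a placeholder.
set -u

# Generate a revocation certificate without answering the prompts by hand.
# $1 = key ID or fingerprint, $2 = output file, $3 = reason code
# (0 = no reason, 1 = compromised, 2 = superseded, 3 = no longer used),
# $4 = passphrase of the secret key (empty string for a key without one).
# --command-fd 0 makes gpg read the answers from stdin in the same order the
# interactive session asks them: confirm, reason code, description lines,
# empty line to end the description, final confirmation. --gen-revoke refuses
# to run under --batch, which is why the answers are fed this way instead.
gen_revocation_cert() {
    keyid=$1; outfile=$2; reason=$3; passphrase=$4
    printf 'y\n%s\nGenerated in advance and stored offline\n\ny\n' "$reason" |
        gpg --no-tty --command-fd 0 --status-fd 2 --yes \
            --pinentry-mode loopback --passphrase "$passphrase" \
            --output "$outfile" --gen-revoke "$keyid"
}

# Cheap sanity check that needs no gpg: the file is an ASCII-armored block.
# A revocation certificate is armored as a "PGP PUBLIC KEY BLOCK".
looks_like_armored_cert() {
    head -n 1 "$1" | grep -q '^-----BEGIN PGP PUBLIC KEY BLOCK-----$' &&
        grep -q '^-----END PGP PUBLIC KEY BLOCK-----$' "$1"
}

# The real check: the file must contain a signature packet of class 0x20,
# which is the OpenPGP key-revocation signature. Run this before you print
# the certificate and hide it away, so you know the paper copy is worth it.
is_revocation_cert() {
    gpg --no-tty --list-packets "$1" 2>/dev/null | grep -q 'sigclass 0x20'
}

# The "what happens if" step: importing the certificate revokes the key in
# your own keyring. Then export the now-revoked public key into a file you
# can mail to contacts. Publishing to keyservers with
#   gpg --send-keys "$keyid"
# is deliberately left out of this function because it needs network access.
revoke_key_locally() {
    keyid=$1; certfile=$2; exportfile=$3
    gpg --no-tty --import "$certfile" 2>/dev/null &&
        gpg --no-tty --armor --export "$keyid" > "$exportfile"
}

# In --with-colons output the second field of the pub line is the validity;
# it reads 'r' once the key is revoked.
key_is_revoked() {
    gpg --no-tty --with-colons --list-keys "$1" 2>/dev/null | grep -q '^pub:r:'
}

# Typical use (placeholders): generate, verify, then store the file offline.
#   gen_revocation_cert 86C30530 revocation-certificate.asc 1 "$MY_PASSPHRASE"
#   looks_like_armored_cert revocation-certificate.asc &&
#       is_revocation_cert revocation-certificate.asc && echo "certificate OK"
```

The pipeline feeds exactly the answers the transcript above shows; if you change the reason code, the description lines or the number of confirmations, keep the order the same or gpg will treat the wrong line as the answer to a prompt. The two check functions are worth running on the copy you actually intend to keep, not just the one you generated, since a truncated or corrupted file is useless on the day you need it.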

