Revoking a PGP key

Using the command line:

I use PGP with my emails mostly to sign them with a digital signature. For various reasons I had to create a new PGP key and revoke my previous key (0x43687201) on public key servers such as pgp.mit.edu. Key revocation might be necessary for many reasons; someone might lose their laptop, for example. Hence it is wise to create a revocation certificate just after the key is generated. I generated it with the following command:

$ gpg --gen-revoke 43687201

A revocation certificate indicates that the respective key is compromised, superseded or no longer used. Generating one only needs the passphrase, and then an ASCII-armoured key block is printed out. Paste this text into a file. In my case, it looked like this:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (MingW32)
Comment: A revocation certificate should follow

[armored certificate body omitted]
=ceP0
-----END PGP PUBLIC KEY BLOCK-----

If you have a backup of your original key pair (which is always recommended), you can generate the revocation certificate any time later. However, I generate it as soon as I create my key and keep a backup of the original key pair as well as the revocation certificate.

Anyway, as this was my new computer, I first imported my public key using the following command:

$ gpg --recv-keys 43687201
gpg: requesting key 43687201 from hkps server hkps.pool.sks-keyservers.net
gpg: key 43687201: public key "Md. Abdul Awal <awal.ece@gmail.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

Now I need to import my revocation certificate as well, using the command:

$ gpg --import [path/location of the revocation certificate]
gpg: key 43687201: "Md. Abdul Awal <awal.ece@gmail.com>" revocation certificate imported
gpg: Total number processed: 1
gpg:    new key revocations: 1
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2018-07-03

After that, I issued the following command to push the revoked key to the MIT key server:

$ gpg --keyserver pgp.mit.edu --send-keys 43687201
gpg: sending key 43687201 to hkp server pgp.mit.edu

I can now check the status of the key on pgp.mit.edu; it shows *** KEY REVOKED ***.
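The whole workflow above can be rehearsed offline before touching a real key or a keyserver. The script below is an added example, not part of the original post: it builds a throwaway keyring, generates a test key and its revocation certificate with --gen-revoke (answering the interactive prompts through --command-fd), imports the certificate, and then checks GnuPG's own view of the key with --list-keys --with-colons, where a revoked key carries an "r" in the validity field. It assumes GnuPG 2.1 or later is installed as gpg; the identity "Revocation Demo <demo@example.invalid>" is constructed. It also uses the full fingerprint rather than the 8-hex-digit short id shown in the post, since short ids are easy to collide.

```shell
#!/bin/sh
# Added example (not from the original post): rehearse the revocation
# workflow in a throwaway keyring and verify that GnuPG really regards
# the key as revoked before anything is pushed to a keyserver.
# Assumes GnuPG 2.1+ is installed as `gpg`. The identity is constructed.
set -eu

# Nothing to demonstrate without GnuPG on the machine.
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed"; exit 0; }

# Throwaway keyring so the real ~/.gnupg is never touched.
GNUPGHOME="$(mktemp -d)"
export GNUPGHOME
chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

# 1. Create a test key. %no-protection means no passphrase, so the script
#    runs unattended; a real key should of course be protected.
gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Revocation Demo
Name-Email: demo@example.invalid
Expire-Date: 0
%commit
EOF

# Full fingerprint of the key just created (first `fpr:` line, field 10).
FPR="$(gpg --list-secret-keys --with-colons | awk -F: '/^fpr:/ { print $10; exit }')"

# 2. Generate the revocation certificate right away, as the post recommends.
#    --gen-revoke is interactive; the answers are fed through --command-fd:
#      y   -> create a revocation certificate for this key
#      0   -> reason: "No reason specified"
#      ""  -> empty line ends the optional description
#      y   -> confirm
printf 'y\n0\n\ny\n' \
  | gpg --no-tty --command-fd 0 --status-fd 2 --armor \
        --output "$GNUPGHOME/revoke.asc" --gen-revoke "$FPR"
chmod 600 "$GNUPGHOME/revoke.asc"   # as sensitive as the secret key itself

# Reports GnuPG's view of a key: in --with-colons output the second field
# of the `pub:` line is `r` once a revocation certificate is present.
# Prints "revoked" or "active".
revocation_status() {
    if gpg --list-keys --with-colons "$1" | grep -q '^pub:r:'; then
        echo revoked
    else
        echo active
    fi
}

# 3. A fresh key is still active.
BEFORE="$(revocation_status "$FPR")"

# 4. Importing the certificate is what marks the key as revoked locally.
gpg --quiet --import "$GNUPGHOME/revoke.asc"
AFTER="$(revocation_status "$FPR")"

echo "before import: $BEFORE, after import: $AFTER"

# 5. Only now would the revoked key be published, as the post does:
#      gpg --keyserver pgp.mit.edu --send-keys "$FPR"
#    (left out here so the example stays offline).
```

Running it prints "before import: active, after import: revoked". The same revocation_status check is worth running against your real key after the import step and again after fetching the key back from the keyserver, since a successful --send-keys does not by itself prove that the server merged the revocation.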

By the way, my new key is 0x94E4C396.


Using the web interface of a public key server:

An alternative (if your revocation certificate is an ASCII-armored file rather than a binary one) is to use the web interface of any keyserver of your choice (MIT, Ubuntu, etc.), where you can paste the revocation certificate directly.
