My scrapbook about almost anything I stumble upon in my tech world. If you find anything useful don't forget to give thumbs-up :)


Wednesday, December 6, 2023

How do we revoke a GPG key?

In the last two posts we learnt how to generate a GPG key and a revocation certificate. The real questions are: how do we use the revocation certificate to actually revoke the key? Once we do, is the key really revoked, so that nobody can use the old key any more? This post is about those questions and their answers :-) So let's dive in - 

Before we proceed, let's assume a few things - 
a. You have a compromised GPG key
b. You have a revocation certificate for the same key 
c. You have published the GPG (public) key on key servers 

Revoking a GPG key is a shared step between you and each receiver. You are responsible for importing the revocation certificate and publishing the revoked key, which tells the world that the key must no longer be used; each receiver then has to refresh your key from the key server (or import the revocation certificate you hand them) so that the copy in their own keyring is marked revoked too. The revocation certificate is just a self-signature on the public key, so until a receiver has imported it their local copy still looks valid and gpg will happily encrypt to it. If either side skips its step, the key is not actually revoked for that receiver. 

Steps to Revoke GPG Key - 

  • The revocation certificate looks somewhat like the one below (the armored key block itself is not shown here) - 

        This is a revocation certificate for the OpenPGP key:
        pub   ed25519 2023-03-29 [S]
        uid          dummy (this is gpg key)
        A revocation certificate is a kind of "kill switch" to publicly
        declare that a key shall not anymore be used.  It is not possible
        to retract such a revocation certificate once it has been published.
        Use it to revoke this key in case of a compromise or loss of
        the secret key.  However, if the secret key is still accessible,
        it is better to generate a new revocation certificate and give
        a reason for the revocation.  For details see the description of
        the gpg command "--generate-revocation" in the GnuPG manual.
        To avoid an accidental use of this file, a colon has been inserted
        before the 5 dashes below.  Remove this colon with a text editor
        before importing and publishing this revocation certificate.
        Comment: This is a revocation certificate
  • As the comment in the revocation certificate says, this is a one-way path: once revoked, it stays revoked. 
  • Remove the colon (:) in front of the five dashes as the instructions say, and save the file.
  • Import the revocation certificate into your keyring - 
      gpg --import REVOKE_CERT_FILE_NAME
  • This revokes the GPG key locally, i.e. in your own keyring only.
  • Send the revoked key to the key server(s). KEYSERVER is a placeholder here; use the server(s) you originally published the key to - 
      # Upload the (now revoked) public key to one or more key servers
      gpg --keyserver hkps://KEYSERVER --send-keys KEYID
  • Your part is done. The next step is for each receiver: they have to re-sync the key from the key server so that the copy stored in their keyring is revoked as well, which can be done via - 
      # Import the revoked key from the key server
      gpg --keyserver hkps://KEYSERVER --recv-keys KEYID
      # or refresh every key in the keyring from the key server in one go
      gpg --keyserver hkps://KEYSERVER --refresh-keys
  • You will see output like the one below when you import the revocation certificate - 

      ❯ gpg --import ~/.gnupg/openpgp-revocs.d/873D8D13C2XXXXXXXXXXXXXXXXXXX734A6PPF87.rev
      gpg: key E99CD734A6PPF87: "dummy (this is gpg key)" revocation certificate imported
      gpg: Total number processed: 1
      gpg:    new key revocations: 1
      gpg: marginals needed: 3  completes needed: 1  trust model: pgp
      gpg: depth: 0  valid:   3  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 3u
      gpg: next trustdb check due at 2024-09-05
  • and this one when you list the same KEYID - 
      ❯ gpg --list-keys 873D8D13C2XXXXXXXXXXXXXXXXXXX734A6PPF87
      pub   ed25519 2023-03-29 [SC] [revoked: 2023-03-29]
      uid           [ revoked] dummy (this is gpg key)

    Keep in mind that a key sent to the traditional (SKS-style) key servers cannot be deleted; it stays listed indefinitely, and so does the revocation once you publish it. You can only revoke your public key and let other users know that it is no longer usable, so that they re-sync it from the key servers. Revocation also does nothing for data already encrypted to the old key: whoever holds the compromised secret key can still decrypt it.



    The postings on this site are my own and don't necessarily represent IBM's or other companies' positions, strategies or opinions. All content provided on this blog is for informational purposes and knowledge sharing only.
    The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. The owner will not be liable for any errors or omissions in this information nor for the availability of this information. The owner will not be liable for any losses, injuries, or damages from the display or use of this information.