IAS Security Hero

Creating a revocation key

IMPORTANT: if you want to revoke only a subkey, read these instructions.

One important part of having a GnuPG/PGP key is being able to revoke it in case it is lost or compromised, or you lose your passphrase. It is also important for your company to be able to revoke your key if your employment ends. Without this ability, an ex-employee would be able to continue using their key after leaving the company.

The easiest way to create your revocation key is via the command line. Here is a sample session on the Windows command line (Start->Run->cmd). The instructions are the same on a Unix operating system (using the gpg command instead of gpg.exe).

Once you have created your revocation key file (here it is bepstein_revocation_key.asc), back it up in a safe place (the same place you back up your secret key is fine). Anyone holding this file can revoke your key at any time, so be careful with it. If this is a business-only key, please forward a copy (via encrypted email) to bepstein@ias.edu.

These instructions are for Windows, but will work basically the same under Linux.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS>cd "\Program Files\GNU\GnuPG"

C:\Program Files\GNU\GnuPG>gpg --gen-revoke bepstein@ias.edu > bepstein_revocation_key.asc

sec  1024D/0371C12A 2006-09-22 Brian Epstein <bepstein@ias.edu>

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)
Your decision? 3
Enter an optional description; end it with an empty line:
> Generic revocation key

>
Reason for revocation: Key is no longer used
Generic revocation key
Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: "Brian Epstein <bepstein@ias.edu>"
1024-bit DSA key, ID 0371C12A, created 2006-09-22

ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!

C:\Program Files\GNU\GnuPG>more < bepstein_revocation_key.asc
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.5 (MingW32)
Comment: A revocation certificate should follow

Tm8gdGhpcyBpc24ndCByZWFsbHkgbXkgcmV2b2NhdGlvbiBrZXkuICB
JJ20gbm90IHRoYXQgc2lsbHkuCg==

-----END PGP PUBLIC KEY BLOCK-----
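Before filing the .asc file away, it is worth confirming that it is intact and really is a revocation certificate. The following is an added example (not part of this page or of GnuPG): a small Python checker that strips the armor, verifies the CRC24 trailer so that a damaged backup is noticed now rather than when you need it, and reads back the signature type (0x20 revokes the whole key, 0x28 only a subkey) together with the reason code chosen from the menu above. The sample certificate it parses is constructed inside the block with dummy signature values, and is not taken from the session shown.

```python
import base64
# Reason codes offered by gpg --gen-revoke (RFC 4880 subpacket type 29)
REASONS = {0: "No reason specified", 1: "Key has been compromised",
           2: "Key is superseded", 3: "Key is no longer used"}
def crc24(data):  # OpenPGP armor checksum, RFC 4880 section 6.1
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def armor(raw):  # wrap packet bytes the way gpg's --gen-revoke output looks
    b64 = base64.b64encode(raw).decode()
    crc = "=" + base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----",
                      "Comment: A revocation certificate should follow", ""]
                     + [b64[i:i + 64] for i in range(0, len(b64), 64)]
                     + [crc, "-----END PGP PUBLIC KEY BLOCK-----"])

def dearmor(text):  # strip the armor, verify the CRC24 trailer, return the packet bytes
    lines = [l.rstrip() for l in text.splitlines()]
    begin = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP"))
    body = lines[begin + 1:next(i for i, l in enumerate(lines) if l.startswith("-----END PGP"))]
    data = [l for l in body[body.index("") + 1:] if l]   # armor headers end at the blank line
    raw = base64.b64decode("".join(data[:-1]))            # last data line is the "=XXXX" trailer
    if int.from_bytes(base64.b64decode(data[-1][1:]), "big") != crc24(raw):
        raise ValueError("armor CRC24 mismatch: the certificate file is damaged")
    return raw

def parse_revocation(raw):  # old-format packet header, which is what gpg writes for signatures
    tag, ltype = (raw[0] >> 2) & 0x0F, raw[0] & 3
    length, pos = (raw[1], 2) if ltype == 0 else (int.from_bytes(raw[1:3], "big"), 3)
    pkt = raw[pos:pos + length]
    if raw[0] & 0x40 or ltype > 1 or tag != 2 or pkt[0] != 4:
        raise ValueError("not an old-format v4 signature packet")
    info = {"sig_type": pkt[1], "reason": None, "description": ""}  # 0x20 = key, 0x28 = subkey
    sub, i = pkt[6:6 + int.from_bytes(pkt[4:6], "big")], 0          # hashed subpacket area
    while i < len(sub):                                              # each is [len][type][body]
        if sub[i + 1] & 0x7F == 29:                                  # 29 = reason for revocation
            info["reason"], info["description"] = sub[i + 2], sub[i + 3:i + 1 + sub[i]].decode()
        i += 1 + sub[i]
    return info
def build_sample_certificate():  # constructed sample; the signature MPIs are dummies
    reason = bytes([3]) + b"Generic revocation key"          # code 3 + the description typed above
    hashed = bytes([len(reason) + 1, 29]) + reason           # one subpacket of type 29
    body = (b"\x04\x20\x11\x02" + len(hashed).to_bytes(2, "big") + hashed   # v4, 0x20, DSA, SHA-1
            + b"\x00\x00" + b"\xab\xcd" + b"\x00\x08\x2a" * 2)   # no unhashed area, hash prefix, r, s
    return armor(bytes([0x88, len(body)]) + body)            # 0x88 = tag 2, one-byte length
```

To check a real file, read it as text and call parse_revocation(dearmor(text)); a sig_type of 0x28 means the file revokes only a subkey, not the whole key.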

If you ever need to permanently revoke your key, simply import the revocation certificate into your keyring and send the key to the keyserver. Be careful: once a key is revoked, you cannot go back. You must create a new key at that point and go through the key signing process again.