How to generate a revocation certificate for your GnuPG / GPG key

Email, Encryption, Fedora, Linux, Other Linux, Security, Shell, Software, Ubuntu, Windows 2 Minutes

Whenever you create a key pair using GNU Privacy Guard, you need to make sure you also generate a revocation certificate for your key. Sometimes, keys are lost, misplaced, deleted, passwords forgotten and so on. To ensure that you revoke the keys you created, you need a revocation certificate. Simply deleting a key file or a key does not help, because by functionality, several of your recipients or email colleagues would have received your public key. And the right approach is to inform everyone that the key has been revoked and you no longer use it. They will then start using your new public key.

$ gpg --gen-revoke john.doe@emaildomain.com <enter>

sec  4096R/3949C65A 2014-11-28 John N. Doe <john.doe@emaildomain.com>

Text to be entered is shown in red below.

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision? 3
Enter an optional description; end it with an empty line:
> For revocation <enter>
> <enter>
Reason for revocation: Key is no longer used
For revocation
Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: "John N. Doe <john.doe@emaildomain.com>"
4096-bit RSA key, ID 3949C65A, created 2014-11-28

ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
Comment: A revocation certificate should follow

There are many random alphabets and number characters here. They are the key in ASCII format.
=DGMM
-----END PGP PUBLIC KEY BLOCK-----

The text in between the —–BEGIN PGP PUBLIC KEY BLOCK—– and —–END PGP PUBLIC KEY BLOCK—– inclusively has to be copied to a file and that file has to be stored in a safe place off the computer. You should store it in a safe place.

Published by Geetu R. Vaswani

Published