Key Revocation
Public key cryptography relies on the long-term security and trustworthiness of private keys. However, situations may arise where a key can no longer be trusted, such as when it is lost, compromised, or no longer needed. In these cases, it is essential to inform others that the key should no longer be used.
A key revocation certificate serves this purpose. It allows the owner (or anyone with the certificate) to mark a public key as revoked—meaning the key is no longer valid for signing or encryption. Publishing a revocation certificate ensures that anyone retrieving the key from a public server or receiving it directly will know that the key is no longer trustworthy.
When to Use Key Revocation
- Key compromise: If you suspect your private key has been stolen or copied by an unauthorized party.
- Key loss: If you permanently lose access to your private key and can no longer control its use.
- Change of ownership or retirement: If you no longer wish to use the key for any reason (e.g., moving to a new key).
- Administrative/security policy: To comply with organization or security policies requiring regular key turnover.
By preparing a revocation certificate in advance, you can quickly react to these situations and help prevent unauthorized or accidental use of outdated or compromised keys.
Generating a Key Revocation Certificate
- Open the Key Details Window: Open the Key Details Dialog, then switch to the Operations tab.
- Select Generate Revocation Certificate: In the dropdown at the bottom labeled Revoke Certificate Operation, choose Generate Revocation Certificate.
- Specify the Revocation Reason: Choose one reason code from the dropdown. Optionally provide free-form text for a more detailed explanation (e.g., lost, compromised).
- Confirm and Save: Click OK, then in the file-save dialog choose a secure local or private location to store the .rev file.
- Backup and Store: Keep the .rev file in a secure offline or encrypted location.
Importing a Key Revocation Certificate
- Open the Key Details Dialog: Navigate again to Key Details → Operations.
- Select “Import Revocation Certificate”: From the Revoke Certificate Operation dropdown, choose Import Revocation Certificate.
- Import the .rev File: In the file-selection dialog, locate and open the previously saved .rev file.
- Verify Revocation: After import, the local key interface will mark the key as revoked. It can no longer be used for signing or decryption.
- Publish to a Public Key Server:

  gpg --keyserver hkps://keyserver.ubuntu.com --send-keys <YOUR_KEY_ID>
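As an added example (not code from the original page or from the application it documents), the Verify Revocation step done from the command line: the script parses `gpg --list-keys --with-colons` output and reports whether the primary key, its user IDs and its subkeys carry the revoked validity flag, so the status can be confirmed before the key is sent to a keyserver. The listing below is constructed sample data, and `local_listing` is a hypothetical helper that assumes `gpg` is on PATH.

```python
"""Check revocation status from `gpg --list-keys --with-colons` output."""
import subprocess

# Field 2 of pub/sub/uid records is the validity code; 'r' means revoked.
VALIDITY = {"r": "revoked", "e": "expired", "d": "disabled",
            "u": "ultimate", "f": "full", "m": "marginal",
            "n": "never", "q": "undefined", "-": "unknown", "": "unknown"}

# Constructed sample listing: one revoked key (primary, uid and subkey all
# flagged 'r') and one still-valid key. Fingerprints/ids are not real keys.
SAMPLE = """\
tru::1:1700000000:0:3:1:5
pub:r:255:22:0123456789ABCDEF:1700000000::-:::cSC:::::ed25519:::0:
fpr:::::::::00112233445566778899AABB0123456789ABCDEF:
uid:r::::1700000000::DEADBEEF00112233445566778899AABB::Alice Example <alice@example.invalid>::::::::::0:
sub:r:255:18:FEDCBA9876543210:1700000000::::::e:::::cv25519::
fpr:::::::::FFEEDDCCBBAA998877665544FEDCBA9876543210:
pub:u:3072:1:1122334455667788:1700000000::u:::scESC::::::23::0:
fpr:::::::::AABBCCDDEEFF0011223344551122334455667788:
uid:u::::1700000000::0011223344556677889900AABBCCDDEE::Bob Example <bob@example.invalid>::::::::::0:
"""


def revocation_status(listing: str) -> dict:
    """Return {primary_keyid: {status, fingerprint, uids, subkeys}}."""
    keys, current = {}, None
    for line in listing.splitlines():
        f = line.split(":")
        rec = f[0]
        if rec == "pub":                      # start of a new primary key
            current = keys.setdefault(f[4], {
                "status": VALIDITY.get(f[1], "unknown"),
                "fingerprint": None, "uids": [], "subkeys": {}})
        elif current is None:                 # e.g. the leading 'tru' record
            continue
        elif rec == "fpr" and current["fingerprint"] is None:
            current["fingerprint"] = f[9]     # first fpr after pub = primary
        elif rec == "uid":
            current["uids"].append((f[9], VALIDITY.get(f[1], "unknown")))
        elif rec == "sub":
            current["subkeys"][f[4]] = VALIDITY.get(f[1], "unknown")
    return keys


def is_revoked(listing: str, keyid: str) -> bool:
    """True when the primary key matching keyid (long or short) is revoked."""
    for kid, info in revocation_status(listing).items():
        if kid.endswith(keyid.upper()):
            return info["status"] == "revoked"
    raise KeyError(f"key {keyid} not found in listing")


def local_listing(keyid: str) -> str:
    """Hypothetical helper: fetch the live listing from the local gpg keyring."""
    return subprocess.run(["gpg", "--list-keys", "--with-colons", keyid],
                          check=True, capture_output=True, text=True).stdout
```

Running `is_revoked(local_listing("<YOUR_KEY_ID>"), "<YOUR_KEY_ID>")` after the import step should return True; only then does the `--send-keys` publication make sense.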
Best Practices
- Prepare in Advance: Generate and back up the revocation certificate before any key may be lost or compromised.
- Secure Storage: Keep the revocation .rev file offline or in encrypted media to prevent unauthorized revocation.
- Notify & Synchronize: After publishing the revocation, inform peers or document the change so everyone refreshes the key status promptly.