mirror of
https://pagure.io/fedora-docs/quick-docs.git
synced 2024-11-30 23:38:18 +00:00
45 lines
1.9 KiB
Text
45 lines
1.9 KiB
Text
[[revoking-gpg-keys]]
|
|
= GPG Key Revocation
|
|
|
|
When you revoke a key, you withdraw it from public use.
|
|
_You should only have to do this if it is compromised or lost, or you forget the passphrase._
|
|
|
|
[[generating-a-revocation-certificate]]
|
|
== Generating a Revocation Certificate
|
|
|
|
When you create the key pair you should also create a key revocation certificate.
|
|
If you later issue the revocation certificate, it notifies others that the public key is not to be used.
|
|
Users may still use a revoked public key to verify old signatures, but not encrypt messages.
|
|
As long as you still have access to the private key, messages received previously may still be decrypted.
|
|
If you forget the passphrase, you will not be able to decrypt messages encrypted to that key.
|
|
|
|
----
|
|
gpg --output revoke.asc --gen-revoke KEYNAME
|
|
----
|
|
|
|
If you do not use the `--output` flag, the certificate will print to standard output.
|
|
|
|
For `KEYNAME`, substitute either the key ID of your primary keypair or any part of a user ID that identifies your keypair.
|
|
Once you create the certificate (the `revoke.asc` file), you should protect it.
|
|
If it is published by accident or through the malicious actions of others, the public key will become unusable.
|
|
It is a good idea to write the revocation certificate to secure removable media or print out a hard copy for secure storage to maintain secrecy.
|
|
|
|
[[revoking-a-key]]
|
|
== Revoking a key
|
|
|
|
. Revoke the key locally:
|
|
+
|
|
----
|
|
gpg --import revoke.asc
|
|
----
|
|
+
|
|
Once you locally revoke the key, you must send the revoked certificate to a keyserver, regardless of whether the key was originally issued in this way.
|
|
Distribution through a server helps other users to quickly become aware the key has been compromised.
|
|
|
|
. Export to a keyserver with the following command:
|
|
+
|
|
----
|
|
gpg --keyserver hkp://pgp.mit.edu --send-keys KEYNAME
|
|
----
|
|
+
|
|
For `KEYNAME`, substitute either the key ID of your primary keypair or any part of a user ID that identifies your keypair.
|