Contact

Subscribe via Email

Subscribe via RSS

Categories

Creative Commons Attribution 4.0 International License
© Rakhesh Sasidharan

Elsewhere

New GPG key, revoking old keys, etc

I decided to create a new GPG key for myself. My first key (created using PGP) is from 1999 while at University. This key (ID 15E7AC77) is associated with one of my older email accounts rakhesh.sasi@bigfoot.com. I don’t have that key any more, nor did I set an expiry on it or create a revocation certificate, so the key is still active but not used by me. I don’t use that email address either.

My next key (again created using PGP) is from 2001 while at my first job. This key (ID 12D101F1) is associated with my work email from that time. Again, I don’t have that key any more, nor did I set an expiry on it or create a revocation certificate, so the key is still active but not used by me. I don’t have access to that work email address either.

My third key (created using GPG) is from 2007. This key (ID C7A2DC31) is active, but I don’t use it much. Thankfully I had a copy of the key with me and I remember its password (a good thing since I was dumb enough not to create a revocation certificate again), so I created a revocation certificate for it today and revoked it.

Today I made my fourth key (using GPG). This key (ID 2673D9BF) is what I plan on using going forward. I have added all my usual email addresses to it and also uploaded it to keys.gnupg.net from where it should replicate to other servers.

It’s been a while since I used GPG so here are some notes to myself on how to get things done with it. Most of these can be accomplished using the Kleopatra GUI that’s bundled with GPG.

Sending keys to the public key servers

The keys.gnupg.net is actually just an endpoint for a collection of servers.

Refreshing keys from the public key servers

Editing a key

At this prompt I can type a ? to get a list of sub-commands. For instance:

  • list – list all the IDs in the key,
  • adduid – add a new ID,
  • uid – select an ID (useful to perform an operation on the ID),
  • deluid – delete the selected ID,
  • revuid – revoke the selected ID (do this instead of deleting when it’s one of your own keys/ IDs),
  • primary – mark the selected ID as primary (useful when you have many IDs and you want to mark one as primary), and
  • addrevoker – add a revocation key.

Creating a revocation certificate

This creates a revocation certificate. Without the --output switch the certificate is output to the screen (ASCII armored). With the switch and the file name following it, the certificate is output to that file.

Note: If you want to revoke an individual ID in your key, there’s no need to do the above. Use the revuid command as in the previous section. It is, however, a good idea to create a revocation certificate for each of your keys and store it someplace safe. This way if you lose the private key or forget the password, you can always use the revocation certificate to revoke that key. The revocation certificate is like your fail-safe switch in case the private key is lost.

To actually revoke a key, import the revocation certificate as in the next section. And then send the key to the public key servers as in the first section.

Importing a key

You can skip the file name, in which case you will be prompted to copy-paste the key.

That’s more or less the basic stuff. Most of these can be done via the Kleopatra GUI. Stuff you can’t do via the GUI include creating a revocation certificate or revoking a particular ID.