New GPG key, revoking old keys, etc

I decided to create a new GPG key for myself. My first key (created using PGP) is from 1999 while at University. This key (ID 15E7AC77) is associated with one of my older email accounts rakhesh.sasi@bigfoot.com. I don’t have that key any more, nor did I set an expiry on it or create a revocation certificate, so the key is still active but not used by me. I don’t use that email address either.

My next key (again created using PGP) is from 2001 while at my first job. This key (ID 12D101F1) is associated with my work email from that time. Again, I don’t have that key any more, nor did I set an expiry on it or create a revocation certificate, so the key is still active but not used by me. I don’t have access to that work email address either.

My third key (created using GPG) is from 2007. This key (ID C7A2DC31) is active, but I don’t use it much. Thankfully I had a copy of the key with me and I remember its password (a good thing since I was dumb enough not to create a revocation certificate again), so I created a revocation certificate for it today and revoked it.

Today I made my fourth key (using GPG). This key (ID 2673D9BF) is what I plan on using going forward. I have added all my usual email addresses to it and also uploaded it to keys.gnupg.net from where it should replicate to other servers.

It’s been a while since I used GPG so here are some notes to myself on how to get things done with it. Most of these can be accomplished using the Kleopatra GUI that’s bundled with GPG.

Sending keys to the public key servers

C:\Users\rakhesh>gpg --send-keys 2673D9BF
gpg: sending key 2673D9BF to hkp server keys.gnupg.net

1 2	C:\Users\rakhesh>gpg --send-keys 2673D9BF gpg: sending key 2673D9BF to hkp server keys.gnupg.net

The keys.gnupg.net is actually just an endpoint for a collection of servers.

Refreshing keys from the public key servers

C:\Users\rakhesh>gpg --refresh-keys
gpg: refreshing 2 keys from hkp://keys.gnupg.net
...

C:\Users\rakhesh>gpg --refresh-keys

gpg: refreshing 2 keys from hkp://keys.gnupg.net

...

Editing a key

C:\Users\rakhesh>gpg --edit-key 2673D9BF
gpg (GnuPG) 2.0.26; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  4096R/2673D9BF  created: 2014-11-03  expires: 2016-11-03  usage: SCEA
                     trust: ultimate      validity: ultimate
[ultimate] (1). Rakhesh Sasidharan <------->
[ultimate] (2)  Rakhesh Sasidharan <------->
[ultimate] (3)  Rakhesh Sasidharan <------->
[ultimate] (4)  Rakhesh Sasidharan <------->

gpg>

C:\Users\rakhesh>gpg --edit-key 2673D9BF

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub 4096R/2673D9BF created: 2014-11-03 expires: 2016-11-03 usage: SCEA

trust: ultimate validity: ultimate

[ultimate] (1). Rakhesh Sasidharan <------->

[ultimate] (2) Rakhesh Sasidharan <------->

[ultimate] (3) Rakhesh Sasidharan <------->

[ultimate] (4) Rakhesh Sasidharan <------->

gpg>

At this prompt I can type a ? to get a list of sub-commands. For instance:

list – list all the IDs in the key,
adduid – add a new ID,
uid – select an ID (useful to perform an operation on the ID),
deluid – delete the selected ID,
revuid – revoke the selected ID (do this instead of deleting when it’s one of your own keys/ IDs),
primary – mark the selected ID as primary (useful when you have many IDs and you want to mark one as primary), and
addrevoker – add a revocation key.

Creating a revocation certificate

C:\Users\rakhesh\>gpg --output C7A2DC31-revoke.asc --gen-revoke C7A2DC31

1	C:\Users\rakhesh\>gpg --output C7A2DC31-revoke.asc --gen-revoke C7A2DC31

This creates a revocation certificate. Without the --output switch the certificate is output to the screen (ASCII armored). With the switch and the file name following it, the certificate is output to that file.

Note: If you want to revoke an individual ID in your key, there’s no need to do the above. Use the revuid command as in the previous section. It is, however, a good idea to create a revocation certificate for each of your keys and store it someplace safe. This way if you lose the private key or forget the password, you can always use the revocation certificate to revoke that key. The revocation certificate is like your fail-safe switch in case the private key is lost.

To actually revoke a key, import the revocation certificate as in the next section. And then send the key to the public key servers as in the first section.

Importing a key

C:\Users\rakhesh\>gpg --import C7A2DC31-revoke.asc

1	C:\Users\rakhesh\>gpg --import C7A2DC31-revoke.asc

You can skip the file name, in which case you will be prompted to copy-paste the key.

That’s more or less the basic stuff. Most of these can be done via the Kleopatra GUI. Stuff you can’t do via the GUI include creating a revocation certificate or revoking a particular ID.