1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
|
---
title: Key Revocation
sidebar:
label: Key Revocation
order: 5
---
import { Steps } from "@astrojs/starlight/components";
import { Aside } from '@astrojs/starlight/components';
Public key cryptography relies on the long-term security and trustworthiness of
private keys. However, situations may arise where a key can no longer be
trusted, such as when it is lost, compromised, or no longer needed. In these
cases, it is essential to inform others that the key should no longer be used.
A key revocation certificate serves this purpose. It allows the owner (or anyone
with the certificate) to mark a public key as revoked—meaning the key is no
longer valid for signing or encryption. Publishing a revocation certificate
ensures that anyone retrieving the key from a public server or receiving it
directly will know that the key is no longer trustworthy.
## When to Use Key Revocation
1. Key compromise: If you suspect your private key has been stolen or copied by
an unauthorized party.
2. Key loss: If you permanently lose access to your private key and can no
longer control its use.
3. Change of ownership or retirement: If you no longer wish to use the key for
any reason (e.g., moving to a new key).
4. Administrative/security policy: To comply with organization or security
policies requiring regular key turnover.
By preparing a revocation certificate in advance, you can quickly react to these
situations and help prevent unauthorized or accidental use of outdated or
compromised keys.
<Aside type="caution" title="Revocation Has No Effect If Not Published">
Merely generating or importing a revocation certificate is not enough. If you do
not publish the revoked key to a public key server or actively notify your
contacts, others will still see your key as valid and may continue to use it.
Always publish your revoked key and inform peers as soon as possible to ensure
the revocation is recognized by others.
</Aside>
## Generating a Key Revocation Certificate
<Steps>
1. Open the Key Details Window: open Key Details Dialog, then switch to the
Operations tab.
2. Select `Generate Revocation Certificate`: At the bottom dropdown labeled
`Revoke Certificate Operation`, choose Generate Revocation Certificate.
3. Specify the Revocation Reason: Choose one reason code from the dropdown.
Optionally provide free-form text for a more detailed explanation (e.g., lost,
compromised).
4. Confirm and Save: Click OK, then in the file-save dialog, you can choose a
secure local or private location to store the .rev file.
5. Backup and Store: Backup: Keep the .rev file in a secure offline or encrypted
location.
</Steps>
## Importing a Key Revocation Certificate
<Steps>
1. Open the Key Details Dialog: Navigate again to `Key Details → Operations`.
2. Select "Import Revocation Certificate": From the Revoke Certificate Operation
dropdown, choose Import Revocation Certificate.
3. Import the `.rev` File: In the file-selection dialog, locate and open the
previously saved `.rev` file.
4. Verify Revocation: After import, the local key interface will mark the key as
revoked. It can no longer be used for signing or decryption.
5. Publish to a Public Key Server
```shell
gpg --keyserver hkps://keyserver.ubuntu.com --send-keys <YOUR_KEY_ID>
```
</Steps>
## Best Practices
- Prepare in Advance: Generate and back up the revocation certificate before any
key may be lost or compromised.
- Secure Storage: Keep the revocation `.rev` file offline or in encrypted media
to prevent unauthorized revocation.
- Notify & Synchronize: After publishing revocation, inform peers or document
the change so everyone refreshes the key status promptly.
|
