Revoked and Replaced OpenPGP Key

I uploaded a GPG key to back in 2005. It’s well past time for me to replace it. I covered creating your revocation certificate back in PGP & GPG, but didn’t actually write about using that revocation certificate. Nine years later… yeah, I better figure this out.

So Io to the machine with my keypair, and create my revocation certificate.

# gpg --output oldgpg.revoke.asc --gen-revoke E68C49BC

sec 1024D/E68C49BC 2005-02-21 Michael Warren Lucas Jr (Author, consultant, sysadmin)

Yep, that’s my old key.

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision? 2

Why is this key being revoked? Because it’s nine years old. I’ve generated a new key,

Enter an optional description; end it with an empty line:
Reason for revocation: Key is superseded
(No description given)
Is this okay? (y/N) y

Nobody cares about the details, so I don’t enter any.

You need a passphrase to unlock the secret key for
user: "Michael Warren Lucas Jr (Author, consultant, sysadmin) "
1024-bit DSA key, ID E68C49BC, created 2005-02-21

I enter my passphrase.

ASCII armored output forced.
Revocation certificate created.

I now have a revocation certificate, oldgpg.revoke.asc. To activate it, I import it into my keyring.

# gpg --import oldgpg.revoke.asc
gpg: key E68C49BC: "Michael Warren Lucas Jr (Author, consultant, sysadmin) " revocation certificate imported
gpg: Total number processed: 1
gpg: new key revocations: 1
gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0 valid: 2 signed: 14 trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1 valid: 14 signed: 1 trust: 14-, 0q, 0n, 0m, 0f, 0u
gpg: next trustdb check due at 2020-10-13

No passphrase needed–it just happens.

Now: sleep tight, sweet prince.

# gpg --send-keys E68C49BC
gpg: sending key E68C49BC to hkp server

My old key is dead.

For the record, my new key is 1F2E54A8, for mwlucas at michaelwlucas dot com.

Now if I could only kill 4EBA9723…

2 Replies to “Revoked and Replaced OpenPGP Key”

  1. Why would you create a new key? Isn’t that about as inconvenient as making a new email address?

  2. Inconvenient? Yes. But the more you use a key, the more attack surface you expose. It’s the same reason you rotate DNSSEC ZSKs. Plus, there’s always the chance you were compromised at some point and never realized it. Most intrusions are never noticed until it’s too late.

Comments are closed.