The need for a GPG revocation certificate

Do you use GPG or PGP to sign or encrypt your emails and/or files?

This is a reminder to those who answered yes: make sure you have a revocation certificate, as well as backups of your private/public key pair, ideally in multiple safe locations.

It's always a good idea to keep backups. But what is more important with GPG is the revocation certificate. That's your emergency brake. If someone ever gains control over your key, this is the only way for you to minimise (further) abuse of your key and your identity.

However, even a revocation certificate cannot prevent all abuse, by the very design of the GPG Web of Trust. You also need to exercise the utmost care in protecting your key and in making sure third parties cannot gain control over it. Do not keep it on machines you don't trust, and make sure to use a safe, non-guessable passphrase!

With GnuPG, generating a revocation certificate is as easy as this; replace $KEYID with your 8- or 16-digit hexadecimal key ID:

  gpg --gen-revoke $KEYID > $KEYID.revoke.asc

and store it away. Do not import it until you need to revoke your key!

In my case, the process was this; lines requiring my input are prefixed with an arrow ('→'):

  sec  1024D/330C4A75 2001-06-20 Martin F. Krafft <mail@martin-krafft.net>

→ Create a revocation certificate for this key? (y/N) y
  Please select the reason for the revocation:
    0 = No reason specified
    1 = Key has been compromised
    2 = Key is superseded
    3 = Key is no longer used
    Q = Cancel
  (Probably you want to select 1 here)
→ Your decision? 1
  Enter an optional description; end it with an empty line:
→ > 
  Reason for revocation: Key has been compromised
  (No description given)
→ Is this okay? (y/N) y

  You need a passphrase to unlock the secret key for
  user: "Martin F. Krafft <mail@martin-krafft.net>"
  1024-bit DSA key, ID 330C4A75, created 2001-06-20

  ASCII armored output forced.
  Revocation certificate created.

  Please move it to a medium which you can hide away; if Mallory gets
  access to this certificate he can use it to make your key unusable.
  It is smart to print this certificate and store it away, just in case
  your media become unreadable.  But have some caution:  The print system of
  your machine might store the data and make it available to others!

I then printed the file, put it in the safe, stored it on a removable disk and hid it away. Even though I exercise great care over my key material, I can now sleep better at night, knowing that I can at least minimise any damage done by an attacker who compromises my key.

Also, that way I can make sure to declare unused keys as such, since there is no other way to revoke a published key for which you've lost the private key or forgotten its passphrase. I've left such traces in my past and wish I had known what I was doing at the time: A8FA196E, C22D1C01, 1EF0975C.

This is your chance to do it right. Make yourself a revocation certificate now (along with backups)! And always exercise care and keep your key secure.

NP: Mono: One More Step and You Die