Revocation certificate for sub key?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sat Dec 14 19:28:25 CET 2013


On 12/14/2013 12:01 PM, adrelanos wrote:
> [hauke wrote:]
>> On Fri 13.12.2013, 22:56:07, adrelanos wrote:
>>> Hi,
>>>
>>> Is it possible to create a revocation certificate just for sub keys and
>>> not the master key?
>>
>> --edit-key 0x12345678
>> key 1
>> revkey
> 
> That doesn't create a revocation certificate, that revokes the key.

If you are comfortable with either the GNUPGHOME environment variable or
gpg's --homedir option, you should be able to make what you're looking for:

Make a new temporary gnupg homedir.  import your primary secret key and
your subkey into that homedir.  from that homedir, take Hauke's advice
and then export the key to a text file someplace safe.  this text file
will contain the revocation for the subkey.  delete/purge/get rid of the
temporary homedir.

if/when you need to revoke your subkey, you can just gpg --import the
stored text file, and then --send-key to push it to the public keyservers.

does this make sense?

	--dkg

PS your e-mail client appears to be breaking message threading (no
In-Reply-To: or References: headers), and fails to provide attribution
for your quoted text (i had to re-insert that hauke was the source of
the good advice above).  This makes it more difficult for people to
carry on a conversation with you over e-mail.  Please consider fixing
your client or choosing a different one that supports proper message
threading and attribution.  thanks!
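
The procedure described in this message, scripted as an added shell example (not part of the original post and not GnuPG's own tooling). The function names, their arguments, and the scripted answers to the revkey prompts (reason 0, empty description) are assumptions, and gpg 2.1 or later is assumed.

```shell
#!/bin/sh
# Added example: pre-generate a subkey revocation in a throwaway GnuPG homedir,
# so the real keyring never sees the revocation until it is imported.
# Function names and arguments are hypothetical.

# make_subkey_revocation SECRET_KEY_FILE SUBKEY_INDEX OUT_FILE
#   SECRET_KEY_FILE: output of `gpg --export-secret-keys KEYID`
#   SUBKEY_INDEX:    the N you would type as "key N" inside --edit-key
#   OUT_FILE:        armored export that carries the subkey revocation
make_subkey_revocation() {
    secret_file=$1; subkey_index=$2; out_file=$3
    tmp_home=$(mktemp -d) || return 1
    chmod 700 "$tmp_home"
    rc=1
    if gpg --homedir "$tmp_home" --batch --quiet --import "$secret_file"; then
        fpr=$(gpg --homedir "$tmp_home" --batch --with-colons --list-secret-keys |
              awk -F: '$1 == "fpr" { print $10; exit }')
        # Answers, in order: select subkey, revkey, confirm, reason 0
        # (no reason specified), empty description, confirm, save.
        printf 'key %s\nrevkey\ny\n0\n\ny\nsave\n' "$subkey_index" |
            gpg --homedir "$tmp_home" --batch --quiet --command-fd 0 \
                --edit-key "$fpr" >/dev/null &&
        gpg --homedir "$tmp_home" --batch --armor --export "$fpr" > "$out_file" &&
        rc=0
    fi
    # Stop any daemons started for the temporary homedir, then purge it.
    gpgconf --homedir "$tmp_home" --kill all 2>/dev/null || true
    rm -rf "$tmp_home"
    return $rc
}

# revoked_subkey_count EXPORT_FILE
#   Imports the file into a scratch homedir and prints how many subkeys are
#   marked revoked ("sub" records with validity "r"), as a check before storing.
revoked_subkey_count() {
    chk_home=$(mktemp -d) || return 1
    chmod 700 "$chk_home"
    gpg --homedir "$chk_home" --batch --quiet --import "$1" 2>/dev/null
    gpg --homedir "$chk_home" --batch --with-colons --list-keys 2>/dev/null |
        awk -F: '$1 == "sub" && $2 == "r" { n++ } END { print n + 0 }'
    gpgconf --homedir "$chk_home" --kill all 2>/dev/null || true
    rm -rf "$chk_home"
}
```

The edit-key exit status does not reliably signal whether the revocation was made, so run `revoked_subkey_count` on the output file before relying on it.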
