Wednesday, July 9, 2014

GNUPG revocation certificate

As explained in PGP & GPG: Email for the Practical Paranoid, it is highly recommended to create a revocation certificate for a keypair as soon as the keypair is created; it's a best practice. A revocation certificate is a signed statement, made with the private key, that the keypair is no longer valid. It is typically needed when the private key is lost, stolen or compromised, or when the passphrase has been forgotten, and at that point it is the only way to revoke the key, because the key itself can no longer be used to sign a revocation.

Following the previous post on GnuPG keypair creation, I'll now create a revocation certificate for the fictitious user John Smith's keypair, in keeping with the aforementioned best practice.

An SSH session is a must in order to successfully complete the operation.
An ordinary GNOME session won't do (and again, don't ask me why).
Note that this time the SSH session can be a remote one, as usual,
in contrast with the tricks needed for keypair creation.

Assume that the private and public keys have been successfully created.
They are as follows:
 
$ gpg --list-secret-key
/home/.../.gnupg/secring.gpg
------------------------------
sec   4096R/F50D9DFD 2014-07-08 [expires: 2015-07-08]
uid                  John Smith (Business Corp. HR Manager)
ssb   4096R/6CB8D3D2 2014-07-08


$ gpg --list-key
/home/.../.gnupg/pubring.gpg
------------------------------
pub   4096R/F50D9DFD 2014-07-08 [expires: 2015-07-08]
uid                  John Smith (Business Corp. HR Manager)
sub   4096R/6CB8D3D2 2014-07-08 [expires: 2015-07-08]


The revocation certificate is generated with --gen-revoke, naming the key by its user ID (the key ID or fingerprint works too).
With --armor the output file is ASCII-armored text rather than binary, which is what you want if the certificate is going to be printed or stored on paper.

$ gpg --output revoke.jsmith@business.corp.gpg.asc --armor \
      --gen-revoke jsmith@business.corp

sec  4096R/F50D9DFD 2014-07-08 John Smith (Business Corp. HR Manager) <jsmith@business.corp>

Create a revocation certificate for this key? (y/N) y
 

Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)
Your decision?
0
 

Enter an optional description; end it with an empty line:
>
Revocation certificate generated when key created
>
 

Reason for revocation: No reason specified
Revocation certificate generated when key created
Is this okay? (y/N)
y

You need a passphrase to unlock the secret key for user: 

"John Smith (Business Corp. HR Manager) <jsmith@business.corp>"
4096-bit RSA key, ID F50D9DFD, created 2014-07-08

Warning: using insecure memory!


The passphrase is requested through the plain text-mode prompt, consistent with the SSH session.
Unfortunately, the annoying "insecure memory" warning still appears: it means gpg could not lock its pages into RAM (mlock), so the passphrase and key material could in principle be written out to swap.

Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets access to this certificate he can use it to make your key unusable. It is smart to print this certificate and store it away, just in case your media become unreadable.  But have some caution:  The print system of your machine might store the data and make it available to others!


Here are the contents of the generated output file. Note that GnuPG 2.0 wraps the revocation certificate in a PGP PUBLIC KEY BLOCK: it is a single key-revocation signature that is imported like a key, and the Comment line is what tells you it is a revocation certificate rather than a key.

$ cat revoke.jsmith@business.corp.gpg.asc
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.17 (SunOS)
Comment: A revocation certificate should follow
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=NllB
-----END PGP PUBLIC KEY BLOCK-----
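The whole procedure, run unattended so that it can be scripted, as an added example that is not from the original post: it creates a throwaway keypair in a temporary GNUPGHOME, generates its revocation certificate with --gen-revoke by feeding the prompt answers through --command-fd instead of typing them, checks with --list-packets that the file really contains a key-revocation signature (sigclass 0x20) carrying the chosen reason, and then goes one step beyond the post by importing the certificate and confirming that the key is now listed as revoked. The identity Demo User <demo@example.invalid>, the file names and the choice of reason 1 (key compromised) are assumptions made for the demo; it needs GnuPG 2.1 or newer (%no-protection in the key parameter file, gpgconf --kill).

```shell
#!/bin/sh
# Added example, not code from the original post. Creates a demo key in an
# isolated GNUPGHOME, generates and checks its revocation certificate, then
# imports the certificate to show the effect. Needs GnuPG 2.1+.
set -eu

# Throwaway keypair with no passphrase, so the later signing step needs no
# pinentry. The identity is made up for the demo.
make_demo_key() {
    gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Demo User
Name-Email: demo@example.invalid
Expire-Date: 1y
%commit
EOF
}

# Primary-key fingerprint, taken from machine-readable (--with-colons)
# output rather than parsed out of the human-readable listing.
key_fpr() {
    gpg --batch --with-colons --with-fingerprint --list-keys 'demo@example.invalid' \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Unattended --gen-revoke: the answers to the prompts shown in the post are
# fed on fd 0 via --command-fd, in order: confirm, reason (1 = compromised),
# description, blank line to end the description, final confirmation.
# $1 = output file, $2 = key fingerprint.
gen_revocation_cert() {
    printf 'y\n1\nRevocation certificate generated when key created\n\ny\n' \
      | gpg --no-tty --command-fd 0 --armor --output "$1" --gen-revoke "$2"
}

# Structural check: the certificate must carry a signature packet of class
# 0x20 (key revocation) whose reason subpacket is 0x02. gpg's menu choice 1
# ("compromised") maps to RFC 4880 reason code 0x02, not 0x01.
check_revocation_cert() {
    gpg --batch --list-packets "$1" > "$1.packets"
    grep -q 'sigclass 0x20' "$1.packets" \
        && grep -q 'revocation reason 0x02' "$1.packets"
}

# Import the certificate (this is how it is used when the day comes) and
# report the validity field of the pub record: "r" means revoked.
# $1 = certificate file, $2 = key fingerprint.
apply_and_report() {
    gpg --batch --quiet --import "$1"
    gpg --batch --with-colons --list-keys "$2" \
        | awk -F: '$1 == "pub" { print $2; exit }'
}

# Runs the whole flow in a fresh GNUPGHOME and prints the resulting
# validity flag ("r" on success). Fails (non-zero exit) if the certificate
# does not contain the expected revocation signature.
demo_revoke() {
    GNUPGHOME=$(mktemp -d /tmp/gpgdemo.XXXXXX)
    export GNUPGHOME
    make_demo_key
    fpr=$(key_fpr)
    cert="$GNUPGHOME/revoke.asc"
    gen_revocation_cert "$cert" "$fpr"
    check_revocation_cert "$cert"
    apply_and_report "$cert" "$fpr"
    gpgconf --kill all 2>/dev/null || true
}

if command -v gpg >/dev/null 2>&1; then
    demo_revoke
else
    echo "gpg not installed; nothing to demonstrate" >&2
fi
```

In real life the certificate is of course not imported right after it is generated; it is moved off the machine, and only imported (and the revoked public key re-published) when the key has to be killed. The --command-fd trick is what makes --gen-revoke usable from provisioning scripts that create keys in bulk.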


The next step is to export the public key. If the certificate ever has to be used, it is imported into the keyring with --import and the now revoked public key is redistributed to wherever the original was published (keyservers, web pages, correspondents).
I'm done here.