GPG/PGP Keys-Part 5: Backing up, Restoring, Revoking and Deleting your GPG/PGP keys in Debian
Welcome to Part 5 of GPG/PGP Key series.
What we will learn: This is one of the most important parts of the entire series. We will learn how to manage our GPG keys: backing them up, restoring them and revoking them (if the need arises). Essentially this part should have come before any other part of the series; for some reason I completely lost sight of it.
Step 1: Backing up your private/public keys
One of the first steps to do once you have generated your private/public keypair (as we saw in Part 1) is to back it up, so that you can restore the keys if your machine crashes or you change computers. For example, if you buy a new laptop that you will use for all your work, you need to transfer those keys to the new computer.
List your keys first.
# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub   1024D/EE6E8046 2009-02-20
uid                  Bill Till (My GPG key) <test@abc.com>
sub   2048g/AE3B1BD4 2009-02-20

pub   1024D/E4635BBE 2009-03-16
uid                  John Doe (My first key) <gpg@abc.com>
sub   2048g/0AC353C2 2009-03-16
Select the key ID which belongs to you. In this case it is EE6E8046. (An eight-character key ID is only the last 32 bits of the key's fingerprint and is not guaranteed to be unique; when in doubt, name the key by its full fingerprint instead.)
To backup your public key give the following command:
# gpg -ao mypub.key --export EE6E8046
This will create a file called “mypub.key” (-a writes ASCII armour, -o names the output file).
To backup your private key give the following command:
# gpg -ao myprivate.key --export-secret-keys EE6E8046
This will create a file called “myprivate.key”. It contains your secret key, protected only by your passphrase.
Now store these two files (mypub.key and myprivate.key) on a floppy disk, CD or USB drive and put it away in a secure, safe place. Keep that medium offline: anyone who obtains myprivate.key only has to guess your passphrase to use your key.
Generate a revocation certificate
I will explain in Step 3 why we need this. For now simply give the following command:
# gpg --output myrevoke.key --gen-revoke EE6E8046
and answer the few questions that will be presented to you (the reason for the revocation and an optional description). You will be asked for your passphrase as well. Once done, store the “myrevoke.key” file in a safe place, preferably on a floppy or CD, and put it away. Generate it now, while you still have the private key and remember the passphrase: it cannot be created afterwards, and anyone who holds this file can revoke your key, so guard it like the private key backup.
Step 2: Restoring your GPG key
Now a time comes when you have lost your GPG keys and would like to restore them on the same or another machine. To restore the keys give the following commands:
# gpg --import myprivate.key
gpg: key EE6E8046: secret key imported
gpg: key EE6E8046: public key “Bill Till (My GPG key) <test@abc.com>” imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
# gpg --import mypub.key
gpg: key EE6E8046: “Bill Till (My GPG key) <test@abc.com>” not changed
gpg: Total number processed: 1
gpg: unchanged: 1
# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub   1024D/EE6E8046 2009-02-20
uid                  Bill Till (My GPG key) <test@abc.com>
sub   2048g/AE3B1BD4 2009-02-20
Congratulations! Your keys have been restored and you can use them as before, thanks to the backup from Step 1. Note that ownertrust is not part of the key export, so on the new machine gpg does not yet treat the restored key as your own; mark it as ultimately trusted (edit the key and set its trust) before you rely on it.
Step 3: Revoking the GPG keys
Hope you never have to do this step, because doing it usually means one of the following:
a) Your private key has been compromised
b) You have lost your private key and its backup
c) You forgot your passphrase (password)
Now suppose you want to revoke your key, which basically means that you are no longer going to use it in future and would like to tell people on the Internet as well.
First we need to revoke the key locally on your machine:
# gpg --import myrevoke.key
The “myrevoke.key” file is the revocation certificate from Step 1. Importing it marks the key as revoked in your local keyring, and the revocation is permanent: a revoked key cannot be un-revoked.
Now we need to inform everybody on the Internet that we are revoking this key, so that people stop using it to send you messages. This is done by uploading the revoked key to the keyservers, just as we did with the newly created public key. To send the revocation information to the keyserver give the following command:
# gpg --keyserver hkp://subkeys.pgp.net --send-keys EE6E8046
(The server shown was the usual default when this was written; substitute the keyserver you and your correspondents actually use.)
Now anyone who tries to encrypt a message to your key, which has NOW been revoked, will be warned by gpg that the key is revoked. However, they only see this after refreshing their keyring from the keyserver, so it is a good idea to refresh your keys on a regular basis to keep the information up to date. You can refresh your keys with the following command:
# gpg --keyserver hkp://subkeys.pgp.net --refresh-keys
Step 4: Deleting a key
Suppose you created too many keys while experimenting with GPG and are now confused by all the keys lying around. You would like to delete all but one key. Here is how to delete the extra keys:
# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub   1024D/EE6E8046 2009-02-20
uid                  Bill Till (My GPG key) <test@abc.com>
sub   2048g/AE3B1BD4 2009-02-20

pub   1024D/E4635BBE 2009-03-16
uid                  John Doe (My first key) <gpg@abc.com>
sub   2048g/0AC353C2 2009-03-16
Select the key ID which you would like to delete. In this case it is E4635BBE.
# gpg --delete-secret-and-public-key E4635BBE
The above command removes the key from both the private and the public keyring; gpg asks you to confirm each deletion. Deletion is final, and if the key was ever published it should be revoked first (Step 3): other people's keyrings still hold the public key, and once the private key is gone you can no longer create a revocation certificate for it. Verify that the key was really deleted:
# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub   1024D/EE6E8046 2009-02-20
uid                  Bill Till (My GPG key) <test@abc.com>
sub   2048g/AE3B1BD4 2009-02-20
From the above output we see that the key for “John Doe” is no longer there.
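Putting Steps 1 to 4 together, here is an added example script (not from the original post) that runs the whole procedure unattended inside two throw-away GNUPGHOME directories, so it never touches your real ~/.gnupg. It assumes GnuPG 2.1 or later on the PATH; the user ID, the file names and the passphrase-less demo key are made up for the demo. It answers the interactive prompts of --gen-revoke through --command-fd, then checks with --with-colons output that the restored secret key is present, that the key shows as revoked (validity field r) after the certificate is imported, and that batch deletion, which requires the full fingerprint, leaves the original keyring empty.

```sh
#!/bin/sh
# Added example, not part of the original post. Exercises backup, restore,
# revocation and deletion of a throw-away key in temporary GNUPGHOME dirs.
# Assumptions: GnuPG >= 2.1; user ID / file names constructed for the demo;
# the demo key has no passphrase (%no-protection) so everything runs unattended.
# A real key must have a passphrase.
#
# Return value of gpg_key_lifecycle_demo:
#   0  every step verified, 77  no usable gpg (skipped), 1  a step failed.

gpg_key_lifecycle_demo() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping" >&2; return 77; }
    case "$(gpg --version | sed -n '1s/.* //p')" in
        2.[1-9]*) ;;
        *) echo "need GnuPG >= 2.1, skipping" >&2; return 77 ;;
    esac

    work=$(mktemp -d) || return 1
    old="$work/old"; new="$work/new"; backup="$work/backup"
    mkdir -m 700 "$old" "$new" "$backup" || return 1

    # Generate the demo key in the "old" keyring (unattended parameter file).
    cat > "$work/params" <<'EOF'
%no-protection
Key-Type: default
Subkey-Type: default
Name-Real: Bill Till
Name-Comment: demo key
Name-Email: test@abc.com
Expire-Date: 0
%commit
EOF
    GNUPGHOME="$old" gpg --batch --quiet --gen-key "$work/params" || return 1

    # Use the full fingerprint, not a short key ID: short IDs can collide, and
    # batch-mode deletion below refuses anything shorter than a fingerprint.
    fpr=$(GNUPGHOME="$old" gpg --batch --with-colons --with-fingerprint --list-keys \
          | awk -F: '/^fpr:/ { print $10; exit }')
    [ -n "$fpr" ] || return 1

    # Step 1: back up the public key, the private key and a revocation certificate.
    GNUPGHOME="$old" gpg --batch --armor --output "$backup/mypub.key" --export "$fpr" || return 1
    GNUPGHOME="$old" gpg --batch --armor --output "$backup/myprivate.key" \
        --export-secret-keys "$fpr" || return 1
    # --gen-revoke is interactive (it refuses --batch); feed its prompts via --command-fd:
    # y (create), 1 (reason: key has been compromised), empty description, y (confirm).
    printf 'y\n1\n\ny\n' | GNUPGHOME="$old" gpg --no-tty --command-fd 0 --status-fd 2 \
        --output "$backup/myrevoke.key" --gen-revoke "$fpr" || return 1

    # Step 2: restore into an empty keyring and check the secret key is there.
    GNUPGHOME="$new" gpg --batch --quiet --import "$backup/myprivate.key" || return 1
    GNUPGHOME="$new" gpg --batch --quiet --import "$backup/mypub.key" || return 1
    GNUPGHOME="$new" gpg --batch --with-colons --with-fingerprint --list-secret-keys \
        | grep -q "^fpr:.*:$fpr:" || return 1

    # Step 3: revoke locally; validity field 'r' in --with-colons output means revoked.
    GNUPGHOME="$new" gpg --batch --quiet --import "$backup/myrevoke.key" || return 1
    GNUPGHOME="$new" gpg --batch --with-colons --list-keys "$fpr" | grep -q '^pub:r:' || return 1

    # Step 4: delete from the original keyring. In batch mode the key must be
    # named by fingerprint, and --yes skips the agent's confirmation prompt.
    GNUPGHOME="$old" gpg --batch --yes --delete-secret-and-public-key "$fpr" || return 1
    if GNUPGHOME="$old" gpg --batch --with-colons --list-keys | grep -q '^pub:'; then
        return 1
    fi

    echo "key $fpr: exported, restored, revoked and deleted as expected"

    # Stop the agents started for the temporary homes, then remove everything.
    GNUPGHOME="$old" gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME="$new" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    return 0
}

# Run the demo when executed directly; a missing gpg is a skip, not a failure.
rc=0
gpg_key_lifecycle_demo || rc=$?
[ "$rc" -eq 0 ] || [ "$rc" -eq 77 ] || exit "$rc"
```

Two details worth noticing: the revocation certificate is created before anything goes wrong, because it needs the private key and passphrase, and every command names the key by its 40-digit fingerprint rather than the eight-digit key ID the listings above show.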
That's it! I hope that you now feel in control of your GPG keys and can manage them properly and securely.

April 1st, 2009 at 1:28 pm
[...] Part 5: Backing up, Restoring, Revoking and Deleting your GPG/PGP keys in Debian [...]
January 5th, 2010 at 5:09 am
[...] around the web I found a very interesting post that I decided to translate for you, making a few additions, as I believe it may [...]