Revoking a subkey
If you only want to revoke one part of your key, a single user ID or a single subkey, rather than the whole key, the procedure is slightly different. The session below revokes one user ID with revuid; for a subkey you would select it with "key N" and use revkey instead, and everything else is the same. Start by making a backup of both halves of your key in a secure place (the first file is your secret key, so treat it accordingly).

$ gpg -a --export-secret-keys bepstein@ias.edu > bepstein_secret.asc
$ gpg -a --export bepstein@ias.edu > bepstein.asc
Next, edit your key, select the user ID (or subkey) you want to revoke, and revoke it; reason 4 is the usual choice for an address that no longer works. Save, then export the key. Note that the exported file is your full public key with the new revocation signature attached, not a stand-alone revocation certificate: importing it anywhere merges that revocation into the existing copy of the key.

$ gpg --edit-key bepstein@ias.edu
[ultimate] (1). Brian Epstein <bepstein@ias.edu>
[ultimate] (2)  Brian Epstein <ep@epiary.org>

Command> 1
[ultimate] (1)* Brian Epstein <bepstein@ias.edu>
[ultimate] (2)  Brian Epstein <ep@epiary.org>

Command> revuid
Really revoke this user ID? (y/N) y
Please select the reason for the revocation:
  0 = No reason specified
  4 = User ID is no longer valid
  Q = Cancel
(Probably you want to select 4 here)
Your decision? 4
Enter an optional description; end it with an empty line:
> bepstein@ias.edu is no longer a valid email address
>
Reason for revocation: User ID is no longer valid
bepstein@ias.edu is no longer a valid email address
Is this okay? (y/N) y

You need a passphrase to unlock the secret key for user:
"Brian Epstein <bepstein@ias.edu>"
1024-bit DSA key, ID 0371C12A, created 2006-09-22

pub  1024D/0371C12A  created: 2006-09-22  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
sub  2048g/4E7A0E4E  created: 2006-09-22  expires: never       usage: E
[ revoked] (1). Brian Epstein <bepstein@ias.edu>
[ultimate] (2)  Brian Epstein <ep@epiary.org>

Command> save
[2]ep:~$ gpg --export -a bepstein@ias.edu > bepstein_rev.asc
You now have a copy of your key with the revoked user ID in bepstein_rev.asc. Your live keyring carries that revocation too, and you do not want it to take effect yet, so delete the key and re-import the backups you made at the start. Do not send your key to a keyserver at this point: keyservers merge signatures, so uploading it would publish the revocation for everyone, and a revocation cannot be taken back.

[2]ep:~$ gpg --delete-secret-keys bepstein@ias.edu
[2]ep:~$ gpg --delete-keys bepstein@ias.edu
[2]ep:~$ gpg --import bepstein_secret.asc
[2]ep:~$ gpg --import bepstein.asc
As the listing below shows, the re-imported key comes back with trust: unknown, so you have to set its owner trust back to ultimate. Owner trust belongs to the key, not to individual user IDs, so selecting the user IDs first is harmless but not required. The trust command writes to the trust database immediately, so quit is enough afterwards; no save is needed. (An alternative is to run gpg --export-ownertrust before deleting the key and gpg --import-ownertrust after re-importing it.)

[2]ep:~$ gpg --edit-key bepstein@ias.edu
Secret key is available.

pub  1024D/0371C12A  created: 2006-09-22  expires: never       usage: SC
                     trust: unknown       validity: unknown
sub  2048g/4E7A0E4E  created: 2006-09-22  expires: never       usage: E
[ unknown] (1). Brian Epstein <bepstein@ias.edu>
[ unknown] (2)  Brian Epstein <ep@epiary.org>

Command> 1

pub  1024D/0371C12A  created: 2006-09-22  expires: never       usage: SC
                     trust: unknown       validity: unknown
sub  2048g/4E7A0E4E  created: 2006-09-22  expires: never       usage: E
[ unknown] (1)* Brian Epstein <bepstein@ias.edu>
[ unknown] (2)  Brian Epstein <ep@epiary.org>

Command> 2

pub  1024D/0371C12A  created: 2006-09-22  expires: never       usage: SC
                     trust: unknown       validity: unknown
sub  2048g/4E7A0E4E  created: 2006-09-22  expires: never       usage: E
[ unknown] (1)* Brian Epstein <bepstein@ias.edu>
[ unknown] (2)* Brian Epstein <ep@epiary.org>

Command> trust

pub  1024D/0371C12A  created: 2006-09-22  expires: never       usage: SC
                     trust: unknown       validity: unknown
sub  2048g/4E7A0E4E  created: 2006-09-22  expires: never       usage: E
[ unknown] (1)* Brian Epstein <bepstein@ias.edu>
[ unknown] (2)* Brian Epstein <ep@epiary.org>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

pub  1024D/0371C12A  created: 2006-09-22  expires: never       usage: SC
                     trust: ultimate      validity: unknown
sub  2048g/4E7A0E4E  created: 2006-09-22  expires: never       usage: E
[ unknown] (1)* Brian Epstein <bepstein@ias.edu>
[ unknown] (2)* Brian Epstein <ep@epiary.org>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

Command>
Now you can send the revocation file (bepstein_rev.asc) wherever it needs to go. Encrypt the email you send it in: the file only has to be imported or uploaded to a keyserver to take effect, so anyone who gets hold of it can revoke that user ID for you. Take this opportunity to back up your secret key and the revocation file in a secure place as well. Then securely wipe the plaintext copies (bepstein_secret.asc and bepstein_rev.asc) from your hard drive.
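The same procedure as a script, added here as an example and not taken from the original page. Rather than revoking in the live keyring and then deleting and re-importing it, it copies the keyring (keys plus owner trust) into a throwaway GNUPGHOME, revokes the user ID there with --quick-revoke-uid, and exports the result, so the live keyring is never touched and keeps its trust settings. It assumes GnuPG 2.2 or later. The test key, the example.com/example.org addresses and the empty passphrase are constructed so that the script runs unattended; a real key is passphrase-protected and gpg will prompt for it. The apply_revocation step shows what happens the moment the exported file is imported anywhere (a keyserver performs the same merge): the user ID becomes revoked in that keyring too.

```sh
#!/bin/sh
# Added example (not from the original page): pre-generate a user-ID
# revocation in a throwaway GNUPGHOME instead of revoking in the live
# keyring and deleting/re-importing it. Assumes GnuPG 2.2 or later.
# Key names and addresses below are constructed test data.
set -eu

# gpg_in HOMEDIR gpg-args...  -> run gpg non-interactively against HOMEDIR
gpg_in() {
    home=$1; shift
    GNUPGHOME="$home" gpg --batch --quiet --no-tty "$@"
}

# new_test_key HOMEDIR PRIMARY_UID EXTRA_UID  -> prints the key fingerprint
# Unprotected test key so that nothing prompts; a real key has a passphrase.
new_test_key() {
    home=$1
    gpg_in "$home" --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$2" default default never
    fpr=$(gpg_in "$home" --with-colons --list-keys "$2" \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    gpg_in "$home" --quick-add-uid "$fpr" "$3"
    printf '%s\n' "$fpr"
}

# clone_keyring SRC DST  -> copy all keys plus owner trust into a scratch GNUPGHOME.
# A secret-key export carries the public parts too, so one pipe moves everything.
clone_keyring() {
    mkdir -p "$2"; chmod 700 "$2"
    gpg_in "$1" --export-secret-keys | gpg_in "$2" --import
    gpg_in "$1" --export-ownertrust   | gpg_in "$2" --import-ownertrust
}

# revoke_uid SCRATCH FPR UID OUTFILE  -> revoke UID in SCRATCH only and export the
# key, now carrying a revocation signature on that UID, to OUTFILE
revoke_uid() {
    gpg_in "$1" --quick-revoke-uid "$2" "$3"
    gpg_in "$1" --armor --export "$2" > "$4"
}

# uid_state HOMEDIR FPR SUBSTR  -> prints the validity letter of the first user ID
# containing SUBSTR ("r" means revoked; "u", "-", etc. otherwise)
uid_state() {
    gpg_in "$1" --with-colons --list-keys "$2" \
        | awk -F: -v u="$3" '$1 == "uid" && index($10, u) { print $2; exit }'
}

# ownertrust HOMEDIR FPR  -> prints the owner-trust letter of the primary key ("u" = ultimate)
ownertrust() {
    gpg_in "$1" --with-colons --list-keys "$2" | awk -F: '$1 == "pub" { print $9; exit }'
}

# apply_revocation HOMEDIR FILE  -> merge FILE into HOMEDIR's copy of the key.
# Uploading FILE to a keyserver does the same merge for everyone; it cannot be undone.
apply_revocation() {
    gpg_in "$1" --import "$2"
}

# cleanup_home HOMEDIR  -> stop the agent gpg started for HOMEDIR and remove the directory
cleanup_home() {
    gpgconf --homedir "$1" --kill gpg-agent 2>/dev/null || true
    rm -rf "$1"
}

# run_demo  -> 0 if the scratch copy shows the UID revoked while the live keyring does not
run_demo() {
    live=$(mktemp -d); chmod 700 "$live"
    scratch=$(mktemp -d); out=$(mktemp)
    fpr=$(new_test_key "$live" 'Alice Example <alice@example.com>' \
                               'Alice Example <alice@example.org>')
    clone_keyring "$live" "$scratch"
    revoke_uid "$scratch" "$fpr" 'Alice Example <alice@example.org>' "$out"
    s=$(uid_state "$scratch" "$fpr" alice@example.org)
    l=$(uid_state "$live" "$fpr" alice@example.org)
    t=$(ownertrust "$scratch" "$fpr")
    echo "scratch uid=$s live uid=$l scratch ownertrust=$t revocation file=$out"
    rc=1
    [ "$s" = r ] && [ "$l" != r ] && [ "$t" = u ] && rc=0
    cleanup_home "$scratch"; cleanup_home "$live"; rm -f "$out"
    return $rc
}

if [ "${1:-}" = demo ]; then
    run_demo
fi
```

Run it as "sh revoke-uid.sh demo" to see the two keyrings disagree about the user ID while agreeing on owner trust. For a real key, point clone_keyring at your actual ~/.gnupg and keep the scratch directory and the exported file on encrypted storage, since together they are as sensitive as the secret key backup the page tells you to make.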