Now time to learn the bare necessities of MANAGING YOUR KEYS. OK, so there are mainly 2 sets of commands that allow you to see what PGP-keys you have imported in your system [AKA GPG-KeyRing].
One of them shows the list of PUBLIC-KEYS:
gpg --list-keys
OR
gpg -k
The other shows the list of PRIVATE/SECRET-KEYS:
gpg --list-secret-keys
OR
gpg -K
So, let's say you want to clean up your GPG-KeyRing by deleting unnecessary/unwanted/unused keys, well you can do that :-)
- You can specifically delete the PUBLIC-KEYS only. REMINDER = If you delete the PUBLIC-KEY then you will have to delete its PRIVATE-KEY separately as well.
- You can specifically delete the PRIVATE/SECRET-KEYS only. REMEMBER = If you delete the PRIVATE-KEY then you will have to delete its PUBLIC-KEY separately as well.
- Or, if you wish, you can delete both the PRIVATE/SECRET-KEY & its associated PUBLIC-KEY simultaneously.
gpg --delete-key KEY_ID --> Deletes PUBLIC-KEY only
OR
gpg --delete-secret-key KEY_ID --> Deletes SECRET/PRIVATE-KEY only
OR
gpg --delete-secret-and-public-key KEY_ID --> Deletes PRIVATE/SECRET-KEY & its associated PUBLIC-KEY
THE GNUPG "EDIT-KEY" FEATURE ↴↴↴
This is basically an "EDIT-MENU" that GnuPG launches for the PGP-Key that you specified. You can specify the key via the EMAIL_ID or the "IDENTIFIER/FINGERPRINT" belonging to that specific PGP-Key.
gpg --edit-key KEY_ID
OR
gpg --edit-key EMAIL_ID
So what can you do with this said "EDIT-MENU"? Well... a lot actually. Here are some of the things you can do:-
- fpr = shows the FINGERPRINT of the PGP-Key
- list = shows a list of Sub-Keys & User-IDs
- uid USER_ID = selects the specified User-ID
- key SUBKEY_ID = selects the specified Sub-Key
- check = shows the signatures contained in the PGP-Key & the User-IDs of those who signed the PGP-key that you are editing
- adduid = allows you to ADD a new User-ID
- addkey = allows you to ADD a new Sub-Key
- deluid = allows you to DELETE a specific User-ID
- delkey = allows you to DELETE a specific Sub-Key
- addrevoker = allows you to ADD a designated Revoker-Key
- sign = allows you to sign the selected PGP-Key/Sub-Key via the User-ID or FINGERPRINT
- delsig = allows you to delete signatures from the selected USER-IDs
- revsig = allows you to revoke signatures on the selected user IDs
- revkey = allows you to revoke a Key or selected Sub-Keys
- passwd = enables you to change the passphrase/password for the Key
- expire = Update or Change the expiration date for the key or selected Sub-Keys
You can also reset your password for your PGP-keys as well. To do that just type passwd [Yet again; you can use the "TAB-Key" to Auto-Complete the word] in that "EDIT-MENU" & then set your new password/passphrase. ALSO; if you want any help regarding what you can do in that "EDIT-MENU", just type help & to save & quit the "EDIT-MENU", type save.
Now finally to sign someone else's PGP-key you can use the following command:-
gpg --sign-key KEY_ID
OR
gpg --sign-key -u YOUR_EMAIL_ID OTHER_KEY_ID
As you can see, you can also select which SECRET/PRIVATE-KEY you want to sign that other key with via the "-u" or "--local-user" option. [This is a shortcut to the "sign" sub-command in the --edit-key EDIT-MENU for that other person's PGP-key that you want to sign]
REVOKING PGP-KEYS ↴↴↴
Well now it is time to learn about REVOKING YOUR PGP-KEYS. Now why is this necessary ???
Well, let's say that in a "worst-case scenario" your PRIVATE-KEYS are compromised or you lose your PRIVATE-KEYS [ESPECIALLY PROBLEMATIC if your PGP-keys have no expiry date]; you will need to INVALIDATE your PGP-keys by revoking them so that your keys cannot be misused by any malicious actor.
Now in order to do just that; you will need to generate a "REVOCATION-CERTIFICATE"↴
From GnuPG version 2.1 and later, whenever you GENERATE a new PGP-key GnuPG automatically generates a "REVOCATION-CERTIFICATE" whose file-name is the FINGERPRINT of the PGP-key, with the file extension ".rev".
The Auto-Generated REVOCATION-CERTIFICATE will be located in the "openpgp-revocs.d/" [which is in-turn located in the ".gnupg" HIDDEN-directory] in case of linux. Now take the following example:
Let's say your key has the FINGERPRINT of "1234 ABCD 5678 EFGH 9101 1IJK 1213 LMNO 1415 PQRS" then the ".rev" REVOCATION-CERTIFICATE will be:
1234ABCD5678EFGH91011IJK1213LMNO1415PQRS.rev
LOCATED IN
.gnupg/openpgp-revocs.d in your HOME-DIRECTORY in linux
Now, to avoid an accidental use of this file, a colon has been inserted before the 5 dashes of the "-----BEGIN PGP PUBLIC KEY BLOCK-----" line inside it.
You will have to remove this colon with a text editor before importing. This file allows the key to be revoked even if the PRIVATE-KEY is lost or inaccessible, so of course it is intended to be stored securely, in a separate physical location if possible, as a backup in case the private key is lost or compromised in the future.
But let's say that, the SECRET/PRIVATE-KEY is still accessible, it is better to generate a new revocation certificate & give a reason for the revocation. To do just that you need to type out this command:
gpg --output revoke.asc --gen-revoke KEY_ID
Obviously, this file is created on demand/manually. EXCEPT here; you will have to go through a process of specifying the reason behind revoking the PGP-key & the file will be named "revoke.asc".
Both files contain the same type of data; the only difference is in the filename. To use either file, it must be imported into the GPG-KeyRing. After the import, the PGP-key is marked as revoked locally & if the key was previously uploaded to a PGP-Keyserver then the revoked-key can be sent to a keyserver in order to inform others of the revocation:
gpg --import revoke.asc OR gpg --import FINGERPRINT.rev
THEN SEND THE KEY TO THE KEYSERVER
gpg --keyserver KEYSERVER_URL --send-keys KEY_ID
REMEMBER; once the specific PGP-Key gets revoked then there is no going back. There is no way that I know personally that will UN-REVOKE your revoked-key, so BE VERY CAREFUL & keep that REVOCATION-CERTIFICATE safe.
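To see the listing, deletion and revocation steps above work end to end without risking your real keyring, here is an added walk-through script (not from the original post). It runs every command inside a throwaway GNUPGHOME, so ~/.gnupg is never touched; it assumes GnuPG 2.1+ is on the PATH, and the "Test User" id is a constructed value.

```shell
# Added example, not from the original post: exercise the tutorial's list, revoke and
# delete commands against a throwaway keyring so that ~/.gnupg is never modified.
# Assumes gpg 2.1+ on PATH; the user id below is a constructed test value.

# Isolated keyring: every gpg call below uses GNUPGHOME instead of ~/.gnupg.
GNUPGHOME=$(mktemp -d)
export GNUPGHOME
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$GNUPGHOME"' EXIT

# Generate an unattended test key (no passphrase) and print its primary fingerprint.
make_test_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Test User <test@example.invalid>' default default 1y
    gpg --list-secret-keys --with-colons | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Number of public keys in the keyring (the machine-readable form of "gpg -k").
count_public_keys() {
    gpg --list-keys --with-colons | awk -F: '$1 == "pub" { n++ } END { print n + 0 }'
}

# Validity flag of the key's "pub" record: "u" for our own key, "r" once revoked.
key_validity() {
    gpg --list-keys --with-colons "$1" | awk -F: '$1 == "pub" { print $2; exit }'
}

# Use the auto-generated certificate from openpgp-revocs.d/: strip the safety colon
# gpg puts in front of the armor header, then import the result to revoke the key.
revoke_with_auto_cert() {
    sed 's/^:-----BEGIN/-----BEGIN/' "$GNUPGHOME/openpgp-revocs.d/$1.rev" \
        | gpg --quiet --import
}

# Remove both halves of the key pair non-interactively (batch mode needs the full fingerprint).
delete_key_pair() {
    gpg --batch --yes --delete-secret-and-public-key "$1"
}

if command -v gpg >/dev/null 2>&1; then
    fpr=$(make_test_key)
    echo "generated $fpr, validity before revocation: $(key_validity "$fpr")"
    revoke_with_auto_cert "$fpr"
    echo "validity after importing the .rev file: $(key_validity "$fpr")"
    delete_key_pair "$fpr"
    echo "public keys left in the keyring: $(count_public_keys)"
fi
```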