Generate Revocations for Only Specific Subkey(s)?

Naftuli Tzvi Kay rfkrocktk at
Sun May 29 18:18:47 CEST 2016

I have an offline master key setup with a daily driver hardware smart card
with three subkeys on it (encryption, signature, authentication).

I'd like to generate a revocation certificate that I can keep on hand
somewhere in the event of loss of my hardware smart card. This revocation
certificate should contain revocations for all three hardware
keys. It should be simply possible to upload these three revocation
certificates to a key server to revoke these keys.

However, what I'm finding is that on GnuPG 2.1.11 (libgcrypt 1.6.4)
revocations can only be generated for the master key. If I run the

     gpg2 --gen-revoke $SUBKEY_ID\!

A revocation for the master key is generated instead. At the very least,
it'd be nice if the CLI client would send me an error message that it is
unable to generate a revocation for the subkey directly and that I should
use "gpg2 --edit-key" and the "revkey" command to revoke subkeys.

What would be even better would be a way to execute "--gen-subkey-revoke"
ala "--export-secret-subkeys" which would allow me to generate at least one
external subkey revocation to a file. Then, when revocation needs to
happen, I could just import the revocation for the given subkey(s) and
publish to a key server.

Has such a solution or use-case been proposed or considered?

 - Naftuli Tzvi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20160529/33cab4ab/attachment.html>

More information about the Gnupg-devel mailing list