Generate Revocations for Only Specific Subkey(s)?

Daniel Kahn Gillmor dkg at
Tue May 31 17:18:59 CEST 2016

Hi Naftuli Tzvi--

On Sun 2016-05-29 12:18:47 -0400, Naftuli Tzvi Kay wrote:
> I have an offline master key setup with a daily driver hardware smart card
> with three subkeys on it (encryption, signature, authentication).
> I'd like to generate a revocation certificate that I can keep on hand
> somewhere in the event of loss of my hardware smart card. This revocation
> certificate should contain revocations for all three hardware
> keys.

What you're asking for is reasonable, but i don't think it's doable
directly from the command line.  as the man page says:

       --gen-revoke name
              Generate a revocation certificate for the complete key.  To only
              revoke a subkey or a key signature, use the --edit command.

So one workaround would be to make a new temporary working directory,
copy your secret key material and public keys into it, and then use "gpg
--edit" in that temporary working directory to revoke the subkeys in
question.  (within the gpg --edit subshell, mark the keys you want to
revoke with "key N", and then do "revkey", and then "save")

Then, from that temporary directory, export the public key (the full
OpenPGP certificate) to a separate file -- it will have the subkey
revocations in it.  Keep this file around as your "revocation
certificate", and import it into your main keyring when you want to use
it.  You can dispose of your temporary directory once you have the
exported file.
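
The workaround described in this message, scripted as an added example that is not part of the original post or of GnuPG itself. It assumes GnuPG 2.1 or later with the secret primary key available in the normal keyring. The function name `subkey_revocation`, the choice of reason code 0 and the order of answers fed to the edit dialogue are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage: subkey_revocation KEY OUTFILE N [N...]
#   KEY  key in your normal keyring whose secret primary key is available
#   N    subkey numbers as listed by --edit-key (the post's "key N")
# Prints how many subkey revocation signatures OUTFILE contains.
subkey_revocation() {
    key=$1 out=$2
    shift 2
    tmp=$(mktemp -d) || return 1    # temporary working directory
    chmod 700 "$tmp"
    rc=0
    {
        # Copy the public key and secret key material into it.
        gpg --batch --export "$key" | gpg --homedir "$tmp" --batch --import &&
        gpg --batch --export-secret-keys "$key" |
            gpg --homedir "$tmp" --batch --import &&
        # Feed the --edit-key dialogue its answers, one per line.
        {
            for n in "$@"; do echo "key $n"; done   # mark the subkeys
            echo revkey
            echo y    # confirm revoking the selected subkey(s)
            echo 0    # reason code 0 = no reason specified
            echo      # empty line ends the optional description
            echo y    # confirm the reason
            echo save
        } | gpg --homedir "$tmp" --batch --command-fd 0 --edit-key "$key" &&
        # Export the full certificate, now carrying the subkey revocations.
        gpg --homedir "$tmp" --batch --yes --armor --output "$out" \
            --export "$key"
    } >&2 || rc=$?
    # The temporary directory holds secret key material: stop its agent
    # and remove it whether or not the steps above succeeded.
    gpgconf --homedir "$tmp" --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$tmp"
    [ "$rc" -eq 0 ] || return "$rc"
    # Signature class 0x28 is a subkey revocation signature.
    gpg --batch --list-packets "$out" 2>/dev/null | grep -c 'sigclass 0x28'
}
```

The main keyring is not modified; the revocations take effect only once OUTFILE is imported there with `gpg --import`.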
