An option to generate revocation cert for subkey(s)?

Michał Górny mgorny at
Sat Feb 16 19:25:38 CET 2019


I'd like to ask whether it'd be feasible to have an option to generate
a revocation certificate that revokes one (or more?) subkeys rather than
the whole key.

Our use case involves a signing key kept on a server for the purpose of
automated signatures.  We'd like to keep the secret portion
of the primary key offline and use a dedicated signing subkey
on the server.  At the same time, we'd like to be able to quickly revoke
the subkey if the need arises without having to reach for the primary key.

I know that currently with a bit of hacking we can store an export
of the key with the subkey revoked, and use that for the purpose.  However,
I think it would be much more convenient if we had an option to generate
the revocation signature separately.

Best regards,
Michał Górny