
Revoking a PGP Key from MIT's Key Server

I haven’t used my PGP key in years (although I did actually use it, so that’s cool :)). Since I never set an expiry date on the key, I figured it would be a good idea to revoke it. I didn’t find clear instructions on how to do this, so I wrote down my own instructions here on how to revoke a public key from MIT’s key server.

Procedure

You can identify the key you want to revoke with gpg --list-keys. Here is what it looked like for me before I revoked my key.

$ gpg --list-keys
/home/tethik/.gnupg/pubring.kbx
-------------------------------
pub   rsa2048 2013-06-30 [SCE]
      F6FA724CA0197D7388C0221154E3CB53BD1A5FAE
uid           [marginal] Joakim Uddholm <joakim@uddholm.com>

If you don’t have one already, generate a revocation certificate for the key. The long value from the listing above, used here as the key ID, is the key’s full fingerprint.

gpg --output revoke.asc --gen-revoke F6FA724CA0197D7388C0221154E3CB53BD1A5FAE

Import the revocation certificate into your own keyring:

gpg --import revoke.asc

If you check gpg --list-keys again, you should now see that the key is marked as revoked:

$ gpg --list-keys
/home/tethik/.gnupg/pubring.kbx
-------------------------------
pub   rsa2048 2013-06-30 [SCE] [revoked: 2021-01-05]
      F6FA724CA0197D7388C0221154E3CB53BD1A5FAE
uid           [ revoked] Joakim Uddholm <joakim@uddholm.com>

Now when you export the public key, the output should contain the revocation information.

gpg -a --export F6FA724CA0197D7388C0221154E3CB53BD1A5FAE

Copy the output, go to http://pgp.mit.edu/, and paste it into the Submit a key field.

For reference, this is what my revoked key looks like.


Once submitted, you can confirm that your key is revoked by looking it up on the key server. You should see output something like this:

pub  2048R/BD1A5FAE 2013-06-30 *** KEY REVOKED *** [not verified]
                               Joakim Uddholm <joakim@uddholm.com>

Troubleshooting

Add failed: This is a stand-alone revocation certificate. A revocation certificates should be imported to the respective public key before being published to a keyserver

I got this error when I tried submitting just the revocation certificate. You have to submit the output of your newly exported public key after having imported the revocation certificate into your local gpg keychain.
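
A pre-submission check for the mistake described above, as an added example that is not part of the original post: it reads the text printed by gpg --list-packets and tells a revoked public key apart from a stand-alone revocation certificate. The function names, the sample key ID and the sample packet listings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Input is `gpg --list-packets` text.
# Usage: gpg -a --export <fingerprint> | gpg --list-packets | ready_to_submit

# Reads list-packets output on stdin and prints one of:
#   revoked-key            public key packet plus a key revocation signature
#   standalone-revocation  key revocation signature with no public key packet
#   unrevoked-key          public key packet, no key revocation signature
#   unknown                neither packet type was seen
classify_packets() {
    awk '
        /^:/                   { insig = 0 }
        /^:public key packet:/ { haskey = 1 }
        /^:signature packet:/  { insig = 1 }
        # sigclass 0x20 is a key revocation signature (RFC 4880, section 5.2.1)
        insig && /sigclass 0x20([^0-9a-fA-F]|$)/ { revoked = 1 }
        END {
            if (haskey && revoked) print "revoked-key"
            else if (revoked)      print "standalone-revocation"
            else if (haskey)       print "unrevoked-key"
            else                   print "unknown"
        }'
}

# Succeeds only when stdin describes a public key that carries its revocation.
ready_to_submit() {
    [ "$(classify_packets)" = "revoked-key" ]
}

# Constructed, abbreviated samples of `gpg --list-packets` output.
sample_revoked_key() {
    cat <<'EOF'
:public key packet:
    version 4, algo 1, created 1372550400, expires 0
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1609804800, md5len 0, sigclass 0x20
:user ID packet: "Example User <user@example.org>"
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1372550400, md5len 0, sigclass 0x13
EOF
}
sample_standalone_cert() {
    cat <<'EOF'
:signature packet: algo 1, keyid 0123456789ABCDEF
    version 4, created 1609804800, md5len 0, sigclass 0x20
EOF
}
sample_standalone_cert | classify_packets
```

Running the same pipeline on revoke.asc instead of the exported key reports standalone-revocation, which is the case the key server rejects.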

Timeouts and Proxy Errors from the MIT Key Server

It seems the MIT Key Server is either running on some old toaster or abused by botnets (I think I read something about the latter). Try again. What might help when searching for a key is to use the Only return exact matches option as this limits the possible results.