sudo -k vs. sudo -K

sudo -K and sudo -k, without a command, do the same thing: they invalidate the user's cached credentials.

sudo -k command ... is different: it ignores the user's cached credentials for the current command, but doesn't invalidate them.

Use -k with a command when you want to run a single command without either using or clobbering your cached credentials. (I'm actually not sure why you'd want to do that, but the capability is there.)

Use either sudo -k or sudo -K if you want to clobber your cached credentials.

Summary:

sudo -k           # clobbers cached credentials
sudo -K           # clobbers cached credentials
sudo -k command   # ignores cached credentials
sudo -K command   # invalid

---

UPDATE :

Revisiting this answer, it looks like the only difference between -k and -K is that -k accepts a command and -K does not. I'm not convinced having two separate options is useful, since -K doesn't really add any functionality that -k doesn't provide. There is a subtle difference in wording in the man page; -k "invalidates the user's cached credentials", while -K "removes the user's cached credentials entirely". I don't think that indicates a real difference in the way it affects the credentials.

sudo -K will invalidate your cached credentials across all terminal sessions. This can be useful to run prior to locking your DE.

sudo -k will only invalidate your cached credentials for the current terminal session.