Protect your privacy with GnuPG
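GnuPG is well known as a powerful open-source program that provides encryption and decryption as well as signing and verification. There are plenty of introductions to it online; this article explains how to use GnuPG on Debian lenny.
Update the GnuPG configuration
Debian lenny installs GnuPG by default. First, edit the GnuPG configuration file: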
$ vi ~/.gnupg/gpg.conf
Append the following to the end of the file:
personal-digest-preferences SHA256
cert-digest-algo SHA256
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
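personal-digest-preferences: the preference order of message digest algorithms; debian-admin recommends SHA-256
cert-digest-algo: the message digest algorithm used when signing keys
default-preference-list: the default algorithm order for keys created from now on; it can be changed with "setpref"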
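A quick check for the three settings above, as an added example that is not part of the original post. The function name audit_gpg_conf and its messages are made up for this illustration, and it assumes that MD5 and SHA1 are the digests worth flagging.

```shell
#!/bin/sh
# Added example: audit gpg.conf (file argument, or stdin) for the three digest
# options above. One finding per line; no output means nothing was flagged.
# Only algorithm names are recognised, not preference codes such as H8.
audit_gpg_conf() {
    awk '
    function weak(a)   { return toupper(a) ~ /^(MD5|SHA1)$/ }
    function digest(a) { return toupper(a) ~ /^(MD5|SHA1|RIPEMD160|SHA(224|256|384|512))$/ }
    $1 ~ /^#/ || NF == 0 { next }              # comments and blank lines
    $1 == "personal-digest-preferences" {
        pdp = 1
        if (NF < 2 || weak($2))
            print $1 ": first choice is " (NF < 2 ? "missing" : $2)
    }
    $1 == "cert-digest-algo" {
        cda = 1
        if (NF < 2 || weak($2))
            print $1 ": key signatures would use " (NF < 2 ? "the default" : $2)
    }
    $1 == "default-preference-list" {
        dpl = 1
        first = ""
        for (i = 2; i <= NF; i++)
            if (digest($i)) { first = $i; break }
        if (first == "" || weak(first))
            print $1 ": first digest is " (first == "" ? "missing" : first)
    }
    END {
        if (!pdp) print "personal-digest-preferences: not set"
        if (!cda) print "cert-digest-algo: not set"
        if (!dpl) print "default-preference-list: not set"
    }' "${1:--}"
}

# Constructed sample: a configuration that still prefers SHA-1.
audit_gpg_conf <<'EOF'
# constructed example, not a real user's file
personal-digest-preferences SHA1 SHA256
cert-digest-algo SHA1
EOF
```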
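Create the key
What is created here is the primary key. The default, DSA, is no longer recommended in newer versions of GnuPG (1.4.10+), so we follow the advice of a Debian expert (see reference [6]) and use RSA.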
$ gpg --gen-key
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection? 5
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: Tommy Wang
Email address: x@a.org
Comment:
You selected this USER-ID:
"Tommy Wang <x@a.org>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key A565F2C2 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 4096R/A565F2C2 2009-11-05
Key fingerprint = 573F C15E B6A4 8432 EA49 FA77 E05C CC56 A565 F2C2
uid Tommy Wang <x@a.org>
Note that this key cannot be used for encryption. You may want to use
the command "--edit-key" to generate a subkey for this purpose.
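Be sure to remember the passphrase; without it the key is useless.
The random bytes needed to generate the key are collected from I/O activity (moving the mouse, typing on the keyboard, and so on). If there are not enough random bytes, gpg prompts you to keep going.
Add other UIDs
Signatures made in different contexts may need to show different UIDs.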
$ gpg --edit-key 0xA565F2C2
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 4096R/A565F2C2 created: 2009-11-05 expires: never usage: SC
trust: ultimate validity: ultimate
[ultimate] (1). Tommy Wang<x@a.org>
Command> adduid
Real name: Tommy Wang
Email address: x@b.org
Comment:
You selected this USER-ID:
"Tommy Wang<x@b.org>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a passphrase to unlock the secret key for
user: "Tommy Wang<x@a.org>"
4096-bit RSA key, ID A565F2C2, created 2009-11-05
pub 4096R/A565F2C2 created: 2009-11-05 expires: never usage: SC
trust: ultimate validity: ultimate
[ultimate] (1) Tommy Wang<x@a.org>
[ unknown] (2). Tommy Wang<x@b.org>
Command> save
Set the primary UID
If you have not added multiple UIDs, skip this step.
$ gpg --edit-key 0xA565F2C2
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 4096R/A565F2C2 created: 2009-11-05 expires: never usage: SC
trust: ultimate validity: ultimate
[ultimate] (1). Tommy Wang <x@b.org>
[ultimate] (2) Tommy Wang <x@a.org>
Command> uid 2
pub 4096R/A565F2C2 created: 2009-11-05 expires: never usage: SC
trust: ultimate validity: ultimate
[ultimate] (1). Tommy Wang <x@b.org>
[ultimate] (2)* Tommy Wang <x@a.org>
Command> primary
You need a passphrase to unlock the secret key for
user: "Tommy Wang <x@b.org>"
4096-bit RSA key, ID A565F2C2, created 2009-11-05
pub 4096R/A565F2C2 created: 2009-11-05 expires: never usage: SC
trust: ultimate validity: ultimate
[ultimate] (1) Tommy Wang <x@b.org>
[ultimate] (2)* Tommy Wang <x@a.org>
Command> save
Add a subkey for encryption
The primary key is used for signing; if you need encryption, add a subkey.
$ gpg --edit-key 0xA565F2C2
gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
pub 4096R/A565F2C2 created: 2009-11-05 expires: never usage: SC
trust: ultimate validity: ultimate
[ultimate] (1). Tommy Wang <x@a.org>
[ultimate] (2) Tommy Wang <x@b.org>
Command> addkey
Key is protected.
You need a passphrase to unlock the secret key for
user: "Tommy Wang <x@a.org>"
4096-bit RSA key, ID A565F2C2, created 2009-11-05
Please select what kind of key you want:
(2) DSA (sign only)
(4) Elgamal (encrypt only)
(5) RSA (sign only)
(6) RSA (encrypt only)
Your selection? 6
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
pub 4096R/A565F2C2 created: 2009-11-05 expires: never usage: SC
trust: ultimate validity: ultimate
sub 4096R/8F0048F3 created: 2009-11-05 expires: never usage: E
[ultimate] (1). Tommy Wang <x@a.org>
[ultimate] (2) Tommy Wang <x@b.org>
Command> save
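To confirm the result of the key-creation and subkey steps above without rereading the interactive menus, the following added example (not part of the original post) checks gpg's colon-delimited listing for an RSA signing primary key and a usable encryption subkey. The function name audit_key, the 4096-bit default threshold and the sample listing are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: check a key against the layout built above. Feed it the
# output of `gpg --with-colons --list-keys KEYID` on stdin.
# Colon fields used: 1 record type, 2 validity, 3 bits, 4 algorithm
# (1 = RSA, 16 = Elgamal, 17 = DSA), 5 long key ID, 12 capabilities.
audit_key() {
    awk -F: -v minbits="${1:-4096}" '
    $1 == "pub" {
        primary = $5
        if ($2 ~ /^[rei]$/)       print "primary " $5 ": revoked, expired or invalid"
        if ($4 != 1)              print "primary " $5 ": algorithm " $4 " is not RSA"
        if ($3 + 0 < minbits + 0) print "primary " $5 ": only " $3 " bits"
        if ($12 !~ /s/)           print "primary " $5 ": cannot sign"
        if ($12 ~ /e/)            print "primary " $5 ": also used for encryption"
    }
    # Lower-case letters in field 12 are what this key itself may do.
    $1 == "sub" && $12 ~ /e/ && $2 !~ /^[rei]$/ {
        enc++
        if ($3 + 0 < minbits + 0) print "subkey " $5 ": only " $3 " bits"
    }
    END {
        if (primary == "") print "no pub record on input"
        else if (!enc)     print "primary " primary ": no usable encryption subkey"
    }'
}

# Constructed listing: the key as it stands right after --gen-key, before
# addkey. The long key ID is the tail of the fingerprint shown above.
audit_key <<'EOF'
pub:u:4096:1:E05CCC56A565F2C2:2009-11-05:::u:Tommy Wang <x@a.org>::scSC:
EOF
```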
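Generate a revocation certificate for the key
Once the key has been generated, create a revocation certificate, so that if the key ever becomes unusable (it is stolen, or you forget the passphrase) you can use the certificate to revoke it. After you revoke a key you can still decrypt with the private key (gpg notes that the key has been revoked), but the key can no longer be used for encryption (gpg reports that no usable public key is available).
Keep the certificate safe, preferably stored separately from the private key. The following command writes the revocation certificate for the given key, in ASCII format, to the file filename: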
$ gpg --output filename.revoke --gen-revoke A565F2C2
Send the key to a key server
The key you just created only takes effect once it has been sent to a key server; otherwise other people cannot obtain your public key.
$ gpg --keyserver pgp.mit.edu --send-key A565F2C2
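Look up your key on pgp.mit.edu to check whether it was published successfully.
Encrypt and sign with the key
bitorb encrypts the file hello.pl with tommy's public key; tommy will decrypt it.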
$ gpg -r tommy -o hello.pl.enc -e hello.pl
tommy decrypts the file hello.pl.enc with his own private key.
$ gpg -o hello.pl -d hello.pl.enc
bitorb signs the file hello.pl with his own private key; tommy holds bitorb's public key, so he can verify it.
$ gpg -o hello.pl.sig -s hello.pl
tommy verifies the file hello.pl.sig with bitorb's public key.
$ gpg --verify hello.pl.sig
bitorb encrypts and signs hello.pl in one step, using tommy's public key and his own private key.
$ gpg -o hello.pl.sig -ser tommy hello.pl
tommy uses his own private key and bitorb's public key to decrypt the file hello.pl.enc and verify its signature in one step.
$ gpg -o hello.pl -d hello.pl.sig
References
[1] Build a web of trust using open source programs, GNU Privacy Guard
[2] Creating a new GPG key
[3] Gnu Privacy Guard (GnuPG) Mini HOWTO (Chinese edition)
[4] http://keyring.debian.org/creating-key.html
[5] http://www.gnupg.org/documentation/manuals/gnupg-devel/GPG-Esoteric-Options.html
[6] HOWTO prep for migration off of SHA-1 in OpenPGP
[7] Revoking a GPG key
[8] OpenPGP Key Backup