本文只是對GnuPG最基本最簡單最初級的介紹。
這篇文章從(作者自己瞎折騰的)問題 ------ 如何安全地分發私鑰入手,簡單全面地介紹了GnuPG的常規操作。
GnuPG還有很多其他功能,作者並沒有全部掌握,比如證書、密鑰的撤銷、管理等。
還有一個很重要的問題,pub與sub和sec與ssb的關系,待作者搞清楚后,再寫文介紹吧。
本文的章節:
(1) GnuPG的用法
(2) 公鑰的導出和傳播
(3) 私鑰的導出和傳播
(4) 加密分發“我的私鑰”
(5) 解密並簽名分發“我的私鑰”
(6) 在其他電腦上啟用“我的密鑰”
1 k與K
可以參考man gpg里的說明:
-k
--list-public-keys
List all keys from the public keyrings, or just the keys given
on the command line.
Avoid using the output of this command in scripts or other pro-
grams as it is likely to change as GnuPG changes. See --with-
colons for a machine-parseable key listing command that is
appropriate for use in scripts and other programs.
--list-secret-keys
-K List all keys from the secret keyrings, or just the ones given
on the command line. A # after the letters sec means that the
secret key is not usable (for example, if it was created via
--export-secret-subkeys).
2 生成密鑰
opensuse13:~ #
opensuse13:~ # gpg -K
opensuse13:~ # gpg -k
opensuse13:~ # gpg --gen-key
gpg (GnuPG) 2.0.26; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 5m
Key expires at Mon Apr 24 21:17:17 2017 CST
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: FranklinYang
Email address: andypeker@163.com
Comment: Encrypt RSA 4096
You selected this USER-ID:
"FranklinYang (Encrypt RSA 4096) <andypeker@163.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key F55B4065 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2017-04-24
pub 4096R/276856F7 2016-11-25 [expires: 2017-04-24]
Key fingerprint = 13A2 DD5C 4BB1 13DA 9665 D49B 2055 C017 F55B 4065
uid [ultimate] FranklinYang (Encrypt RSA 4096) <andypeker@163.com>
sub 4096R/0A09DAC9 2016-11-25 [expires: 2017-04-24]
opensuse13:~ #
opensuse13:~ #
opensuse13:~ #
opensuse13:~ # gpg -k
/root/.gnupg/pubring.gpg
------------------------
pub 4096R/276856F7 2016-11-25 [expires: 2017-04-24]
uid [ultimate] FranklinYang (Encrypt RSA 4096) <andypeker@163.com>
sub 4096R/0A09DAC9 2016-11-25 [expires: 2017-04-24]
opensuse13:~ # gpg -K
/root/.gnupg/secring.gpg
------------------------
sec 4096R/276856F7 2016-11-25 [expires: 2017-04-24]
uid FranklinYang (Encrypt RSA 4096) <andypeker@163.com>
ssb 4096R/0A09DAC9 2016-11-25
opensuse13:~ #
opensuse13:~ #
3 公鑰和私鑰的區別
注意下面這個幾個key:
pub sub sec ssb
各有用途!
比如下面:
opensuse13b:~ #
opensuse13b:~ # gpg -K
/root/.gnupg/secring.gpg
------------------------
sec 4096R/9DDE7116 2016-11-24 [expires: 2017-05-24]
uid suse13b RSA encrypt
ssb 4096R/EC3B4291 2016-11-24
sec# 2048R/6EB6C991 2016-11-24 [expires: 2017-02-22]
uid virtual RSA Encrypt <164820658@qq.com>
ssb 2048g/E423A188 2016-11-28
sec 2048R/EBD97E5C 2016-11-28
uid macOSwhyang
ssb 2048R/8EDFDBEC 2016-11-28
ssb 2048g/45FFDAC5 2016-11-28
ssb 2048D/C1CAA280 2016-11-28
opensuse13b:~ #
opensuse13b:~ #