1 為什么要導出分發私鑰
友情提示:分發私鑰,是危險的!
我有好幾個電腦,只想用一對密鑰;也就是說我需要把我的私鑰,放到那幾個電腦上。這樣,我就就可以在任意電腦上,解密和簽名以及其他。
1 怎么做
使用(臨時)公鑰把私鑰加密,然后傳到我的其他某個電腦,再解密。
3 我的debian8,生成(臨時)密鑰
root@debian8:~# gpg -K
root@debian8:~# gpg -k
/root/.gnupg/pubring.gpg
------------------------
pub 4096R/276856F7 2016-11-25 [expires: 2017-04-24]
uid FranklinYang (Encrypt RSA 4096) <andypeker@163.com>
sub 4096R/0A09DAC9 2016-11-25 [expires: 2017-04-24]
root@debian8:~#
root@debian8:~#
(編輯這個key,並且修改trust)
root@debian8:~# gpg -K
/root/.gnupg/secring.gpg
------------------------
sec 1024D/D04D1A0B 2016-11-25 [expires: 2016-12-09]
uid debian8
ssb 2048g/C1845DA4 2016-11-25
root@debian8:~# gpg -k
/root/.gnupg/pubring.gpg
------------------------
pub 4096R/276856F7 2016-11-25 [expires: 2017-04-24]
uid FranklinYang (Encrypt RSA 4096) <andypeker@163.com>
sub 4096R/0A09DAC9 2016-11-25 [expires: 2017-04-24]
pub 1024D/D04D1A0B 2016-11-25 [expires: 2016-12-09]
uid debian8
sub 2048g/C1845DA4 2016-11-25 [expires: 2016-12-09]
root@debian8:~#
4 我的Centos7,生成(臨時)密鑰
[root@centos7 ~]# gpg -K
[root@centos7 ~]#
[root@centos7 ~]#
[root@centos7 ~]# gpg -k
/root/.gnupg/pubring.gpg
------------------------
pub 4096R/276856F7 2016-11-25 [expires: 2017-04-24]
uid FranklinYang (Encrypt RSA 4096) <andypeker@163.com>
sub 4096R/0A09DAC9 2016-11-25 [expires: 2017-04-24]
[root@centos7 ~]#
[root@centos7 ~]#
(編輯這個key,並且修改trust)
[root@centos7 ~]# gpg -K
/root/.gnupg/secring.gpg
------------------------
sec 1024D/28D414A1 2016-11-25 [expires: 2016-12-09]
uid centos7
ssb 2048g/CDA873F4 2016-11-25
[root@centos7 ~]# gpg -k
/root/.gnupg/pubring.gpg
------------------------
pub 4096R/276856F7 2016-11-25 [expires: 2017-04-24]
uid FranklinYang (Encrypt RSA 4096) <andypeker@163.com>
sub 4096R/0A09DAC9 2016-11-25 [expires: 2017-04-24]
pub 1024D/28D414A1 2016-11-25 [expires: 2016-12-09]
uid centos7
sub 2048g/CDA873F4 2016-11-25 [expires: 2016-12-09]
[root@centos7 ~]#
5 導出2個(臨時)公鑰給我的(opensuse13)電腦
root@debian8:~# gpg -a -o debian8.pub.key --export D04D1A0B
root@debian8:~#
root@debian8:~#
root@debian8:~# l debian8.pub.key
-rw-r--r-- 1 root root 1645 Nov 25 23:16 debian8.pub.key
root@debian8:~#
root@debian8:~# scp debian8.pub.key root@192.168.19.147:/root/
Password:
debian8.pub.key 100% 1645 1.6KB/s 00:00
root@debian8:~#
root@debian8:~#
[root@centos7 ~]# gpg -a -o centos7.pub.key --export 28D414A1
[root@centos7 ~]# ls -l centos7.pub.key
-rw-r--r--. 1 root root 1662 Nov 25 23:15 centos7.pub.key
[root@centos7 ~]#
[root@centos7 ~]# scp centos7.pub.key root@192.168.19.147:/root/
Password:
centos7.pub.key 100% 1662 1.6KB/s 00:00
[root@centos7 ~]#
5 我的(opensuse13)電腦導入2個(臨時)公鑰
opensuse13:~ # gpg --import debian8.pub.key
gpg: key D04D1A0B: public key "debian8" imported
gpg: Total number processed: 1
gpg: imported: 1
opensuse13:~ # gpg --import centos7.pub.key
gpg: key 28D414A1: public key "centos7" imported
gpg: Total number processed: 1
gpg: imported: 1
opensuse13:~ #
(編輯這二個key,並且修改trust)
opensuse13:~ # gpg -k
/root/.gnupg/pubring.gpg
------------------------
pub 4096R/276856F7 2016-11-25 [expires: 2017-04-24]
uid [ultimate] FranklinYang (Encrypt RSA 4096) <andypeker@163.com>
sub 4096R/0A09DAC9 2016-11-25 [expires: 2017-04-24]
pub 1024D/D04D1A0B 2016-11-25 [expires: 2016-12-09]
uid [unknown] debian8
sub 2048g/C1845DA4 2016-11-25 [expires: 2016-12-09]
pub 1024D/28D414A1 2016-11-25 [expires: 2016-12-09]
uid [unknown] centos7
sub 2048g/CDA873F4 2016-11-25 [expires: 2016-12-09]
opensuse13:~ #
整個過程的唯一不安全的地方就在這里,通過scp分發2個“臨時”公鑰;沒有涉及認證,也沒有簽名!其實可以簽名一下,或者對比指紋fingerprint,達到認證這2個公鑰的效果。
6 我的(opensuse13)導出我的私鑰
opensuse13:~ # gpg -K
/root/.gnupg/secring.gpg
------------------------
sec 4096R/276856F7 2016-11-25 [expires: 2017-04-24]
uid FranklinYang (Encrypt RSA 4096) <andypeker@163.com>
ssb 4096R/0A09DAC9 2016-11-25
opensuse13:~ # gpg -a -o FranklinYang.rsa.sec.key --export-secret-keys 276856F7
opensuse13:~ # l FranklinYang.rsa.sec.key
-rw-r--r-- 1 root root 3132 Nov 25 21:19 FranklinYang.rsa.sec.key
opensuse13:~ #
或者:
opensuse13:~ #
opensuse13:~ # gpg -o FranklinYang.sec.key --export-secret-keys FranklinYang
opensuse13:~ #
opensuse13:~ #