********************
GNU PRIVACY HANDBOOK
********************
http://www.gnupg.org/documentation/howtos.html
http://www.gnupg.org/documentation/manuals.html
http://www.gnupg.org/documentation/guides.html
1. Generating a new keypair
2. Generating a revocation certificate
3. Exchangeing keys
4. Exporting a public key
5. Importing a public key
6. Encrypting and decrypting documents
7. Making and verifying signatures
8. Chearsigned documents
9. Detached signatures
++++++++++++++++++++++++++++
环境说明:
gnu@gnu ----- private/public 密钥创建 ----------- debian
root@BSD ----- public 密钥使用者 ----------- Ubuntu
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
1. Generating a new keypair
<<<<<<<<<<<<<<<<<<<<<<<<<<<<
gnu@gnu:~$ gpg --gen-key
gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: directory `/home/gnu/.gnupg' created
gpg: new configuration file `/home/gnu/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/gnu/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/gnu/.gnupg/secring.gpg' created
gpg: keyring `/home/gnu/.gnupg/pubring.gpg' created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?
gpg (GnuPG) 1.4.12 能够创建不同类型的密钥对, 核心钥匙必须能够用来进行数字签名.
上面提供了4个选项,
(1) 创建两个RSA密钥, 分别用于数字签名和加密
(2) 创建DSA和Elgamal这两个密钥, DSA密钥对是用于数字签名, Elgamal密钥对用于加密.
(3) 仅创造了一个DSA密钥队, 用于签名,
(4) 仅创造了一个RSA密钥, 用于签名,
对大多数用户来说, 默认选项已经不错.
生成密钥时, 需要指定一个密钥的大小值,
DSA key的大小应在 512 与 1024 bits间(新版本可能有变动, 一软件说明为准).
Elgamal 可以是任意大小. GnuPG 需要key文件不小于 768 bits.
如果你设置了一个大于 1024 bits的Key值,
Elgamal方案会要求重新给一个有效值.
而DSA会设定为1024 bits.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 2 <------------------------ 输入
DSA keys may be between 1024 and 3072 bits long.
What keysize do you want? (2048) 2048 <------------------------ 输入
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) <------------------------ 输入
密钥越长, 越能有效针对蛮力攻击, 默认情况下, 密钥够用, 它可采用最轻量的加密, 以避免被攻破.
密钥越长, 加密和解密就会越慢, 密钥较大会影响数字签名的长度. 一旦长度确定, 后期不能改变.
接着设定过期时间, 多数情况下, 不推荐永久密钥, 因此应当小心设定过期时间. 因为一旦密钥被生成,
虽然可以修改密钥时间, 但是会影响到那些使用公钥的用户.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y <------------------------ 输入 [设定软件有效值为1年]
Key expires at Fri 23 Jan 2015 10:39:59 PM EST
Is this correct? (y/N) y <------------------------ 输入
设定完过期时间, 现在需要设置用户ID这一类的信息,
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: GNU.FSF
Email address: gnu@fsf.org
Comment: The GNU privacy GUARD
You selected this USER-ID:
"GNU.FSF (The GNU privacy GUARD) <gnu@fsf.org>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O <------------------------ 输入
一旦指定 user ID, 对应的密钥就会被创建, 创建后, user ID不能被更改.
创建时, GnuPG 需要一个通用密码, 用来保护核心私钥. 输入密码后,完成密钥生成工作.
(密钥长度没有限制, 因当小心选择, 从安全角度考虑, 使用密码解锁密钥是GnuPG的薄弱点)
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: WARNING: some OpenPGP programs can't handle a DSA key with this digest size
+++++++++++++++.++++++++++..+++++++++++++++...++++++++++.++++++++++..+++++.+++++...+++++.++++++++++.+++++++++++++++.+++++..+++++.+++++++++++++++..++++++++++.>....+++++......................................................................+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++..++++++++++.+++++.++++++++++..+++++.+++++..++++++++++.+++++++++++++++++++++++++++++++++++.++++++++++>++++++++++>+++++..............................................................>+++++.................................+++++^^^
gpg: /home/gnu/.gnupg/trustdb.gpg: trustdb created
gpg: key 4613154C marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2015-01-24
pub 2048D/4613154C 2014-01-24 [expires: 2015-01-24]
Key fingerprint = 838F AD84 531C C076 6B45 A53B 2BC0 C1D2 4613 154C
uid GNU.FSF (The GNU privacy GUARD) <gnu@fsf.org>
sub 2048g/6CA2E038 2014-01-24 [expires: 2015-01-24]
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2. Generating a revocation certificate
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
密钥对创建后, 你应该立即为核心公钥创建一个废弃证书.
如果你忘记了私钥的密码或者私钥丢失. 这个证书可以发布, 以便告知用户公钥已经不可用.
过去, 这个证书还可以用来确认签名, 但是不能用来加密信息.
如果你拥有私钥, 这个证书也不会干扰你解密信息.
gnu@gnu:~/.gnupg$ gpg -o revoke.asc --gen-revoke "GNU.FSF (The GNU privacy GUARD) <gnu@fsf.org>"
--gen-revoke 后面的参数必须是一个特定的值, 例如: 密钥ID 或者 user ID的任意部分.
这个证书应该放在其他人无法访问的地方, 一旦这个证书发布, 那就意味着公钥无效.
gnu@gnu:~/.gnupg$ gpg -o revoke.asc --gen-revoke "GNU.FSF (The GNU privacy GUARD) <gnu@fsf.org>"
sec 2048D/4613154C 2014-01-24 GNU.FSF (The GNU privacy GUARD) <gnu@fsf.org>
Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision? 0
Enter an optional description; end it with an empty line:
> revocation certificate for GNU
>
Reason for revocation: No reason specified
revocation certificate for GNU
Is this okay? (y/N) y
You need a passphrase to unlock the secret key for
user: "GNU.FSF (The GNU privacy GUARD) <gnu@fsf.org>"
2048-bit DSA key, ID 4613154C, created 2014-01-24
Enter passphrase:
ASCII armored output forced.
Revocation certificate created.
Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable. But have some caution: The print system of
your machine might store the data and make it available to others!
gnu@gnu:~/.gnupg$ ls -l
total 36
-rw------- 1 gnu gnu 9188 Jan 23 20:19 gpg.conf
-rw------- 1 gnu gnu 1635 Jan 24 01:21 pubring.gpg
-rw------- 1 gnu gnu 1635 Jan 24 01:21 pubring.gpg~
-rw------- 1 gnu gnu 600 Jan 24 01:45 random_seed
-rw-r--r-- 1 gnu gnu 337 Jan 24 01:45 revoke.asc
-rw------- 1 gnu gnu 1796 Jan 24 01:21 secring.gpg
-rw------- 1 gnu gnu 1280 Jan 24 01:21 trustdb.gpg
密钥创建完成, 建议对其进行签名.
root@BSD:~# gpg --edit-key gnu
Command> sign
>>>>>>>>>>>>>>>>>>>
3. Exchanging keys
<<<<<<<<<<<<<<<<<<<
接下来, 就可以与其他用户交换公钥. 交换公钥前,
先使用 --list-keys 列举可用公钥.
gnu@gnu:~/.gnupg$ gpg --list-keys
/home/gnu/.gnupg/pubring.gpg
----------------------------
pub 2048D/4613154C 2014-01-24 [expires: 2015-01-24]
uid GNU.FSF (The GNU privacy GUARD) <gnu@fsf.org>
sub 2048g/6CA2E038 2014-01-24 [expires: 2015-01-24]
>>>>>>>>>>>>>>>>>>>>>>>>>>
4. Exporting a public key
<<<<<<<<<<<<<<<<<<<<<<<<<<
欲将公钥给通信者, 需要先将其导出.
--export 后面的参数, 可以是 密钥ID 或者 user ID的任意部分
gnu@gnu:~/.gnupg$ gpg -a -o someone.gpg --export gnu
gnu@gnu:~/.gnupg$ ls -l
total 40
-rw------- 1 gnu gnu 9188 Jan 23 20:19 gpg.conf
-rw------- 1 gnu gnu 1635 Jan 24 01:21 pubring.gpg
-rw------- 1 gnu gnu 1635 Jan 24 01:21 pubring.gpg~
-rw------- 1 gnu gnu 600 Jan 24 01:45 random_seed
-rw-r--r-- 1 gnu gnu 337 Jan 24 01:45 revoke.asc
-rw------- 1 gnu gnu 1796 Jan 24 01:21 secring.gpg
-rw-r--r-- 1 gnu gnu 2320 Jan 24 01:52 someone.gpg
-rw------- 1 gnu gnu 1280 Jan 24 01:21 trustdb.gpg
gnu@gnu:~/.gnupg$ cat someone.gpg
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.12 (GNU/Linux)
mQMuBFLiBjwRCADPmrI+cbVwJOeheeiRHOFoHXBzSvjbyaadaJdVZd0IYw8aSZdM
vV3eFGpDqhzw8orT+LauGjOqhFbZsXIpi04SqJyYnA6ssnw/Bj+rXZ1lANw0qdKc
AF0f9yPEBaDHHSbkoMnXjh+5Fl+OatuGjL5rrkP5rJi9ZF6I8wNLpYWQr5KFqwz6
tkaEzucI1cA/LFcdy95I2Q7qwQbOI7OBHHo47f6tlJKgNHAgXEmJmEuYCkxumX98
.........
.........
>>>>>>>>>>>>>>>>>>>>>>>>>>
5. Importing a public key
<<<<<<<<<<<<<<<<<<<<<<<<<<
root@BSD:~/Desktop# gpg --list-keys
root@BSD:~/Desktop# gpg --import someone.gpg
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: key 4613154C: public key "GNU.FSF (The GNU privacy GUARD) <gnu@fsf.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
root@BSD:~/Desktop# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub 2048D/4613154C 2014-01-24 [expires: 2015-01-24]
uid GNU.FSF (The GNU privacy GUARD) <gnu@fsf.org>
sub 2048g/6CA2E038 2014-01-24 [expires: 2015-01-24]
密钥被导入后, 应该进行验证. GnuPG 使用了一个强大而灵活的信任模型, 不需要你自己验证每个导入的细节.
一个密钥是否有效, 可以使用密钥的指纹和签名进行验证. 密钥指纹可以通过 --fingerprint 查看, 或者如下:
root@BSD:~# gpg --edit-key gnu
gpg (GnuPG) 1.4.10; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub 2048D/4613154C created: 2014-01-24 expires: 2015-01-24 usage: SC
trust: unknown validity: unknown
sub 2048g/6CA2E038 created: 2014-01-24 expires: 2015-01-24 usage: E
[ unknown] (1). GNU.FSF (The GNU privacy GUARD) <gnu@fsf.org>
Command> fpr
pub 2048D/4613154C 2014-01-24 GNU.FSF (The GNU privacy GUARD) <gnu@fsf.org>
Primary key fingerprint: 838F AD84 531C C076 6B45 A53B 2BC0 C1D2 4613 154C
Command>
指纹可用来确认这个密钥的所有者. 你可以使用电话或者其他方式, 以确认你可以与密钥持有者通讯.
如果你的指纹, 与密钥持有者指纹相同, 说明你拥有一份正确的密钥拷贝.
指纹检查完成后, 你需要检查密钥签名. 公钥加密后的密钥验证, 一直是个薄弱点. 因此,
在签名认证前, 应该先检验指纹.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
6. Encrypting and decrypting documents
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
公钥和私钥, 在加密与解密文档时扮演着很重要的角色.
确认你使用的是一个安全的公钥, 通常我们会用公钥加密文档.
私钥则是用于解密, 查看这些被加密的文档.
如果你想给GNU发送一条加密的信息, 你可以使用 GNU 的公钥加密.
GNU 收到信息后, 就可以使用私钥解密. 如果你想GNU给你发送加密信息, 同样可让他使用你的公钥加密数据.
使用参数 --encrypt 指定开始加密操作, --recipient 指定加密所需的公钥和文件.
root@BSD:~/Desktop# gpg -a --output src_encrypt --encrypt --recipient gnu@fsf.org source.rar
gpg: 6CA2E038: There is no assurance this key belongs to the named user
pub 2048g/6CA2E038 2014-01-24 GNU.FSF (The GNU privacy GUARD) <gnu@fsf.org>
Primary key fingerprint: 838F AD84 531C C076 6B45 A53B 2BC0 C1D2 4613 154C
Subkey fingerprint: CCCD 9ECB 8FC5 8673 64B6 33D3 E356 609B 6CA2 E038
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N) y
root@BSD:~/Desktop# head -8 src_encrypt
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.10 (GNU/Linux)
hQIOA+NWYJtsouA4EAgAyRl0JREkGxZqNzKEpVCLcLFKMjl2eWdxTrOKYBQ3xZ/U
M89EWcZ7QnpMUsNdASeemQV+86l4uoqqUqXZzG32kyfhxkS2xjwCKKqTiWcjgAHZ
Wh9yDyYDJpaJ09ylvy/gaFpdvZpuwnzQjTEWd+1Y02jasdGno/rnIY10d28mpn28
zu23WNNNvVTv9reDiKXYwy0e49mwupQbKwvOOOOuydFUdwyRWa485eJ0C+L1DFtW
w95sieHIb+qH4R0KBNTD+6noCfoyDOSL/qjK+vuqwFsD+qayBolYJXzxqs+dtXR5
接到加密后的文件, 可利用自己的私钥解密.
gnu@gnu:~/Desktop$ gpg --output src_decrypt.rar --decrypt src_encrypt.gpg
You need a passphrase to unlock the secret key for
user: "GNU.FSF (The GNU privacy GUARD) <gnu@fsf.org>"
2048-bit ELG-E key, ID 6CA2E038, created 2014-01-24 (main key ID 4613154C)
gpg: encrypted with 2048-bit ELG-E key, ID 6CA2E038, created 2014-01-24
"GNU.FSF (The GNU privacy GUARD) <gnu@fsf.org>"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
7. Making and Verfying signatures
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
数字签名和时间戳常用于检验文件有效性. 如果文档被修改, 数字签名就会失效.
数字签名, 就像手写签名一样, 可以用于防篡改.
创建和验证数字签名, 不同于密钥对的加密和解密操作. 使用签名者的私钥创建一个数字签名.
这个签名可用于检验公钥的有效性.
gnu@gnu:~/Desktop$ gpg -a -o src_encrypt.sig --sign source.rar
You need a passphrase to unlock the secret key for
user: "GNU.FSF (The GNU privacy GUARD) <gnu@fsf.org>"
2048-bit DSA key, ID 4613154C, created 2014-01-24
文档在被签名之前会被先压缩, 默认输出二进制格式。
签名后产生的src_encrypt.sig, 直接可以用公钥解密.
root@BSD:~/Desktop# gpg -o src.rar --decrypt src_encrypt.sig
gpg: Signature made Fri 24 Jan 2014 03:58:19 PM CST using DSA key ID 4613154C
gpg: Good signature from "GNU.FSF (The GNU privacy GUARD) <gnu@fsf.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 838F AD84 531C C076 6B45 A53B 2BC0 C1D2 4613 154C
>>>>>>>>>>>>>>>>>>>>>>>>>
8. Chearsigned documents
<<<<<<<<<<<<<<<<<<<<<<<<<
使用参数 --clearsign 可以将文档内容变为标记明文.
gnu@gnu:~/Desktop$ gpg --clearsign source.rar
You need a passphrase to unlock the secret key for
user: "GNU.FSF (The GNU privacy GUARD) <gnu@fsf.org>"
2048-bit DSA key, ID 4613154C, created 2014-01-24
>>>>>>>>>>>>>>>>>>>>>>>>
9. Detached signatures
<<<<<<<<<<<<<<<<<<<<<<<<
被标记的文档, 在使用时很多限制. 用户可以使用下面命令, 将文档与签名分离.
gnu@gnu:~/Desktop$ gpg -o src_encrypt_s.sig --detach-sig src_encrypt.sig
You need a passphrase to unlock the secret key for
user: "GNU.FSF (The GNU privacy GUARD) <gnu@fsf.org>"
2048-bit DSA key, ID 4613154C, created 2014-01-24
检验数据有效新, 使用下面选项 --verify
gnu@gnu:~/Desktop$ gpg --verify src_encrypt_s.sig src_encrypt.sig
gpg: Signature made Fri 24 Jan 2014 03:22:30 AM EST using DSA key ID 4613154C
gpg: Good signature from "GNU.FSF (The GNU privacy GUARD) <gnu@fsf.org>"
GNU PRIVACY HANDBOOK
********************
http://www.gnupg.org/documentation/howtos.html
http://www.gnupg.org/documentation/manuals.html
http://www.gnupg.org/documentation/guides.html
1. Generating a new keypair
2. Generating a revocation certificate
3. Exchangeing keys
4. Exporting a public key
5. Importing a public key
6. Encrypting and decrypting documents
7. Making and verifying signatures
8. Chearsigned documents
9. Detached signatures
++++++++++++++++++++++++++++
环境说明:
gnu@gnu ----- private/public 密钥创建 ----------- debian
root@BSD ----- public 密钥使用者 ----------- Ubuntu
>>>>>>>>>>>>>>>>>>>>>>>>>>>>
1. Generating a new keypair
<<<<<<<<<<<<<<<<<<<<<<<<<<<<
gnu@gnu:~$ gpg --gen-key
gpg (GnuPG) 1.4.12; Copyright (C) 2012 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: directory `/home/gnu/.gnupg' created
gpg: new configuration file `/home/gnu/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/gnu/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/gnu/.gnupg/secring.gpg' created
gpg: keyring `/home/gnu/.gnupg/pubring.gpg' created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?
gpg (GnuPG) 1.4.12 能够创建不同类型的密钥对, 核心钥匙必须能够用来进行数字签名.
上面提供了4个选项,
(1) 创建两个RSA密钥, 分别用于数字签名和加密
(2) 创建DSA和Elgamal这两个密钥, DSA密钥对是用于数字签名, Elgamal密钥对用于加密.
(3) 仅创造了一个DSA密钥队, 用于签名,
(4) 仅创造了一个RSA密钥, 用于签名,
对大多数用户来说, 默认选项已经不错.
生成密钥时, 需要指定一个密钥的大小值,
DSA key的大小应在 512 与 1024 bits间(新版本可能有变动, 一软件说明为准).
Elgamal 可以是任意大小. GnuPG 需要key文件不小于 768 bits.
如果你设置了一个大于 1024 bits的Key值,
Elgamal方案会要求重新给一个有效值.
而DSA会设定为1024 bits.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 2 <------------------------ 输入
DSA keys may be between 1024 and 3072 bits long.
What keysize do you want? (2048) 2048 <------------------------ 输入
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) <------------------------ 输入
密钥越长, 越能有效针对蛮力攻击, 默认情况下, 密钥够用, 它可采用最轻量的加密, 以避免被攻破.
密钥越长, 加密和解密就会越慢, 密钥较大会影响数字签名的长度. 一旦长度确定, 后期不能改变.
接着设定过期时间, 多数情况下, 不推荐永久密钥, 因此应当小心设定过期时间. 因为一旦密钥被生成,
虽然可以修改密钥时间, 但是会影响到那些使用公钥的用户.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y <------------------------ 输入 [设定软件有效值为1年]
Key expires at Fri 23 Jan 2015 10:39:59 PM EST
Is this correct? (y/N) y <------------------------ 输入
设定完过期时间, 现在需要设置用户ID这一类的信息,
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: GNU.FSF
Email address: gnu@fsf.org
Comment: The GNU privacy GUARD
You selected this USER-ID:
"GNU.FSF (The GNU privacy GUARD) <gnu@fsf.org>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O <------------------------ 输入
一旦指定 user ID, 对应的密钥就会被创建, 创建后, user ID不能被更改.
创建时, GnuPG 需要一个通用密码, 用来保护核心私钥. 输入密码后,完成密钥生成工作.
(密钥长度没有限制, 因当小心选择, 从安全角度考虑, 使用密码解锁密钥是GnuPG的薄弱点)
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: WARNING: some OpenPGP programs can't handle a DSA key with this digest size
+++++++++++++++.++++++++++..+++++++++++++++...++++++++++.++++++++++..+++++.+++++...+++++.++++++++++.+++++++++++++++.+++++..+++++.+++++++++++++++..++++++++++.>....+++++......................................................................+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++..++++++++++.+++++.++++++++++..+++++.+++++..++++++++++.+++++++++++++++++++++++++++++++++++.++++++++++>++++++++++>+++++..............................................................>+++++.................................+++++^^^
gpg: /home/gnu/.gnupg/trustdb.gpg: trustdb created
gpg: key 4613154C marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2015-01-24
pub 2048D/4613154C 2014-01-24 [expires: 2015-01-24]
Key fingerprint = 838F AD84 531C C076 6B45 A53B 2BC0 C1D2 4613 154C
uid GNU.FSF (The GNU privacy GUARD) <gnu@fsf.org>
sub 2048g/6CA2E038 2014-01-24 [expires: 2015-01-24]
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
2. Generating a revocation certificate
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
密钥对创建后, 你应该立即为核心公钥创建一个废弃证书.
如果你忘记了私钥的密码或者私钥丢失. 这个证书可以发布, 以便告知用户公钥已经不可用.
过去, 这个证书还可以用来确认签名, 但是不能用来加密信息.
如果你拥有私钥, 这个证书也不会干扰你解密信息.
gnu@gnu:~/.gnupg$ gpg -o revoke.asc --gen-revoke "GNU.FSF (The GNU privacy GUARD) <gnu@fsf.org>"
--gen-revoke 后面的参数必须是一个特定的值, 例如: 密钥ID 或者 user ID的任意部分.
这个证书应该放在其他人无法访问的地方, 一旦这个证书发布, 那就意味着公钥无效.
gnu@gnu:~/.gnupg$ gpg -o revoke.asc --gen-revoke "GNU.FSF (The GNU privacy GUARD) <gnu@fsf.org>"
sec 2048D/4613154C 2014-01-24 GNU.FSF (The GNU privacy GUARD) <gnu@fsf.org>
Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision? 0
Enter an optional description; end it with an empty line:
> revocation certificate for GNU
>
Reason for revocation: No reason specified
revocation certificate for GNU
Is this okay? (y/N) y
You need a passphrase to unlock the secret key for
user: "GNU.FSF (The GNU privacy GUARD) <gnu@fsf.org>"
2048-bit DSA key, ID 4613154C, created 2014-01-24
Enter passphrase:
ASCII armored output forced.
Revocation certificate created.
Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable. But have some caution: The print system of
your machine might store the data and make it available to others!
gnu@gnu:~/.gnupg$ ls -l
total 36
-rw------- 1 gnu gnu 9188 Jan 23 20:19 gpg.conf
-rw------- 1 gnu gnu 1635 Jan 24 01:21 pubring.gpg
-rw------- 1 gnu gnu 1635 Jan 24 01:21 pubring.gpg~
-rw------- 1 gnu gnu 600 Jan 24 01:45 random_seed
-rw-r--r-- 1 gnu gnu 337 Jan 24 01:45 revoke.asc
-rw------- 1 gnu gnu 1796 Jan 24 01:21 secring.gpg
-rw------- 1 gnu gnu 1280 Jan 24 01:21 trustdb.gpg
密钥创建完成, 建议对其进行签名.
root@BSD:~# gpg --edit-key gnu
Command> sign
>>>>>>>>>>>>>>>>>>>
3. Exchanging keys
<<<<<<<<<<<<<<<<<<<
接下来, 就可以与其他用户交换公钥. 交换公钥前,
先使用 --list-keys 列举可用公钥.
gnu@gnu:~/.gnupg$ gpg --list-keys
/home/gnu/.gnupg/pubring.gpg
----------------------------
pub 2048D/4613154C 2014-01-24 [expires: 2015-01-24]
uid GNU.FSF (The GNU privacy GUARD) <gnu@fsf.org>
sub 2048g/6CA2E038 2014-01-24 [expires: 2015-01-24]
>>>>>>>>>>>>>>>>>>>>>>>>>>
4. Exporting a public key
<<<<<<<<<<<<<<<<<<<<<<<<<<
欲将公钥给通信者, 需要先将其导出.
--export 后面的参数, 可以是 密钥ID 或者 user ID的任意部分
gnu@gnu:~/.gnupg$ gpg -a -o someone.gpg --export gnu
gnu@gnu:~/.gnupg$ ls -l
total 40
-rw------- 1 gnu gnu 9188 Jan 23 20:19 gpg.conf
-rw------- 1 gnu gnu 1635 Jan 24 01:21 pubring.gpg
-rw------- 1 gnu gnu 1635 Jan 24 01:21 pubring.gpg~
-rw------- 1 gnu gnu 600 Jan 24 01:45 random_seed
-rw-r--r-- 1 gnu gnu 337 Jan 24 01:45 revoke.asc
-rw------- 1 gnu gnu 1796 Jan 24 01:21 secring.gpg
-rw-r--r-- 1 gnu gnu 2320 Jan 24 01:52 someone.gpg
-rw------- 1 gnu gnu 1280 Jan 24 01:21 trustdb.gpg
gnu@gnu:~/.gnupg$ cat someone.gpg
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.12 (GNU/Linux)
mQMuBFLiBjwRCADPmrI+cbVwJOeheeiRHOFoHXBzSvjbyaadaJdVZd0IYw8aSZdM
vV3eFGpDqhzw8orT+LauGjOqhFbZsXIpi04SqJyYnA6ssnw/Bj+rXZ1lANw0qdKc
AF0f9yPEBaDHHSbkoMnXjh+5Fl+OatuGjL5rrkP5rJi9ZF6I8wNLpYWQr5KFqwz6
tkaEzucI1cA/LFcdy95I2Q7qwQbOI7OBHHo47f6tlJKgNHAgXEmJmEuYCkxumX98
.........
.........
>>>>>>>>>>>>>>>>>>>>>>>>>>
5. Importing a public key
<<<<<<<<<<<<<<<<<<<<<<<<<<
root@BSD:~/Desktop# gpg --list-keys
root@BSD:~/Desktop# gpg --import someone.gpg
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: key 4613154C: public key "GNU.FSF (The GNU privacy GUARD) <gnu@fsf.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
root@BSD:~/Desktop# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub 2048D/4613154C 2014-01-24 [expires: 2015-01-24]
uid GNU.FSF (The GNU privacy GUARD) <gnu@fsf.org>
sub 2048g/6CA2E038 2014-01-24 [expires: 2015-01-24]
密钥被导入后, 应该进行验证. GnuPG 使用了一个强大而灵活的信任模型, 不需要你自己验证每个导入的细节.
一个密钥是否有效, 可以使用密钥的指纹和签名进行验证. 密钥指纹可以通过 --fingerprint 查看, 或者如下:
root@BSD:~# gpg --edit-key gnu
gpg (GnuPG) 1.4.10; Copyright (C) 2008 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub 2048D/4613154C created: 2014-01-24 expires: 2015-01-24 usage: SC
trust: unknown validity: unknown
sub 2048g/6CA2E038 created: 2014-01-24 expires: 2015-01-24 usage: E
[ unknown] (1). GNU.FSF (The GNU privacy GUARD) <gnu@fsf.org>
Command> fpr
pub 2048D/4613154C 2014-01-24 GNU.FSF (The GNU privacy GUARD) <gnu@fsf.org>
Primary key fingerprint: 838F AD84 531C C076 6B45 A53B 2BC0 C1D2 4613 154C
Command>
指纹可用来确认这个密钥的所有者. 你可以使用电话或者其他方式, 以确认你可以与密钥持有者通讯.
如果你的指纹, 与密钥持有者指纹相同, 说明你拥有一份正确的密钥拷贝.
指纹检查完成后, 你需要检查密钥签名. 公钥加密后的密钥验证, 一直是个薄弱点. 因此,
在签名认证前, 应该先检验指纹.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
6. Encrypting and decrypting documents
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
公钥和私钥, 在加密与解密文档时扮演着很重要的角色.
确认你使用的是一个安全的公钥, 通常我们会用公钥加密文档.
私钥则是用于解密, 查看这些被加密的文档.
如果你想给GNU发送一条加密的信息, 你可以使用 GNU 的公钥加密.
GNU 收到信息后, 就可以使用私钥解密. 如果你想GNU给你发送加密信息, 同样可让他使用你的公钥加密数据.
使用参数 --encrypt 指定开始加密操作, --recipient 指定加密所需的公钥和文件.
root@BSD:~/Desktop# gpg -a --output src_encrypt --encrypt --recipient gnu@fsf.org source.rar
gpg: 6CA2E038: There is no assurance this key belongs to the named user
pub 2048g/6CA2E038 2014-01-24 GNU.FSF (The GNU privacy GUARD) <gnu@fsf.org>
Primary key fingerprint: 838F AD84 531C C076 6B45 A53B 2BC0 C1D2 4613 154C
Subkey fingerprint: CCCD 9ECB 8FC5 8673 64B6 33D3 E356 609B 6CA2 E038
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N) y
root@BSD:~/Desktop# head -8 src_encrypt
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.10 (GNU/Linux)
hQIOA+NWYJtsouA4EAgAyRl0JREkGxZqNzKEpVCLcLFKMjl2eWdxTrOKYBQ3xZ/U
M89EWcZ7QnpMUsNdASeemQV+86l4uoqqUqXZzG32kyfhxkS2xjwCKKqTiWcjgAHZ
Wh9yDyYDJpaJ09ylvy/gaFpdvZpuwnzQjTEWd+1Y02jasdGno/rnIY10d28mpn28
zu23WNNNvVTv9reDiKXYwy0e49mwupQbKwvOOOOuydFUdwyRWa485eJ0C+L1DFtW
w95sieHIb+qH4R0KBNTD+6noCfoyDOSL/qjK+vuqwFsD+qayBolYJXzxqs+dtXR5
接到加密后的文件, 可利用自己的私钥解密.
gnu@gnu:~/Desktop$ gpg --output src_decrypt.rar --decrypt src_encrypt.gpg
You need a passphrase to unlock the secret key for
user: "GNU.FSF (The GNU privacy GUARD) <gnu@fsf.org>"
2048-bit ELG-E key, ID 6CA2E038, created 2014-01-24 (main key ID 4613154C)
gpg: encrypted with 2048-bit ELG-E key, ID 6CA2E038, created 2014-01-24
"GNU.FSF (The GNU privacy GUARD) <gnu@fsf.org>"
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
7. Making and Verfying signatures
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
数字签名和时间戳常用于检验文件有效性. 如果文档被修改, 数字签名就会失效.
数字签名, 就像手写签名一样, 可以用于防篡改.
创建和验证数字签名, 不同于密钥对的加密和解密操作. 使用签名者的私钥创建一个数字签名.
这个签名可用于检验公钥的有效性.
gnu@gnu:~/Desktop$ gpg -a -o src_encrypt.sig --sign source.rar
You need a passphrase to unlock the secret key for
user: "GNU.FSF (The GNU privacy GUARD) <gnu@fsf.org>"
2048-bit DSA key, ID 4613154C, created 2014-01-24
文档在被签名之前会被先压缩, 默认输出二进制格式。
签名后产生的src_encrypt.sig, 直接可以用公钥解密.
root@BSD:~/Desktop# gpg -o src.rar --decrypt src_encrypt.sig
gpg: Signature made Fri 24 Jan 2014 03:58:19 PM CST using DSA key ID 4613154C
gpg: Good signature from "GNU.FSF (The GNU privacy GUARD) <gnu@fsf.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 838F AD84 531C C076 6B45 A53B 2BC0 C1D2 4613 154C
>>>>>>>>>>>>>>>>>>>>>>>>>
8. Chearsigned documents
<<<<<<<<<<<<<<<<<<<<<<<<<
使用参数 --clearsign 可以将文档内容变为标记明文.
gnu@gnu:~/Desktop$ gpg --clearsign source.rar
You need a passphrase to unlock the secret key for
user: "GNU.FSF (The GNU privacy GUARD) <gnu@fsf.org>"
2048-bit DSA key, ID 4613154C, created 2014-01-24
>>>>>>>>>>>>>>>>>>>>>>>>
9. Detached signatures
<<<<<<<<<<<<<<<<<<<<<<<<
被标记的文档, 在使用时很多限制. 用户可以使用下面命令, 将文档与签名分离.
gnu@gnu:~/Desktop$ gpg -o src_encrypt_s.sig --detach-sig src_encrypt.sig
You need a passphrase to unlock the secret key for
user: "GNU.FSF (The GNU privacy GUARD) <gnu@fsf.org>"
2048-bit DSA key, ID 4613154C, created 2014-01-24
检验数据有效新, 使用下面选项 --verify
gnu@gnu:~/Desktop$ gpg --verify src_encrypt_s.sig src_encrypt.sig
gpg: Signature made Fri 24 Jan 2014 03:22:30 AM EST using DSA key ID 4613154C
gpg: Good signature from "GNU.FSF (The GNU privacy GUARD) <gnu@fsf.org>"
扫一扫
8372
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
