当前位置:网站首页>The GNU Privacy Guard

The GNU Privacy Guard

2022-08-09 10:04:00 Shinohara 竼

Reference

Why Use GnuPG?

PGP is useful for two things:

  1. Privacy and Security
  2. Authenticity

对比《连城诀》,第一步是「Anthology of Tang Poems」(But with saliva decryption uncouth),第二部是「Tang poetry swordsmanship」(Can't do without a teacher certification was handed down fighting skill),Finally declassified out「Jiangling city by west tianning temple hall of Buddha to the religious worship of psychic ZhuGao Buddha bless to bliss」. Of course, there are similar to ling back as“Password dictionary brute force”的方法 :-) 所以我们的 GPG Some key length to set up the long, long, long.

Usage

Generate GPG Keys

$ gpg --gen-key

细节参考GPG入门教程,写的非常详细,这里不再赘述.

查看本机公钥(.gnupg/pubring.gpg): gpg --list-keysCheck the machine the private key(.gnupg/secring.gpg): gpg --list-secret-keys

This article assumes that the generated GPG Public Key ID 是 0x5655CA935F09337F. Generated after the public-private key,Can configure the following:

Set your key as the default key by entering this line in your ~/.bash_profile (along with any other environment variables to be exported):

 export GPGKEY=0x5655CA935F09337F

设置 shell 变量 $GPGKEY ,After that no longer need to remember Key ID :

 $ gpg --list-keys $GPGKEY
 $ gpg --list-secret-keys $GPGKEY

Now restart the gpg-agent and set the relevant environment variable:

 $ killall -q gpg-agent
 $ eval $(gpg-agent --daemon)
 $ export GPGKEY=0x5655CA935F09337F

启动gpg-agent(功能类似ssh-agent),输入一次 GPG After the private key password,gpg-agent The private key password will automatically copy into the memory for next time use,Next time don't have to enter a password. 注意:The need for trade-offs between security and convenience.gpg-agent / ssh-agent Is convenient to many,But also for his people's congress open.If others connection into the machine,Also need not enter the password and use GPG / SSH .

Export Public Key

$ gpg --armor --output key.pub.asc --export $GPGKEY
$ gpg --output key.pub --export $GPGKEY

Export the native public key,提供给他人.

  • --armor, create ASCII armored output; Export text version of the GPG 公钥,So use suffix .asc 表示,This format is more commonly used,Can be posted on the website page;
  • --armor参数,The export of binary format GPG 公钥;

Sends Public Key to Keyserver

In addition to direct export public key for others,Can also be released public key to the key server keyserver,Search for others to download:

$ gpg --keyserver hkp://keys.gnupg.net --send-keys $GPGKEY
gpg: sending key 5F09337F to hkp server keys.gnupg.net

服务 keys.gnupg.net Is a set of server behind,The information synchronization between them will take time,Just submit the public key may not be immediately search results,As long as over a period of time(The longest could be a few hours or a few days)就好了. Public key server will save release public key,until it expiresexpire为止.Recommended not to release never expire public key,毕竟 Shit happens .Save for a rainy day or advance,Generates a revoked certificate offline keep.

注意:Anyone can pretend to be you in the name of the upload the public key to GPG 服务器,So the other search issued in the name of your public key,Really are not released by you.为了避免这个问题,You need to release the main key fingerprint.GPG Import the public key need to manually after the trust.By this time the other party can be calculated by comparing the main key fingerprint and offer you the main key fingerprint,The legitimacy of the main key to determine the import.

$ gpg --fingerprint <key ID> | perl -nE '$.-2 or s/^\h+// and print' | tee fingerprint

Generate Revocation Key

A revocation certificate must be generated to revoke your public key if your private key has been compromised in any way. It is recommended to create a revocation certificate when you create your key. Keep your revocation certificate on a medium that you can safely secure, like a thumb drive in a locked box. Anybody having access to your revocation certificate can revoke your key, rendering it useless.For security purposes, there is no mechanism in place to revoke a key without a revocation certificate. As much as you might want to revoke a key, the revocation certificate prevents malicious revocations. Guard your revocation certificate with the same care you would use for your private key.

Shit happens,So to be protective measures.Set a revoked certificate for their own public key,Public key is used to is no longer safe to withdraw from the server. What circumstances the public key will become“不再安全”?Nature is the corresponding private key may have under the condition of leak,When someone with such a public key to send you an encrypted file,May is the private key stealer decryption(The private key to unlock password is the last line of defense). Generated by the revoked certificate is a text format similar public key string,Need to carefully saved.Because anyone can take the revoked certificate issued to the public key server to cancel your public key.However, even the revoked certificate,Still can be downloaded from the public key server.

To revoke your key you need to first create a revocation certificate.

 $ gpg --output revoke.asc --gen-revoke $GPGKEY

(第2步、第3Step is revoked certificates in the future need to be performed by the operator) Import your revocation certificate

 $ gpg --import revoke.asc

(不到万不得已,Under the condition of which determine the private key is no longer a safe,Don't do this) Upload the key to your keyserver of choice.

 $ gpg --keyserver hkp://pgp.mit.edu --send-key [key-ID]

Search Public Key

根据用户名(UID)用户邮箱(email),Can search it from a public key server release GPG Public Key. 注意:任何人都可以用 seanxp In the name of the public key to the server,So you must review the public key of the fingerprints are consistent.

$ gpg --keyserver hkp://pgp.mit.edu --search-keys seanxp
gpg: searching for "seanxp" from hkp server pgp.mit.edu
(1)     seanxp <seanxp.com>
          4096 bit RSA key 0x5655CA935F09337F, created: 2016-11-15, expires: 2026-11-13

Here to search a so-called「seanxp」People released public key(ID: 0x5655CA935F09337F),In order to confirm whether or not「真•SeanXP」,在 SeanXP.com/about Page to view its fingerprints as

 Key fingerprint = 429D 47BB BDB0 AA92 B8B6  28F7 5655 CA93 5F09 337F

其中公钥 ID Is the back of the fingerprint several digital,发现后16A 16 hexadecimal number is the same(5655 CA93 5F09 337F),Right and believe是「seanxp」的公钥. 为什么是Right and believe?Because today just after16位数字相同,Not the fingerprint match exactly.You need to import the search to the public,print its fingerprints,再进行匹配.After adding the public key to the host,Print this public key fingerprint:

$ gpg --fingerprint seanxp
pub   4096R/0x5655CA935F09337F 2016-11-15
      Key fingerprint = 429D 47BB BDB0 AA92 B8B6  28F7 5655 CA93 5F09 337F
uid                 [ultimate] seanxp <seanxp.com>
sub   4096R/0x406A8B31846FF748 2016-11-15 [expires: 2026-11-13]
      Key fingerprint = 9723 3991 6C7B E775 08C4  38D3 406A 8B31 846F F748

指纹匹配成功,States that this is the correct public key.

注:If, as the following examples(centOS),Can see fingerprint when search,Can match fingerprints first, then decide whether to download the public key,可以省去不少麻烦.

gpg: searching for "seanxp" from hkp server keys.gnupg.net
(1)     seanxp <seanxp.com>
          4096 bit RSA key 429D47BBBDB0AA92B8B628F75655CA935F09337F, created: 2016-11-15, expires: 2026-11-13

long-keyid collision

There is a match success,Nature has a matching not successful.Here is a public key after8Digit of the same attack case: GPG 默认显示 Key ID 的后8位数字(Namely after the fingerprint8位),Then there are some people with ulterior motives,Violence can be generated after8The same public key to attain the goal of cheating. 如下,搜索 Linus Torvalds 的 GPG 公钥,Now know the email is [email protected],进行搜索:

$ gpg --search-keys [email protected]
gpg: searching for "[email protected]" from hkps server hkps.pool.sks-keyservers.net
(1)     Linus Torvalds <[email protected]>
          2048 bit RSA key 00411886, created: 2014-07-21 (revoked)
(2)     Linus Torvalds <[email protected]>
          2048 bit RSA key 00411886, created: 2011-09-20
Keys 1-2 of 2 for "[email protected]".  Enter number(s), N)ext, or Q)uit >

Search to the two have the same Key ID 的公钥!Here is to have their fingerprints match.在网上搜索,发现https://www.kernel.org/category/signatures.html提供有Linus Torvalds的公钥指纹

Developer         Fingerprint
Linus Torvalds    ABAF 11C6 5A29 70B1 30AB  E3C4 79BE 3E43 0041 1886

The following example shows long Key ID 的好处,更难进行long-keyid collision,后8An easy to collision is the same,后16A collision is more difficult.

gpg: searching for "[email protected]" from hkps server hkps.pool.sks-keyservers.net
(1)     Linus Torvalds <[email protected]>
          2048 bit RSA key 0x6211AA3B00411886, created: 2014-07-21 (revoked)
(2)     Linus Torvalds <[email protected]>
          2048 bit RSA key 0x79BE3E4300411886, created: 2011-09-20
Keys 1-2 of 2 for "[email protected]".  Enter number(s), N)ext, or Q)uit >

配置显示 long Key ID 是在 ~/.gnupg/gpg.conf 中进行配置:

~/.gnupg/gpg.conf

# short-keyids are trivially spoofed; it's easy to create a
# long-keyid collision; if you care about strong key
# identifiers, you always want to see the fingerprint.
# Display long key IDs
keyid-format 0xlong

# List all keys (or the specified ones) along with their fingerprints
with-fingerprint

Import Public Key

除了在 GPG Search each other outside the public key on the server,Without a search,直接获取指定 Key ID 的公钥:

$ gpg --recv-key 0x5F09337F
$ gpg --keyserver hkp://pgp.mit.edu --recv-key 0x5655CA935F09337F

Suggest all use long 16 位的 Key ID,Prevent after eight collision problem. Also can directly import the public key file of others,No longer through public key server access to,Especially the domestic line often cannot access to the public key server:

$ wget https://seanxp.com/about/0x5655CA935F09337F-public.key

$ file 0x5655CA935F09337F-public.key
0x5655CA935F09337F-public.key: PGP public key block Public-Key (old)

$ gpg --import 0x5655CA935F09337F-public.key

Here also need to check the fingerprint again,因为这里是通过 http 获取的公钥,可能出现中间人攻击.Since middlemen to alter what you get to the public,Tampering is also possible http Fingerprints on web pages,因此凡是 http A public key and a fingerprint on a web page,都要保持怀疑态度.Preferably in a reliable source of(https 或 email 联系)Confirm the legitimacy of the public key.而 https Also need to guard against man-in-the-middle attack,要确保本机的 SSL The reliability of the certificate chain.

Sign Key

To check the fingerprint and correct the public key,Can use the native private key to sign.Signed public key process:

Verify fingerprints(Only first to determine the source of the reliable fingerprint,To check the machine to obtain the reliability of the public key fingerprint,再次提醒 http The page is not reliable)

 $ gpg --fingerprint seanxp

指纹校验成功,With this machine the private key of the public key signature(Need the machine private key authorization,The need to enter the machine the private key password,Authorization can prevent others)

 $ gpg --sign-key seanxp
 $ gpg --local-user seanxp --sign-key [email protected]

校验失败,Remove the wrong public key.

 $ gpg --delete-keys seanxp

Why use the native public key private key to sign? To prevent others to tamper with the native reliable public key,If others want to replace with false public key and reliable public key,Next time you use the public key,The system will prompt the public key is not reliable(All unsigned public key will prompt unreliable information). 经过 gpg --sign-key 签名的公钥,成为了 trust: unknown validity: full,Is now confirmed that the public key is effective(validity),But still did not trust the public key.Trust the public key to use interactive command--edit-key.

Edit Key

$ gpg --edit-key seanxp

编辑公钥,有很多功能:

  • fpr, show key fingerprint
  • sign, sign selected user IDs
  • trust, change the ownertrust
  • enable, enable key
  • disable, disable key
  • passwd, change the passphrase

To check the fingerprint is correct,and has passed gpg --sign-key 签名的公钥,Can set its credibility under edit public key:

$ gpg --edit-key [email protected]
...
gpg> trust
pub  2048R/0x79BE3E4300411886  created: 2011-09-20  expires: never       usage: SC
                               trust: unknown       validity: full
sub  2048R/0x88BCE80F012F54CA  created: 2011-09-20  expires: never       usage: E
[  full  ] (1). Linus Torvalds <[email protected]>

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 4

pub  2048R/0x79BE3E4300411886  created: 2011-09-20  expires: never       usage: SC
                               trust: full          validity: full
sub  2048R/0x88BCE80F012F54CA  created: 2011-09-20  expires: never       usage: E
[  full  ] (1). Linus Torvalds <[email protected]>
Please note that the shown key validity is not necessarily correct
unless you restart the program.

gpg> quit

About trust Settings,参考Reddit - Question: clarification about trust/validity

If you want to privately mark a key as valid, you should use the --lsign-key command.

 --lsign-key name
 Signs a public key with your secret key but marks it as non-exportable. This is a shortcut  version  of the subcommand "lsign" from --edit-key.

If you want to publicly attest that a key is valid, you should use the --sign-key command.

 --sign-key name
 Signs  a  public  key  with  your  secret key. This is a shortcut version of the subcommand "sign" from --edit.

Use gpg --edit-key <keyid>, then enter the command “trust” then select the level of trust you have in the key’s owner.

  • “Marginal” means that key is trusted to be part of a group of introducers.
  • “fully” means a signature from that key is all it needs to make another key valid. (Typically, signatures from three marginal sources are needed to mark a key as valid.)
  • “ultimately” means the key is your key.

You can also change the native private key password:

$ gpg --edit-key $GPGKEY
...
gpg> passwd
...
gpg> save

Encrypt

GPG of great use,Is to use other people's public key to encrypt files,Through unreliable network transmission in the past,By other's private key to decrypt the,Complete communication tasks. With its own public key encryption in here,模拟练习(自娱自乐),With his own private key to decrypt the.

$ echo "Hello world" > hello.txt
$ cat -A hello.txt
Hello world$
$ md5 hello.txt
f0ef7081e1539ac00ef5b761b4fb01b3 hello.txt

usage: gpg [options] --encrypt [filename]
$ gpg --armor --recipient seanxp --output He110.txt --encrypt hello.txt
$ file He110.txt
He110.txt: PGP message Public-Key Encrypted Session Key (old)
  • --armor,Said the output text file format.If you want to encrypt the binary file,则忽略此参数;
  • --recipient,Specify the information of the receiver(recipient)公钥的uid,Can be a name can also beemail地址;
  • --output,指定输出(i.e. after encryption)的文件名;
  • --encrypt,执行加密(encrypt)操作;

In addition to the long option,There are also simple options,对应的命令为:

usage: gpg [options] --encrypt [filename]
$ gpg -a -r seanxp -o He110.txt -e hello.txt

This generates a with seanxp The public key encryption file,GPG Algorithm to ensure that only seanxp The private key can decrypt the right data. In addition to encrypt a single file,Can also to compressed folder encryption:

$ tar -cvz backup/ | gpg -e -r [key-ID] -o backup.tgz.gpg
$ tar -cvj backup/ | gpg -e -r [key-ID] -o backup.tar.bz2.gpg
$ file backup.tgz.gpg
backup.tgz.gpg: PGP RSA encrypted session key - keyid: 318B6A40 48F76F84 RSA (Encrypt or Sign) 4096b .

keyid: 318B6A40 48F76F84 RSA (Encrypt or Sign) 4096b,Said the file is to use the public key0x406A8B31846FF748(与keyidThe byte order instead,But it is the same public key)加密的. The public key is seanxp 公钥0x5655CA935F09337FFrom the public keys.

$ gpg --list-public-keys seanxp
pub   4096R/0x5655CA935F09337F 2016-11-15
      Key fingerprint = 429D 47BB BDB0 AA92 B8B6  28F7 5655 CA93 5F09 337F
uid                 [ultimate] seanxp <seanxp.com>
sub   4096R/0x406A8B31846FF748 2016-11-15 [expires: 2026-11-13]

生成 GPG 钥匙,Generates two pairs of public and private keys,That is four keys,用处不同,稍后详解.

Decrypt

用公钥加密的数据,Can use the corresponding private key to decrypt the:

$ rm hello.txt
$ gpg --output hello.txt --decrypt He110.txt

You need a passphrase to unlock the secret key for
user: "seanxp <seanxp.com>"
4096-bit RSA key, ID 0x406A8B31846FF748, created 2016-11-15
         (subkey on main key ID 0x5655CA935F09337F)

gpg: encrypted with 4096-bit RSA key, ID 0x406A8B31846FF748, created 2016-11-15
      "seanxp <seanxp.com>"

$ file hello.txt
hello.txt: ASCII text
$ cat -A hello.txt
Hello world$
$ md5 hello.txt
f0ef7081e1539ac00ef5b761b4fb01b3 hello.txt

He110.txt is to use the child public key 0x406A8B31846FF748 加密,Also with the private key to decrypt the. For compressed folder encryption decryption method:

$ gpg --decrypt backup.tgz.gpg | tar -xz
$ gpg --decrypt backup.bz2.gpg | tar -xj

signature

Since the file is through不可靠The network transmission of,Most of the time may have been tampered with replacement,So you need to use a digital signature. For example, on the Internet to download linux kernel Need to verify the digital signature is valid.

Note the difference between encryption and signature:

  • Encryption is the file encrypted operation,This is with the public key0x406A8B31846FF748进行 RSA 加密,Ensure that only the corresponding private key can decrypt the son;
  • The encrypted data without signature,Because if the encrypted data during transmission tampered with,You will be prompted when decryptinggpg: CRC error;校验错误;
  • 对文件签名,Not to make any processing the original file,Only on the original files are generated Numbers in this paper, and used to generate a digital signature private key encryption;
  • If only the signature is not encrypted,The original files in the process of transmission will be others see,But can ensure that the documents in the case of modified through digital signature check;
  • Encryption guaranteedOnly you can see the file,签名确保Only I can write this file.

detached signature

For scattered in multiple channels available to download resources(Without encryption transmission of large files),The best way is to generate a digital signature is independent of the download file file download check for others.A lot of software developers in the software's official website provide signature file for checking. 例如对 hello.txt Generate separate signature file:

$ gpg --armor --detach-sign hello.txt

You need a passphrase to unlock the secret key for
user: "seanxp <seanxp.com>"
4096-bit RSA key, ID 0x5655CA935F09337F, created 2016-11-15

$ file hello.txt.asc
hello.txt.asc: PGP signature Signature (old)

Independent generated a hello.txt.asc 的签名文件,后缀名 asc 表示该文件是 ASCII 码形式的. Because is the signature of the separation,Need the original information file hello.txt together with the signature file hello.txt.asc Send others together,Test available to others.

clear text signature

For simple text,可以使用clearsign的独立(不修改原文件)不分离(The original text and digital signature is written in the same file)digital signature:

$ gpg --clearsign hello.txt

$ cat hello.txt.asc
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello world
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJYlVHxAAoJEFZVypNfCTN/wMEP/1HNhw7YUAIGEjkLXlALgCRj
QLiBxQtzNszmGtzsIaPXRTt4aOxmicmNyLQ7JHImN372LnvYkYDV2PY/ZIfujGpb
qpTE3kCTEgS55SK/zfLEA+njq1LzCsSuPUUEoIO8DXhg1L+Ktf4GhlupSWI3X/iS
JzEszetFJ/u2650JQPofY2cWeetrY9j7UdnjqtSJQCrA9be9hcBDoepCzfZg62Ae
hnuw8sUayE6kwoJKA5aMNcrbN5qxhvUVULJKxhK2cCzi3vatBzjnnqKeFBfz64V8
LiM3Qk3AbKeE+2P3ZorbXgD265dYDcHTMBCzMgjKoFUvoOlrF+ZeMv7HYcQNOHx7
dEmx2VEhInwdB9snhBokH8KsFlWsPIpLbbarwDL56jUjC4jrDW8EF05dJLXCfALV
8M2MVD513tVSx/ktSYyY2h+mBbrfAo5J54+KZN/NJpan/woP0ooWNTyey3T/y/sv
OZZuyg7w0Hl3j4bVnji++DcJhkwbfq32yvzDi0BLcEATNQRO5h5FifUSg3eV8W0f
U8p1NUrd5W7in1ne1x9EMZkrFfzkLP7rYxHkmZ+KMW4fNGMFjQGi1YAQN+S0mNCM
AGuZpLRb0MgudFzotPuyWH5D9hHyWpjF2qHrK7an9jTgtE/eemU4l00frwnBc9a1
bl9M0p7XCJsh2xOHx72I
=5P7S
-----END PGP SIGNATURE-----

根据 hello.txt 生成 hello.txt.asc 文件,This file already contains a signature hello.txt 的数据. You just need to send the signature file to others.Others check digital signature can be isolated from the original data file at the same time.

binary signature

使用--sign选项,The simplest can generate a digital signature:

$ gpg --sign hello.txt
$ file hello.txt.gpg
hello.txt.gpg: data

$ gpg helle.txt.gpg
  • Independent of the signature file hello.txt.gpg
  • The file data is not encrypted(可以在hello.txt.gpg文件中看到Hello world
  • Binary digital signature

summary

  • 使用--detach-sign选项,Generate separate signature file;
  • 使用--sign选项,Generation are not isolated signature file,与--detach-sign选项相反;
    • 加上--armor选项,则生成 ASCII 格式的数字签名(hello.txt.asc: PGP message Compressed Data),Can't see the original file of data,But after decryption can get the original file data;
    • 不加--armor选项,Digital signature is generated in the binary form(hello.txt.gpg: data),You can see the original file data;
  • 使用--armor选项,生成 ASCII 格式的签名;
  • 使用--clearsign选项,可以省略--armor选项,Generates separate separate text signature;

另外,If the machine is used for signing in to the private key when more than one,You need to specify the signature private key used in the:

--local-user,-u: Use name as the key to sign with. Note that this option overrides --default-key.
$ gpg -u $GPGKEY --sign hello.txt

verify

Get someone else's digital signature file,Need to use the public key to verify(Others use the private key generated signature file,Then use the public key corresponding to check the signature file). 对于 .gpg 后缀的签名文件,直接使用gpg xxx.gpgAfter check the digital signature,And to separate out the original file.

$ gpg -u $GPGKEY --sign hello.txt
$ file hello.txt.gpg
hello.txt.gpg: data

$ rm hello.txt
$ gpg hello.txt.gpg
gpg: Signature made Sat Feb  4 12:34:13 2017 CST
gpg:                using RSA key 0x5655CA935F09337F
gpg: Good signature from "seanxp <seanxp.com>" [ultimate]
Primary key fingerprint: 429D 47BB BDB0 AA92 B8B6  28F7 5655 CA93 5F09 337F
$ cat -A hello.txt
Hello world$

对于使用 --detach-sign Signature of the signature file,使用 gpg --verify 命令进行校验.Because the separation is digital signature file,Therefore the original file must also exist,gpg To the original file hash 处理,And decrypt the digital signature in the file hash 进行对比.

$ gpg -u $GPGKEY --armor --detach-sign hello.txt
$ file hello.txt.asc
hello.txt.asc: PGP signature Signature (old)

$ rm hello.txt
$ gpg --verify hello.txt.asc
gpg: no signed data
gpg: can't hash datafile: No data

$ echo "Hello world" > hello.txt
$ gpg --verify hello.txt.asc
gpg: assuming signed data in 'hello.txt'
gpg: Signature made Sat Feb  4 12:36:14 2017 CST
gpg:                using RSA key 0x5655CA935F09337F
gpg: Good signature from "seanxp <seanxp.com>" [ultimate]
Primary key fingerprint: 429D 47BB BDB0 AA92 B8B6  28F7 5655 CA93 5F09 337F

In digital signature file is not separation --clearsign,Don't need the original file,Because the signature file is included in the signature file data,可以使用gpg --verify直接校验.

Encrypt & Signature

At the same time for encryption and signature operation:

$ gpg --local-user [发信者ID] --recipient [接收者ID] --armor --sign --encrypt hello.txt

$ gpg --local-user $GPGKEY --recipient [email protected] --armor --sign --encrypt hello.txt
$ file hello.txt.asc
hello.txt.asc: PGP message Public-Key Encrypted Session Key (old)

GPG Subkeys

GPG Key ring is not only a pair of public and private keys,If say the public key and its corresponding private key is a key to,那么一个 GPG Key ring can have a number of key pair,Each key pair consists of a key number(key ID)标识,called the key.One of the keys have other key signature function(Can create a key in the key ring),The key was said to give priority to key,Other keys are called from the key. GPG Each of the listed key ring first line must be the main key,The rest is from the key. 一个GPG Key ring has a total of four types of key:

属性

代表

含义

sec

SECret key

The private key of the master key

pub

PUBlic key

The public key of the master key

ssb

Secret SuBkey

The private key of the slave key

sub

public SUBkey

The public key of the slave key

As for the key role to view their function,There are three kinds of commonly used functions:

功能

代表

含义

S

Signing

Signature and validation signature

E

Encryption

加密和解密信息

C

Certification

认证钥匙

  • E = encrypt/decrypt (decrypt with your private key of a message you received)
  • S = sign (sign data. For example a file or to send signed e-mail)
  • C = certify (sign another key, establishing a trust-relation)
  • A = authentication (log in to SSH with a PGP key; this is relatively new usage)

最后一项功能 authentication ,可以将 GPG 生成 SSH The corresponding private key,并用于 SSH 登录. Pay attention to the function is for a pair of keys for,By the public and private keys do together.The encryption and decryption, respectively made by public and private keys in a key,Signature and verification respectively performed by private and public keys. 一般地,GPG Key ring in key public key needs to be announced on the network,也就意味着:

  • Encryption,Everyone can use you released public-key encryption information,The encrypted information only holds the private key can decrypt you.
  • Signing,You can use its private key signature information,Everyone can be released with your public key to verify the legitimacy of the signature.
  • Certification,You can use its private key authentication the public key of others,To establish trust.

默认情况下,GPG Master key generated key ring(master key)和子密钥(sub key)放在一起,Master key used for signing and verifying(usage: SC),From the key used for encryption(usage: E).The example given earlier,Is used to encrypt the key sub key,The signing key is master key.

pub  4096R/0x5655CA935F09337F  created: 2016-11-15  expires: never       usage: SC
sub  4096R/0x406A8B31846FF748  created: 2016-11-15  expires: 2026-11-13  usage: E

The advantage of using sub key can replace signatures or encryption keys,And does not destroy the relationship between the master key network andKey ID.In addition to the default generated keys used to encrypt the son,You can also add more sub-key,To sign or used to encrypt.Their public key is available as the master key public key,Convenient others authentication or encryption. 为保证 master private key 的安全,Drop it on other offline media(比如U盘),And is removed from the key ring.At the same time for the convenience of daily use,Need to create a respectively responsible for encrypted subkey(默认已有)And a responsible for signature subkey. Daily encryption and signature operations through subkeys 进行,需要使用 master private key 时(吊销/添加 subkeys,Sign for other people's public key),挂载UPlate and then perform the following operations can see master private key. In fact this purpose,Safer way is to use a piece of VeraCrypt Full disk encryption U 盘.每次需要使用 master private key 时,插入 U 盘,VeraCrypt Full decryption,之后使用 gpg --homedir Select the specified path,Execution of the command after unloading U 盘.

$ gpg --homedir /path/to/your/usb-drive/_gnupg --list-secret-keys

Backup Keys

View and export the private key:

$ gpg --list-keys
$ gpg -ao 0x5655CA935F09337F-public.key -export 0x5655CA935F09337F

$ gpg --list-secret-keys
$ gpg -ao 0x5655CA935F09337F-private.key --export-secret-keys 0x5655CA935F09337F

Public and private key file to import the machine:

$ gpg --import _something_-public.key
$ gpg --import _something_-private.key

gpg.conf

my gpg.conf in github

使用 SSL 连接 keyserver:

  1. 下载所需的 SSL 证书数字签名
  2. To verify the digital signature of the certificate,Need to import the public key in advance 0x250B7AFED6379D85
  3. 拷贝 .pem Certificate to the corresponding directory,并在 gpg.conf 中注明
  4. 配置默认 keyserver

gpg.conf 相关配置:

# Default key server
keyserver hkps://hkps.pool.sks-keyservers.net
# Provide a certificate store to override the system default
# Get this from https://sks-keyservers.net/sks-keyservers.netCA.pem
#keyserver-options ca-cert-file=/path/to/hkps.pool.sks-keyservers.net.pem
keyserver-options ca-cert-file=~/.gnupg/sks-keyservers.netCA.pem

Other

RSA

PGP(Pretty Good Privacy)

良好隐私密码法(英语:Pretty Good Privacy,缩写为PGP),一套用于讯息加密、验证的应用程序,采用IDEAThe hash algorithm for the use of encryption and authentication. PGPThe main developers is that phil·齐默尔曼(Phil Zimmermann).Zimmerman in1991年将PGPOn the Internet for free.PGPItself is a business application;Open source and has the similar function tool calledGPG(GnuPG).PGPAnd similar products comply withOpenPGPData encryption standard(RFC 4880).

  • PGP加密由一系列散列、数据压缩、对称密钥加密,以及公钥加密的算法组合而成.每个步骤支持几种算法,可以选择一个使用.每个公钥均绑定唯一的用户名和/或者E-mail地址.
  • 消息采用对称加密算法加密,采用一组对称密钥.每个对称密钥只使用一次,所以也叫做会话密钥.会话密钥通过接收方的公钥来加密保护,因此只需确保仅接收方能解密会话密钥即可.加密的消息和加密的会话密钥一起发送给接收方.
  • 完整性检测被用来检查消息在传输过程中是否变更过(即验证消息完整性),而消息认证则是被用来决定消息是否确由某特定的人或实体发出(即数字签名验证).
  • 不管是在加密消息时还是在验证签名时,都需要注意用来发送消息的公钥是否确实属于期望的接收者.简单的从某个位置下载一个公钥是没有保障的.蓄意的或意外冒名顶替是可能的.

Web of Trust

Web of trust - Wikipedia PGP The trust network structure(Web Of Trust)The distributed key management,The key management system of no certificate management organ(CA),User identity authentication problem is through introducer between(introducer)来解决的.All of the users to produce and distribute their own public key,By the user to create a public key signature contains each other for all PGP The trust of the user network(Web Of Trust).简单地说就是,in the web of trust,Not everyone trust center authority,User centered on their,Mutual authentication public key,Mutual signed public key certificate.These signatures allow user's public key is connected to each other,The network structure of natural,The so-called trust net.

Macbook GPG issue

Macbook 下,出现下面问题:

gpg-agent[30845]: command get_passphrase failed: No such file or directory
gpg: problem with the agent: No such file or directory
gpg: decryption failed: No secret key

即需要输入 GPG The private key password,No pop-up box,Instead of the default input failed. 解决方案,可以通过 GPGTools 的 pinentry-mac (pinentry for GPG on Mac) 解决:

brew install pinentry-mac
echo "pinentry-program /usr/local/bin/pinentry-mac" >> ~/.gnupg/gpg-agent.conf
原网站

版权声明
本文为[Shinohara 竼]所创,转载请带上原文链接,感谢
https://yzsam.com/2022/221/202208090943258772.html

边栏推荐

猜你喜欢

随机推荐