一、什么是 GPG

以下引自维基百科

GNU Privacy Guard(GnuPG或GPG)是一种加密软件,它是PGP加密软件的满足GPL的替代物。GnuPG依照由IETF订定的OpenPGP技术标准设计。GnuPG用于加密、数位签章及产生非对称钥匙对的软件。

简单来说,GPG 是商业加密软件 PGP 的开源替代方案。它是用来做个人数据认证和加密的。

二、测试环境

操作系统 ArchLinux
GnuPG 2.2.7

三、创建 GPG 证书

GPG 证书的创建方式有很多有,本文使用的方法自定义程度比较好,可以将同一个证书拆分成不同的子密钥,每个子密钥承担不同的用途。

1、创建主密钥

主密钥只负责对他人的证书进行确认以及生成/吊销子密钥,不作为日常用途使用。同时。建议将主密钥单独分离保存,尽量不要与子密钥在同一个存储介质上。

# --expert 启用专家模式,可以更为细致的控制生成密钥的用途

# --full-generate-key 使用全功能模式生成密钥

[root@archlinux ~]# gpg --expert --full-generate-key

gpg (GnuPG) 2.2.7; Copyright (C) 2018 Free Software Foundation, Inc.

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:

   (1) RSA and RSA (default)

   (2) DSA and Elgamal

   (3) DSA (sign only)

   (4) RSA (sign only)

   (7) DSA (set your own capabilities)

   (8) RSA (set your own capabilities)

   (9) ECC and ECC

  (10) ECC (sign only)

  (11) ECC (set your own capabilities)

  (13) Existing key

Your selection? 8   # 此处选择 8,生成 RSA 密钥同时自定义生成密钥的功能

# Certify 主密钥证书功能

# Sign 签名证书功能

# Encrypt 加密证书功能

# Authenticate 认证证书功能

Possible actions for a RSA key: Sign Certify Encrypt Authenticate

Current allowed actions: Sign Certify Encrypt 

   (S) Toggle the sign capability

   (E) Toggle the encrypt capability

   (A) Toggle the authenticate capability

   (Q) Finished

Your selection?

# 此处依次输入 S 和 E(每次只输入一个)

# 去掉 Current allowed actions 中的 Sign 和 Encrypt 功能

# 只保留 Certify 功能作为主密钥的用途

# 最终显示如下

Possible actions for a RSA key: Sign Certify Encrypt Authenticate

Current allowed actions: Certify 

   (S) Toggle the sign capability

   (E) Toggle the encrypt capability

   (A) Toggle the authenticate capability

   (Q) Finished

Your selection? Q   # 输入 Q 完成证书功能选择

RSA keys may be between 1024 and 4096 bits long.

What keysize do you want? (2048) 4096   # 推荐 4096 bits 的长度,2048 bits 的证书目前已不是非常安全

Requested keysize is 4096 bits

Please specify how long the key should be valid.

         0 = key does not expire

      <n>  = key expires in n days

      <n>w = key expires in n weeks

      <n>m = key expires in n months

      <n>y = key expires in n years

Key is valid for? (0) 1y    # 1y 代表证书有效期为一年

Key expires at Thu May 30 18:56:27 2019 CST

Is this correct? (y/N) y    # 确认信息

GnuPG needs to construct a user ID to identify your key.

Real name: isprotect.org    # 证书使用人的名字

Email address: example@isprotect.org    # 证书使用人的邮箱

Comment: This is the gpg example for isprotect.org  # 备注信息

You selected this USER-ID:

    "isprotect.org (This is the gpg example for isprotect.org) <example@isprotect.org>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o   # 输入 O 确认信息

We need to generate a lot of random bytes. It is a good idea to perform

some other action (type on the keyboard, move the mouse, utilize the

disks) during the prime generation; this gives the random number

generator a better chance to gain enough entropy.

# 此处提示需要收集计算机的随机数据

# 以产生大量的熵来生成密钥

# 为加快生成进度,建议在系统中新打开一个 shell 进行大文件(2GB 以上)拷贝

# 加快生成进度的操作不影响证书的加密性能

# 生成的证书信息和保存位置

gpg: key 7D94098984B1C2E1 marked as ultimately trusted

gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/167AA294FA8510F70F7049BA7D94098984B1C2E1.rev'

public and secret key created and signed.

pub   rsa4096 2018-05-30 [C] [expires: 2019-05-30]  # [C] 代表是确认证书,也就是主密钥的功能

      167AA294FA8510F70F7049BA7D94098984B1C2E1

uid                      isprotect.org (This is the gpg example for isprotect.org) <example@isprotect.org>

2、创建子密钥

上面创建了主密钥,下面进行子密钥的创建操作。

# 编辑刚刚生成的密钥

[root@archlinux ~]# gpg --expert --edit-key isprotect.org

gpg (GnuPG) 2.2.7; Copyright (C) 2018 Free Software Foundation, Inc.

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

# 密钥信息

gpg: checking the trustdb

gpg: marginals needed: 3  completes needed: 1  trust model: pgp

gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u

gpg: next trustdb check due at 2019-05-30

sec  rsa4096/7D94098984B1C2E1

     created: 2018-05-30  expires: 2019-05-30  usage: C   # 主密钥功能

     trust: ultimate      validity: ultimate

[ultimate] (1). isprotect.org (This is the gpg example for isprotect.org) <example@isprotect.org>

# 添加签名子密钥

gpg> addkey

Please select what kind of key you want:

   (3) DSA (sign only)

   (4) RSA (sign only)

   (5) Elgamal (encrypt only)

   (6) RSA (encrypt only)

   (7) DSA (set your own capabilities)

   (8) RSA (set your own capabilities)

  (10) ECC (sign only)

  (11) ECC (set your own capabilities)

  (12) ECC (encrypt only)

  (13) Existing key

Your selection? 8

Possible actions for a RSA key: Sign Encrypt Authenticate

Current allowed actions: Sign Encrypt 

   (S) Toggle the sign capability

   (E) Toggle the encrypt capability

   (A) Toggle the authenticate capability

   (Q) Finished

Your selection?     # 输入 E 去掉加密功能

Possible actions for a RSA key: Sign Encrypt Authenticate

Current allowed actions: Sign 

   大专栏  创建 GPG 证书pan class="o">(S) Toggle the sign capability

   (E) Toggle the encrypt capability

   (A) Toggle the authenticate capability

   (Q) Finished

Your selection?     # 输入 Q 完成证书功能选择

RSA keys may be between 1024 and 4096 bits long.

What keysize do you want? (2048) 4096

Requested keysize is 4096 bits

Please specify how long the key should be valid.

         0 = key does not expire

      <n>  = key expires in n days

      <n>w = key expires in n weeks

      <n>m = key expires in n months

      <n>y = key expires in n years

Key is valid for? (0) 1y

Key expires at Thu May 30 19:03:31 2019 CST

Is this correct? (y/N) y

Really create? (y/N) y

We need to generate a lot of random bytes. It is a good idea to perform

some other action (type on the keyboard, move the mouse, utilize the

disks) during the prime generation; this gives the random number

generator a better chance to gain enough entropy.

sec  rsa4096/7D94098984B1C2E1

     created: 2018-05-30  expires: 2019-05-30  usage: C

     trust: ultimate      validity: ultimate

ssb  rsa4096/A06E34D750CEE9FF

     created: 2018-05-30  expires: 2019-05-30  usage: S     # 新生成的签名密钥

[ultimate] (1). isprotect.org (This is the gpg example for isprotect.org) <example@isprotect.org>

# 添加加密子密钥

gpg> addkey

Please select what kind of key you want:

   (3) DSA (sign only)

   (4) RSA (sign only)

   (5) Elgamal (encrypt only)

   (6) RSA (encrypt only)

   (7) DSA (set your own capabilities)

   (8) RSA (set your own capabilities)

  (10) ECC (sign only)

  (11) ECC (set your own capabilities)

  (12) ECC (encrypt only)

  (13) Existing key

Your selection? 8

Possible actions for a RSA key: Sign Encrypt Authenticate

Current allowed actions: Sign Encrypt 

   (S) Toggle the sign capability

   (E) Toggle the encrypt capability

   (A) Toggle the authenticate capability

   (Q) Finished

Your selection?     # 输入 S 去掉签名功能

Possible actions for a RSA key: Sign Encrypt Authenticate

Current allowed actions: Encrypt 

   (S) Toggle the sign capability

   (E) Toggle the encrypt capability

   (A) Toggle the authenticate capability

   (Q) Finished

Your selection?     # 输入 Q 完成证书功能选择

RSA keys may be between 1024 and 4096 bits long.

What keysize do you want? (2048) 4096

Requested keysize is 4096 bits

Please specify how long the key should be valid.

         0 = key does not expire

      <n>  = key expires in n days

      <n>w = key expires in n weeks

      <n>m = key expires in n months

      <n>y = key expires in n years

Key is valid for? (0) 1y

Key expires at Thu May 30 19:05:35 2019 CST

Is this correct? (y/N) y

Really create? (y/N) y

We need to generate a lot of random bytes. It is a good idea to perform

some other action (type on the keyboard, move the mouse, utilize the

disks) during the prime generation; this gives the random number

generator a better chance to gain enough entropy.

sec  rsa4096/7D94098984B1C2E1

     created: 2018-05-30  expires: 2019-05-30  usage: C

     trust: ultimate      validity: ultimate

ssb  rsa4096/A06E34D750CEE9FF

     created: 2018-05-30  expires: 2019-05-30  usage: S

ssb  rsa4096/8053318D031262E2

     created: 2018-05-30  expires: 2019-05-30  usage: E     # 新生成的加密子密钥

[ultimate] (1). isprotect.org (This is the gpg example for isprotect.org) <example@isprotect.org>

# 添加认证子密钥

gpg> addkey

Please select what kind of key you want:

   (3) DSA (sign only)

   (4) RSA (sign only)

   (5) Elgamal (encrypt only)

   (6) RSA (encrypt only)

   (7) DSA (set your own capabilities)

   (8) RSA (set your own capabilities)

  (10) ECC (sign only)

  (11) ECC (set your own capabilities)

  (12) ECC (encrypt only)

  (13) Existing key

Your selection? 8

Possible actions for a RSA key: Sign Encrypt Authenticate

Current allowed actions: Sign Encrypt 

   (S) Toggle the sign capability

   (E) Toggle the encrypt capability

   (A) Toggle the authenticate capability

   (Q) Finished

Your selection?

# 依次输入 S、E 和 A(每次输入一个)

# 去掉签名和加密功能,添加认证功能

Possible actions for a RSA key: Sign Encrypt Authenticate

Current allowed actions: Authenticate 

   (S) Toggle the sign capability

   (E) Toggle the encrypt capability

   (A) Toggle the authenticate capability

   (Q) Finished

Your selection?     # 输入 Q 完成证书功能选择

RSA keys may be between 1024 and 4096 bits long.

What keysize do you want? (2048) 4096

Requested keysize is 4096 bits

Please specify how long the key should be valid.

         0 = key does not expire

      <n>  = key expires in n days

      <n>w = key expires in n weeks

      <n>m = key expires in n months

      <n>y = key expires in n years

Key is valid for? (0) 1y

Key expires at Thu May 30 19:08:37 2019 CST

Is this correct? (y/N) y

Really create? (y/N) y

We need to generate a lot of random bytes. It is a good idea to perform

some other action (type on the keyboard, move the mouse, utilize the

disks) during the prime generation; this gives the random number

generator a better chance to gain enough entropy.

sec  rsa4096/7D94098984B1C2E1

     created: 2018-05-30  expires: 2019-05-30  usage: C

     trust: ultimate      validity: ultimate

ssb  rsa4096/A06E34D750CEE9FF

     created: 2018-05-30  expires: 2019-05-30  usage: S

ssb  rsa4096/8053318D031262E2

     created: 2018-05-30  expires: 2019-05-30  usage: E

ssb  rsa4096/4D120399CB422D77

     created: 2018-05-30  expires: 2019-05-30  usage: A     # 新生成的认证子密钥

[ultimate] (1). isprotect.org (This is the gpg example for isprotect.org) <example@isprotect.org>

# 保存密钥信息

gpg> save

最后的密钥信息如上面显示,每个密钥只有单一的功能。

四、总结

本文中一共创建了一个主密钥和三个子密钥,分别用于确认证书、签名、加密和认证。这么创建证书的目的是为了方便对密钥进行管理以及降低密钥丢失的风险。当某一密钥丢失的时候,只需要通过主密钥来生成丢失子密钥的吊销证书就可以了,不必将整个密钥丢弃,否则就会丢失密钥的人际关系。当然,千万要保存好主密钥!!!

最新文章

  1. wireshark 实用过滤表达式(针对ip、协议、端口、长度和内容)
  2. [Linux] - CentOS IP设置方法
  3. printf()输出
  4. 在easyui中如何修改combobox的下拉框的高度为自适应高度
  5. MySQL数据库学习笔记(二)----MySQL数据类型
  6. CF#310 d2
  7. HTML&amp;CSS基础学习笔记1.29-灵活地使用样式
  8. springboot+多数据源配置
  9. Java引用变量的类型
  10. 8.1 Socket编程
  11. Android 内存管理中的 Shallow heap Retained heap
  12. Oracle记录表删除操作简单方法
  13. sqlserver 书查询 之二
  14. underscore.js源码解析【集合】
  15. Codeforces Round #516 (Div. 2) (A~E)
  16. InstallShield:卸载时文字叠加,文字乱码
  17. ERROR: unable to bind listening socket for address &#39;127.0.0.1:9000&#39;: Address already in use (98) [30-Jan-2018 16:12:27] ERROR: FPM initialization failed解决方法
  18. spring boot热启动
  19. 剑指offer例题——裴波那契数列
  20. 紧急救援 L2-001 dijkstra 打印路径 最短路条数 权值

热门文章

  1. 小程序外链跳转web-view系列问题
  2. 三、NOSQL之Memcached缓存服务实战精讲第二部
  3. 线程池-进程池-io模型
  4. 【转】修改Ubuntu系统的登陆信息的简单方法
  5. js中使用EL表达式总结
  6. Java/Oracle/mySQL 日期格式
  7. MySQL修改最大连接数的两个方法,偏爱第一种
  8. python3.7解释器安装及配置虚拟环境
  9. WxProperties WxConfig
  10. linux系统用户管理(一)