8/22/2008

Protecting the GnuPG primary key with multiple subkeys

First create the primary key. In principle, since it serves as proof of your identity, it should never expire. The passphrase should be strong enough: easy for you to remember but hard for others to guess; spaces are allowed, it should preferably contain digits and symbols, and it should be no shorter than 20 characters.

C:\Documents and Settings\user>gpg --gen-key
gpg (GnuPG) 1.4.7; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Pcxingxing Admin
Email address: [email protected]
Comment: pcxingxing
You selected this USER-ID:
"Pcxingxing Admin (pcxingxing) "

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.++++++++++.+++++ [progress indicator]
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
++++++++++++++++++++.+++++ [progress indicator]
gpg: key 195BF502 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 1024D/195BF502 2008-08-22
Key fingerprint = 3710 1AF5 31D5 1C71 B594 74E7 9646 85D1 195B F502
uid Pcxingxing Admin (pcxingxing)
sub 2048g/02630FCE 2008-08-22
============================================================
Don't forget to generate a revocation certificate for the key. It must be kept in a safe place and never leaked.

C:\Documents and Settings\user>gpg --output revokecert.txt --gen-revoke pcxingxing

sec 1024D/195BF502 2008-08-22 Pcxingxing Admin (pcxingxing)

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision? 1
Enter an optional description; end it with an empty line:
>
Reason for revocation: Key has been compromised
(No description given)
Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: "Pcxingxing Admin (pcxingxing) "
1024-bit DSA key, ID 195BF502, created 2008-08-22

ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable. But have some caution: The print system of
your machine might store the data and make it available to others!
============================================================


Next, create subkeys for the various purposes: for example, separate signing and encryption keys for use at home, at work and on the laptop. These subkeys can be given suitable expiry dates.

C:\Documents and Settings\user>gpg --edit pcxingxing
gpg (GnuPG) 1.4.7; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Secret key is available.

pub 1024D/195BF502 created: 2008-08-22 expires: never usage: SC
trust: ultimate validity: ultimate
sub 2048g/02630FCE created: 2008-08-22 expires: never usage: E
[ultimate] (1). Pcxingxing Admin (pcxingxing)

Command> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "Pcxingxing Admin (pcxingxing) "
1024-bit DSA key, ID 195BF502, created 2008-08-22

Please select what kind of key you want:
(2) DSA (sign only)
(4) Elgamal (encrypt only)
(5) RSA (sign only)
(6) RSA (encrypt only)
Your selection? 2
DSA keypair will have 1024 bits.
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.+++++.+++++.++++++++++.+++++++++++++++...+++++++++++++++++++++++++.+++++.+++++.
+++++++++++++++...++++++++++.++++++++++.++++++++++++++++++++++++++++++.......+++
++

pub 1024D/195BF502 created: 2008-08-22 expires: never usage: SC
trust: ultimate validity: ultimate
sub 2048g/02630FCE created: 2008-08-22 expires: never usage: E
sub 1024D/B9F75C53 created: 2008-08-22 expires: never usage: S
[ultimate] (1). Pcxingxing Admin (pcxingxing)

Command> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "Pcxingxing Admin (pcxingxing) "
1024-bit DSA key, ID 195BF502, created 2008-08-22

Please select what kind of key you want:
(2) DSA (sign only)
(4) Elgamal (encrypt only)
(5) RSA (sign only)
(6) RSA (encrypt only)
Your selection? 4
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 0
ELG-E keysizes must be in the range 1024-4096
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
...+++++.+++++++++++++++.+++++.++++++++++.+++++..++++++++++.+++++.++++++++++...+
++++...+++++.+++++++++++++++.+++++++++++++++..+++++.++++++++++....+++++.+++++.++
++++++++...+++++>...+++++..+++++>+++++........+++++^^^

pub 1024D/195BF502 created: 2008-08-22 expires: never usage: SC
trust: ultimate validity: ultimate
sub 2048g/02630FCE created: 2008-08-22 expires: never usage: E
sub 1024D/B9F75C53 created: 2008-08-22 expires: never usage: S
sub 2048g/136191CB created: 2008-08-22 expires: never usage: E
[ultimate] (1). Pcxingxing Admin (pcxingxing)

Command> quit
Save changes? (y/N) y

============================================================

Now a keyring can be exported for each purpose. In a secret keyring exported with the --export-secret-subkeys option the primary key is unusable (only a stub is included), which keeps it safe. When preparing the keyring for each purpose, use the passwd command to set a different passphrase and then delete the subkeys that are not needed there.

C:\Documents and Settings\user>gpg --edit pcxingxing
gpg (GnuPG) 1.4.7; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Secret key is available.

pub 1024D/195BF502 created: 2008-08-22 expires: never usage: SC
trust: ultimate validity: ultimate
sub 2048g/02630FCE created: 2008-08-22 expires: never usage: E
sub 1024D/B9F75C53 created: 2008-08-22 expires: never usage: S
sub 2048g/136191CB created: 2008-08-22 expires: never usage: E
[ultimate] (1). Pcxingxing Admin (pcxingxing)

Command> passwd
Key is protected.

You need a passphrase to unlock the secret key for
user: "Pcxingxing Admin (pcxingxing) "
1024-bit DSA key, ID 195BF502, created 2008-08-22

Enter the new passphrase for this secret key.
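The export step described above, as an added example that is not part of the original post: it builds a laptop keyring holding only the subkeys and then checks the resulting listing for the `sec#` stub marker. It assumes gpg is on PATH, uses the post's primary key ID as a placeholder default, and works with the GnuPG 1.4 listing format shown in the post.

```sh
#!/bin/sh
# Added example (not from the original post): build a "laptop" keyring that
# carries only the subkeys, then verify the primary secret key is really absent.
# Assumptions: gpg is on PATH; KEYID is the primary key ID from the post; the
# output directory is a placeholder; the passwd step is interactive.
KEYID="${KEYID:-195BF502}"
OUT="${OUT:-./laptop-keyring}"

# --export-secret-subkeys writes the primary secret key as a stub, so a stolen
# laptop copy can sign and decrypt but cannot certify other keys, add subkeys
# or revoke the primary key. The import goes into a fresh GNUPGHOME that stands
# in for the laptop, where the copy gets its own passphrase.
build_laptop_keyring() {
    mkdir -p "$OUT/home" && chmod 700 "$OUT" "$OUT/home"
    gpg --export "$KEYID" > "$OUT/pub.gpg"
    gpg --export-secret-subkeys "$KEYID" > "$OUT/subkeys.gpg"
    GNUPGHOME="$OUT/home" gpg --import "$OUT/pub.gpg" "$OUT/subkeys.gpg"
    GNUPGHOME="$OUT/home" gpg --edit-key "$KEYID" passwd save   # new passphrase for this copy
    GNUPGHOME="$OUT/home" gpg --list-secret-keys "$KEYID"
}

# In GnuPG 1.4 `--list-secret-keys` output a stubbed primary is printed as
# "sec#", a usable one as "sec". Returns 0 (true) when the primary is a stub.
primary_is_stub() {
    printf '%s\n' "$1" | grep -q '^sec#'
}

# Prints the key IDs of the subkeys (ssb lines, "bits/keyid" column) in that output.
list_subkey_ids() {
    printf '%s\n' "$1" | awk '$1 == "ssb" || $1 == "ssb#" { split($2, a, "/"); print a[2] }'
}

# Constructed sample of the listing expected on the laptop (key IDs taken from
# the post; this is sample text, not captured gpg output).
SAMPLE_LAPTOP='sec#  1024D/195BF502 2008-08-22
uid                  Pcxingxing Admin (pcxingxing)
ssb   2048g/02630FCE 2008-08-22
ssb   1024D/B9F75C53 2008-08-22
ssb   2048g/136191CB 2008-08-22'

if primary_is_stub "$SAMPLE_LAPTOP"; then
    echo "primary key is a stub; subkeys: $(list_subkey_ids "$SAMPLE_LAPTOP" | tr '\n' ' ')"
else
    echo "WARNING: this keyring contains the full primary secret key" >&2
fi

# Run the real export only when asked for, e.g. RUN_GPG=1 KEYID=... sh laptop-keyring.sh
if [ "${RUN_GPG:-0}" = 1 ]; then
    build_laptop_keyring
fi
```

After importing the exported file on the laptop, run the same `sec#` check on the real listing: a plain `sec` line means the full primary secret key was copied and the export must be redone.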

Don't forget to publish the public key.
C:\Documents and Settings\user>gpg --keyserver keyserver.ubuntu.com --send-keys 195BF502
gpg: sending key 195BF502 to hkp server keyserver.ubuntu.com
Refresh the public key:

gpg --keyserver keyserver.ubuntu.com --refresh-keys
If this key has not been trusted yet, the trust level can be set now:
gpg --edit-key pcxingxing
Command> trust
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
pub 1024D/195BF502 created: 2008-08-22 expires: never usage: SC
trust: ultimate validity: ultimate
sub 2048g/02630FCE created: 2008-08-22 expires: never usage: E
sub 1024D/B9F75C53 created: 2008-08-22 expires: never usage: S
sub 2048g/136191CB created: 2008-08-22 expires: never usage: E
[ultimate] (1). Pcxingxing Admin (pcxingxing)
Command> quit

