GnuPG如何安全地分发私钥（1）GnuPG的用法

时间 2019-11-06

标签 gnupg 如何安全分发用法栏目系统安全繁體版

原文原文链接

本文只是对GnuPG最基本最简单最初级的介绍。redis

这篇文章从（做者本身瞎折腾的）问题 ------ 如何安全地分发私钥入手，简单全面地介绍了GnuPG的常规操做。c#

GnuPG还有不少其余功能，做者并无所有掌握，好比证书、密钥的撤销、管理等。安全

还有一个很重要的问题，pub与sub和sec与ssb的关系，待做者搞清楚后，再写文介绍吧。app

1 k与K

能够参考man gpg里的说明:dom

-kide

--list-public-keysui

List all keys from the public keyrings, or just the keys giventhis

on the command line.idea

Avoid using the output of this command in scripts or other pro-spa

grams as it is likely to change as GnuPG changes. See --with-

colons for a machine-parseable key listing command that is

appropriate for use in scripts and other programs.

--list-secret-keys

-K List all keys from the secret keyrings, or just the ones given

on the command line. A # after the letters sec means that the

secret key is not usable (for example, if it was created via

--export-secret-subkeys).

2 生成密钥

opensuse13:~ #

opensuse13:~ # gpg -K

opensuse13:~ # gpg -k

opensuse13:~ # gpg --gen-key

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:

(1) RSA and RSA (default)

(2) DSA and Elgamal

(3) DSA (sign only)

(4) RSA (sign only)

Your selection?

RSA keys may be between 1024 and 4096 bits long.

What keysize do you want? (2048) 4096

Requested keysize is 4096 bits

Please specify how long the key should be valid.

0 = key does not expire

<n> = key expires in n days

<n>w = key expires in n weeks

<n>m = key expires in n months

<n>y = key expires in n years

Key is valid for? (0) 5m

Key expires at Mon Apr 24 21:17:17 2017 CST

Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: FranklinYang

Email address: andypeker@163.com

Comment: Encrypt RSA 4096

You selected this USER-ID:

"FranklinYang (Encrypt RSA 4096) <andypeker@163.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform

some other action (type on the keyboard, move the mouse, utilize the

disks) during the prime generation; this gives the random number

generator a better chance to gain enough entropy.

We need to generate a lot of random bytes. It is a good idea to perform

some other action (type on the keyboard, move the mouse, utilize the

disks) during the prime generation; this gives the random number

generator a better chance to gain enough entropy.

gpg: key F55B4065 marked as ultimately trusted

public and secret key created and signed.

gpg: checking the trustdb

gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model

gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u

gpg: next trustdb check due at 2017-04-24

pub 4096R/276856F7 2016-11-25 [expires: 2017-04-24]

Key fingerprint = 13A2 DD5C 4BB1 13DA 9665 D49B 2055 C017 F55B 4065

uid [ultimate] FranklinYang (Encrypt RSA 4096) <andypeker@163.com>

sub 4096R/0A09DAC9 2016-11-25 [expires: 2017-04-24]

opensuse13:~ #

opensuse13:~ # gpg -k

/root/.gnupg/pubring.gpg

------------------------

pub 4096R/276856F7 2016-11-25 [expires: 2017-04-24]

uid [ultimate] FranklinYang (Encrypt RSA 4096) <andypeker@163.com>

sub 4096R/0A09DAC9 2016-11-25 [expires: 2017-04-24]

opensuse13:~ # gpg -K

/root/.gnupg/secring.gpg

------------------------

sec 4096R/276856F7 2016-11-25 [expires: 2017-04-24]

uid FranklinYang (Encrypt RSA 4096) <andypeker@163.com>

ssb 4096R/0A09DAC9 2016-11-25

opensuse13:~ #

3 公钥和私钥的区别

注意下面这个几个key：

pub sub sec ssb

各有用途！

好比下面：

opensuse13b:~ #

opensuse13b:~ # gpg -K

/root/.gnupg/secring.gpg

------------------------

sec 4096R/9DDE7116 2016-11-24 [expires: 2017-05-24]

uid suse13b RSA encrypt

ssb 4096R/EC3B4291 2016-11-24

sec# 2048R/6EB6C991 2016-11-24 [expires: 2017-02-22]

uid virtual RSA Encrypt <164820658@qq.com>

ssb 2048g/E423A188 2016-11-28

sec 2048R/EBD97E5C 2016-11-28

uid macOSwhyang

ssb 2048R/8EDFDBEC 2016-11-28

ssb 2048g/45FFDAC5 2016-11-28

ssb 2048D/C1CAA280 2016-11-28

opensuse13b:~ #