一、什么是 GPG

以下引自维基百科

GNU Privacy Guard(GnuPG或GPG)是一种加密软件,它是PGP加密软件的满足GPL的替代物。GnuPG依照由IETF订定的OpenPGP技术标准设计。GnuPG用于加密、数位签章及产生非对称钥匙对的软件。

简单来说,GPG 是商业加密软件 PGP 的开源替代方案。它是用来做个人数据认证和加密的。

二、测试环境

操作系统 ArchLinux
GnuPG 2.2.7

三、创建 GPG 证书

GPG 证书的创建方式有很多有,本文使用的方法自定义程度比较好,可以将同一个证书拆分成不同的子密钥,每个子密钥承担不同的用途。

1、创建主密钥

主密钥只负责对他人的证书进行确认以及生成/吊销子密钥,不作为日常用途使用。同时。建议将主密钥单独分离保存,尽量不要与子密钥在同一个存储介质上。

  1. # --expert 启用专家模式,可以更为细致的控制生成密钥的用途
  2. # --full-generate-key 使用全功能模式生成密钥
  3. [root@archlinux ~]# gpg --expert --full-generate-key
  4. gpg (GnuPG) 2.2.7; Copyright (C) 2018 Free Software Foundation, Inc.
  5. This is free software: you are free to change and redistribute it.
  6. There is NO WARRANTY, to the extent permitted by law.
  8. Please select what kind of key you want:
  9.    (1) RSA and RSA (default)
  10.    (2) DSA and Elgamal
  11.    (3) DSA (sign only)
  12.    (4) RSA (sign only)
  13.    (7) DSA (set your own capabilities)
  14.    (8) RSA (set your own capabilities)
  15.    (9) ECC and ECC
  16.   (10) ECC (sign only)
  17.   (11) ECC (set your own capabilities)
  18.   (13) Existing key
  19. Your selection? 8   # 此处选择 8,生成 RSA 密钥同时自定义生成密钥的功能
  21. # Certify 主密钥证书功能
  22. # Sign 签名证书功能
  23. # Encrypt 加密证书功能
  24. # Authenticate 认证证书功能
  25. Possible actions for a RSA key: Sign Certify Encrypt Authenticate
  26. Current allowed actions: Sign Certify Encrypt 
  28.    (S) Toggle the sign capability
  29.    (E) Toggle the encrypt capability
  30.    (A) Toggle the authenticate capability
  31.    (Q) Finished
  33. Your selection?
  34. # 此处依次输入 S 和 E(每次只输入一个)
  35. # 去掉 Current allowed actions 中的 Sign 和 Encrypt 功能
  36. # 只保留 Certify 功能作为主密钥的用途
  38. # 最终显示如下
  39. Possible actions for a RSA key: Sign Certify Encrypt Authenticate
  40. Current allowed actions: Certify 
  42.    (S) Toggle the sign capability
  43.    (E) Toggle the encrypt capability
  44.    (A) Toggle the authenticate capability
  45.    (Q) Finished
  47. Your selection? Q   # 输入 Q 完成证书功能选择
  48. RSA keys may be between 1024 and 4096 bits long.
  49. What keysize do you want? (2048) 4096   # 推荐 4096 bits 的长度,2048 bits 的证书目前已不是非常安全
  50. Requested keysize is 4096 bits
  51. Please specify how long the key should be valid.
  52.          0 = key does not expire
  53.       <n>  = key expires in n days
  54.       <n>w = key expires in n weeks
  55.       <n>m = key expires in n months
  56.       <n>y = key expires in n years
  57. Key is valid for? (0) 1y    # 1y 代表证书有效期为一年
  58. Key expires at Thu May 30 18:56:27 2019 CST
  59. Is this correct? (y/N) y    # 确认信息
  61. GnuPG needs to construct a user ID to identify your key.
  63. Real name: isprotect.org    # 证书使用人的名字
  64. Email address: example@isprotect.org    # 证书使用人的邮箱
  65. Comment: This is the gpg example for isprotect.org  # 备注信息
  66. You selected this USER-ID:
  67.     "isprotect.org (This is the gpg example for isprotect.org) <example@isprotect.org>"
  69. Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o   # 输入 O 确认信息
  70. We need to generate a lot of random bytes. It is a good idea to perform
  71. some other action (type on the keyboard, move the mouse, utilize the
  72. disks) during the prime generation; this gives the random number
  73. generator a better chance to gain enough entropy.
  74. # 此处提示需要收集计算机的随机数据
  75. # 以产生大量的熵来生成密钥
  76. # 为加快生成进度,建议在系统中新打开一个 shell 进行大文件(2GB 以上)拷贝
  77. # 加快生成进度的操作不影响证书的加密性能
  79. # 生成的证书信息和保存位置
  80. gpg: key 7D94098984B1C2E1 marked as ultimately trusted
  81. gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/167AA294FA8510F70F7049BA7D94098984B1C2E1.rev'
  82. public and secret key created and signed.
  84. pub   rsa4096 2018-05-30 [C] [expires: 2019-05-30]  # [C] 代表是确认证书,也就是主密钥的功能
  85.       167AA294FA8510F70F7049BA7D94098984B1C2E1
  86. uid                      isprotect.org (This is the gpg example for isprotect.org) <example@isprotect.org>

2、创建子密钥

上面创建了主密钥,下面进行子密钥的创建操作。

  1. # 编辑刚刚生成的密钥
  2. [root@archlinux ~]# gpg --expert --edit-key isprotect.org
  3. gpg (GnuPG) 2.2.7; Copyright (C) 2018 Free Software Foundation, Inc.
  4. This is free software: you are free to change and redistribute it.
  5. There is NO WARRANTY, to the extent permitted by law.
  7. Secret key is available.
  9. # 密钥信息
  10. gpg: checking the trustdb
  11. gpg: marginals needed: 3  completes needed: 1  trust model: pgp
  12. gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
  13. gpg: next trustdb check due at 2019-05-30
  14. sec  rsa4096/7D94098984B1C2E1
  15.      created: 2018-05-30  expires: 2019-05-30  usage: C   # 主密钥功能
  16.      trust: ultimate      validity: ultimate
  17. [ultimate] (1). isprotect.org (This is the gpg example for isprotect.org) <example@isprotect.org>
  19. # 添加签名子密钥
  20. gpg> addkey
  21. Please select what kind of key you want:
  22.    (3) DSA (sign only)
  23.    (4) RSA (sign only)
  24.    (5) Elgamal (encrypt only)
  25.    (6) RSA (encrypt only)
  26.    (7) DSA (set your own capabilities)
  27.    (8) RSA (set your own capabilities)
  28.   (10) ECC (sign only)
  29.   (11) ECC (set your own capabilities)
  30.   (12) ECC (encrypt only)
  31.   (13) Existing key
  32. Your selection? 8
  34. Possible actions for a RSA key: Sign Encrypt Authenticate
  35. Current allowed actions: Sign Encrypt 
  37.    (S) Toggle the sign capability
  38.    (E) Toggle the encrypt capability
  39.    (A) Toggle the authenticate capability
  40.    (Q) Finished
  42. Your selection?     # 输入 E 去掉加密功能
  44. Possible actions for a RSA key: Sign Encrypt Authenticate
  45. Current allowed actions: Sign 
  47.    大专栏  创建 GPG 证书pan class="o">(S) Toggle the sign capability
  48.    (E) Toggle the encrypt capability
  49.    (A) Toggle the authenticate capability
  50.    (Q) Finished
  52. Your selection?     # 输入 Q 完成证书功能选择
  53. RSA keys may be between 1024 and 4096 bits long.
  54. What keysize do you want? (2048) 4096
  55. Requested keysize is 4096 bits
  56. Please specify how long the key should be valid.
  57.          0 = key does not expire
  58.       <n>  = key expires in n days
  59.       <n>w = key expires in n weeks
  60.       <n>m = key expires in n months
  61.       <n>y = key expires in n years
  62. Key is valid for? (0) 1y
  63. Key expires at Thu May 30 19:03:31 2019 CST
  64. Is this correct? (y/N) y
  65. Really create? (y/N) y
  66. We need to generate a lot of random bytes. It is a good idea to perform
  67. some other action (type on the keyboard, move the mouse, utilize the
  68. disks) during the prime generation; this gives the random number
  69. generator a better chance to gain enough entropy.
  71. sec  rsa4096/7D94098984B1C2E1
  72.      created: 2018-05-30  expires: 2019-05-30  usage: C
  73.      trust: ultimate      validity: ultimate
  74. ssb  rsa4096/A06E34D750CEE9FF
  75.      created: 2018-05-30  expires: 2019-05-30  usage: S     # 新生成的签名密钥
  76. [ultimate] (1). isprotect.org (This is the gpg example for isprotect.org) <example@isprotect.org>
  78. # 添加加密子密钥
  79. gpg> addkey
  80. Please select what kind of key you want:
  81.    (3) DSA (sign only)
  82.    (4) RSA (sign only)
  83.    (5) Elgamal (encrypt only)
  84.    (6) RSA (encrypt only)
  85.    (7) DSA (set your own capabilities)
  86.    (8) RSA (set your own capabilities)
  87.   (10) ECC (sign only)
  88.   (11) ECC (set your own capabilities)
  89.   (12) ECC (encrypt only)
  90.   (13) Existing key
  91. Your selection? 8
  93. Possible actions for a RSA key: Sign Encrypt Authenticate
  94. Current allowed actions: Sign Encrypt 
  96.    (S) Toggle the sign capability
  97.    (E) Toggle the encrypt capability
  98.    (A) Toggle the authenticate capability
  99.    (Q) Finished
  101. Your selection?     # 输入 S 去掉签名功能
  103. Possible actions for a RSA key: Sign Encrypt Authenticate
  104. Current allowed actions: Encrypt 
  106.    (S) Toggle the sign capability
  107.    (E) Toggle the encrypt capability
  108.    (A) Toggle the authenticate capability
  109.    (Q) Finished
  111. Your selection?     # 输入 Q 完成证书功能选择
  112. RSA keys may be between 1024 and 4096 bits long.
  113. What keysize do you want? (2048) 4096
  114. Requested keysize is 4096 bits
  115. Please specify how long the key should be valid.
  116.          0 = key does not expire
  117.       <n>  = key expires in n days
  118.       <n>w = key expires in n weeks
  119.       <n>m = key expires in n months
  120.       <n>y = key expires in n years
  121. Key is valid for? (0) 1y
  122. Key expires at Thu May 30 19:05:35 2019 CST
  123. Is this correct? (y/N) y
  124. Really create? (y/N) y
  125. We need to generate a lot of random bytes. It is a good idea to perform
  126. some other action (type on the keyboard, move the mouse, utilize the
  127. disks) during the prime generation; this gives the random number
  128. generator a better chance to gain enough entropy.
  130. sec  rsa4096/7D94098984B1C2E1
  131.      created: 2018-05-30  expires: 2019-05-30  usage: C
  132.      trust: ultimate      validity: ultimate
  133. ssb  rsa4096/A06E34D750CEE9FF
  134.      created: 2018-05-30  expires: 2019-05-30  usage: S
  135. ssb  rsa4096/8053318D031262E2
  136.      created: 2018-05-30  expires: 2019-05-30  usage: E     # 新生成的加密子密钥
  137. [ultimate] (1). isprotect.org (This is the gpg example for isprotect.org) <example@isprotect.org>
  139. # 添加认证子密钥
  140. gpg> addkey
  141. Please select what kind of key you want:
  142.    (3) DSA (sign only)
  143.    (4) RSA (sign only)
  144.    (5) Elgamal (encrypt only)
  145.    (6) RSA (encrypt only)
  146.    (7) DSA (set your own capabilities)
  147.    (8) RSA (set your own capabilities)
  148.   (10) ECC (sign only)
  149.   (11) ECC (set your own capabilities)
  150.   (12) ECC (encrypt only)
  151.   (13) Existing key
  152. Your selection? 8
  154. Possible actions for a RSA key: Sign Encrypt Authenticate
  155. Current allowed actions: Sign Encrypt 
  157.    (S) Toggle the sign capability
  158.    (E) Toggle the encrypt capability
  159.    (A) Toggle the authenticate capability
  160.    (Q) Finished
  162. Your selection?
  163. # 依次输入 S、E 和 A(每次输入一个)
  164. # 去掉签名和加密功能,添加认证功能
  166. Possible actions for a RSA key: Sign Encrypt Authenticate
  167. Current allowed actions: Authenticate 
  169.    (S) Toggle the sign capability
  170.    (E) Toggle the encrypt capability
  171.    (A) Toggle the authenticate capability
  172.    (Q) Finished
  174. Your selection?     # 输入 Q 完成证书功能选择
  175. RSA keys may be between 1024 and 4096 bits long.
  176. What keysize do you want? (2048) 4096
  177. Requested keysize is 4096 bits
  178. Please specify how long the key should be valid.
  179.          0 = key does not expire
  180.       <n>  = key expires in n days
  181.       <n>w = key expires in n weeks
  182.       <n>m = key expires in n months
  183.       <n>y = key expires in n years
  184. Key is valid for? (0) 1y
  185. Key expires at Thu May 30 19:08:37 2019 CST
  186. Is this correct? (y/N) y
  187. Really create? (y/N) y
  188. We need to generate a lot of random bytes. It is a good idea to perform
  189. some other action (type on the keyboard, move the mouse, utilize the
  190. disks) during the prime generation; this gives the random number
  191. generator a better chance to gain enough entropy.
  193. sec  rsa4096/7D94098984B1C2E1
  194.      created: 2018-05-30  expires: 2019-05-30  usage: C
  195.      trust: ultimate      validity: ultimate
  196. ssb  rsa4096/A06E34D750CEE9FF
  197.      created: 2018-05-30  expires: 2019-05-30  usage: S
  198. ssb  rsa4096/8053318D031262E2
  199.      created: 2018-05-30  expires: 2019-05-30  usage: E
  200. ssb  rsa4096/4D120399CB422D77
  201.      created: 2018-05-30  expires: 2019-05-30  usage: A     # 新生成的认证子密钥
  202. [ultimate] (1). isprotect.org (This is the gpg example for isprotect.org) <example@isprotect.org>
  204. # 保存密钥信息
  205. gpg> save

最后的密钥信息如上面显示,每个密钥只有单一的功能。

四、总结

本文中一共创建了一个主密钥和三个子密钥,分别用于确认证书、签名、加密和认证。这么创建证书的目的是为了方便对密钥进行管理以及降低密钥丢失的风险。当某一密钥丢失的时候,只需要通过主密钥来生成丢失子密钥的吊销证书就可以了,不必将整个密钥丢弃,否则就会丢失密钥的人际关系。当然,千万要保存好主密钥!!!

创建 GPG 证书的更多相关文章

  1. IOS开发创建开发证书及发布App应用(二)——创建证书

    2. 创建证书 证书分为两种,一种是开发者证书,主要是用来真机调试的 另一种就是发布证书,就是用来发布应用的, 最好是两种都要下载,不然编译时候可能报错,我猜想可能苹果怕你没用真机调试 创建证书分为两 ...

  2. Mac 创建证书(以 创建gdb证书 为例 )

    open /Applications/Utilities/Keychain\ Access.app/ 打开 钥匙串访问 继续继续 创建完毕. Now that we have a certificat ...

  3. 创建https证书

    第一个里程碑:创建https证书 创建文件认证目录 mkdir /application/nginx/key/ -p 在认证目录下创建认证文件 openssl req -new -x509 -node ...

  4. 基于CFSSL工具创建CA证书,服务端证书,客户端证书

    背景描述 在局域网中部署组件时,想要通过证书来实现身份的认证,确保通信的安全性,可以通过cfssl工具来进行CA证书,服务端证书,客户端证书的创建. 目录 背景描述 部署cfssl工具 下载,上传cf ...

  5. suse 12 二进制部署 Kubernetets 1.19.7 - 第01章 - 创建CA证书和kubectl集群管理命令

    文章目录 1.kubernetes集群部署 1.0.创建CA证书和秘钥 1.0.0.安装cfssl工具 1.0.1.创建根证书 1.0.2.创建证书签名请求文件 1.0.3.生成CA证书和秘钥 1.0 ...

  6. 使用Let's Encrypt手动创建https证书

    Let's Encrypt是一个开源免费的SSL证书项目,是由 Mozilla.思科.Akamai.IdenTrust 和 EFF 等组织发起的,现由Linux基金会托管. 这篇博文分享的是使用let ...

  7. iOS 创建上线证书

    1.制作上线证书需要准备一个付费的账号(99$),登陆https://developer.apple.com在最上方的位置点击Member Center进入登陆界面,在登陆界面输入付费的账号和密码进入 ...

  8. IOS开发创建开发证书及发布App应用(四)——创建配置概要文件

    4.创建配置概要文件 继续上一篇所讲,今天写的这个是创建配置概要文件 依然在个人中心创建证书这里, 如果不知道的,可以查看以前写的 配置概要文件也分为两种 1)创建开发配置概要文件 2)创建发布配置概 ...

  9. IOS开发创建开发证书及发布App应用(三)——创建App ID

    3.创建App ID 继续上一篇所讲,今天写的这个是创建App ID 依然在个人中心创建证书这里, 如果不知道的,可以查看以前写的 点击左边的 Identifiers  下面的App IDs,如下图 ...

随机推荐

  1. 【python】两行代码实现近百年的正反日期查询--20200202

    到2020年了.有个日期也火了,记得上一次还是2011年11月2日.为啥捏,因为日期写成数字形式 正反是一样的. 2020年也有一个这样的日期.20200202:2020年2月2日. 于是乎想写一段代 ...

  2. IDEA中的常用插件安装以及使用的介绍

    IDEA中的lombok插件安装以及各注解的详细介绍 Grep Console 当你密密麻麻一大片的日志,去查看起来,很容易看花眼:这个工具正好解决了这个痛点,可以说它就是 IDEA 自带 Conso ...

  3. MySQL获取或者查询数据库某个字段的特定几位(substring)

    一.获取特定的几位: date字段值为(2019-12-13) 1.取date的后5位 select SUBSTRING(date,-5)from letter 结果为12-13 2从左开始第6位取( ...

  4. linux下特殊命令集锦

    1.ifconfig -a | grep enp0 | cut -d : -f 1   //按照:进行切割网络文件名 如:ifconfig `ifconfig -a | grep enp0 | cut ...

  5. Mysql_常规操作

    001.数据库 全局操作 # 连接数据库: # mysql -h主机地址 -u用户名 -p(登陆用户密码)     ​# 修改用户密码 mysqladmin # mysqladmin -u root ...

  6. python3.7解释器安装及配置虚拟环境

    目录 环境准备 一.开始安装解释器(安装很简单,直接上图) 二.配置pip工具下载源 安装虚拟环境 环境准备 1.Windows系统,本人是 Windows10专业版 2.python解释器安装包,本 ...

  7. DFS-BFS(深搜广搜)原理及C++代码实现

    深搜和广搜是图很多算法的基础,很多图的算法都是从这两个算法中启发而来. 深搜简单地说就是直接一搜到底,然后再回溯,再一搜到底,一直如此循环到没有新的结点. 广搜简单地说就是一层一层的搜,像水的波纹一样 ...

  8. linux_cat命令

    cat 命令可以用来显示文本文件的内容(类似于 DOS 下的 type 命令),也可以把几个文件内容附加到另一个文件中,即连接合并文件. 关于此命令,有人认为写 cat 命令的人是因为喜欢猫,因此给此 ...

  9. F. Maximum Weight Subset(贪心or树形dp解法)

    题:https://codeforces.com/contest/1249/problem/F 题意:给一颗树,边权为1,节点有点权,问取到一个点集,俩俩之间路径超过k,是点权和最大 思路:贪心地取点 ...

  10. single-value grouping |limit grouping|cutpoint grouping|Lower class limit|Upper class limit|Class width|Class mark|rounding error or roundoff error|Histograms|Dotplots|Stem-and-Leaf

    2.3 Organizing Quantitative Data group quantitative data: To organize quantitative data, we first gr ...