GPG 密钥创建(+替代SSH使用)
中英对照:
英文 | 中文 |
---|---|
Key | 密钥 |
Capability | 能力 |
Certify | 认证 |
Sign | 签名 |
Encrypt | 加密 |
Authenticate | 鉴权 |
其实我对于 Certify 和 Authenticate 的翻译有点不满意,但又不知道怎么翻译好
如果你有相关的问题/意见,欢迎留言。
但我不常看论坛,你也可以选择给我发邮件就是了:learnku@sunxyw.xyz
创建主密钥
主密钥是一个只用于创建子密钥的密钥,换言之,它只需要认证 Certify
能力,而其他能力:签名 Sign
/ 加密 Encrypt
/ 鉴权 Authenticate
则会分配给子密钥。
开始生成密钥,并选择自定能力:
$ gpg --full-generate-key --expert gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. . Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) (7) DSA (set your own capabilities) (8) RSA (set your own capabilities) (9) ECC and ECC (10) ECC (sign only) (11) ECC (set your own capabilities) (13) Existing key (14) Existing key from card Your selection? 8
依次输入
S
和E
禁用对应的能力,仅保留Certify
能力,最后输入Q
退出:Possible actions for a RSA key: Sign Certify Encrypt Authenticate Current allowed actions: Sign Certify Encrypt . (S) Toggle the sign capability (E) Toggle the encrypt capability (A) Toggle the authenticate capability (Q) Finished . Your selection? S . Possible actions for a RSA key: Sign Certify Encrypt Authenticate Current allowed actions: Certify Encrypt . (S) Toggle the sign capability (E) Toggle the encrypt capability (A) Toggle the authenticate capability (Q) Finished . Your selection? E . Possible actions for a RSA key: Sign Certify Encrypt Authenticate Current allowed actions: Certify . (S) Toggle the sign capability (E) Toggle the encrypt capability (A) Toggle the authenticate capability (Q) Finished . Your selection? Q
输入密钥长度(可自行选择,越高越安全):
RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (3072) 4096 Requested keysize is 4096 bits
输入有效期(
2d
两天,3w
为三周,5m
为五月,1y
为一年):Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 1y Key expires at Mon Aug 14 17:32:10 2023 CST Is this correct? (y/N) y
输入信息以构建用户 ID:
GnuPG needs to construct a user ID to identify your key. . Real name: <这里输入你的名字> Email address: <这里输入你的邮箱> Comment: <留空> You selected this USER-ID: "<你的名字> <<你的邮箱>>" . Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
输入密钥密码:
此处忘记复制了,大致上就是一个框,中间 `Passphrase` 输密码,然后再输入一次,然后回车。
完成生成:
We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. gpg: key <你的密钥ID> marked as ultimately trusted gpg: revocation certificate stored as '<撤销密钥保存路径>' public and secret key created and signed. . pub rsa4096 2022-08-14 [C] [expires: 2023-08-14] E08F47B250F8CB12347B2DFA11DC61840BEABCED uid <你的名字> <<你的邮箱>>
生成完成后,建议将撤销密钥保存到安全的位置(物理硬盘或打印)。
生成用于替代 SSH 密钥的子密钥(签名、加密及鉴权)
开始生成
gpg --expert --edit-key <你的名字> gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. . Secret key is available. . gpg: checking the trustdb gpg: marginals needed: 3 completes needed: 1 trust model: pgp gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u gpg: next trustdb check due at 2023-08-14 sec rsa4096/11DC61840BEB9ECD created: 2022-08-14 expires: 2023-08-14 usage: C trust: ultimate validity: ultimate [ultimate] (1). <你的名字> <<你的邮箱>>
你应该会看见一个由
gpg>
开头的,类似命令行的东西,我称作 GPG 控制台,下文以gpg>
开头的就是指这里的输入。添加子密钥,并选择自定能力
gpg> addkey Please select what kind of key you want: (3) DSA (sign only) (4) RSA (sign only) (5) Elgamal (encrypt only) (6) RSA (encrypt only) (7) DSA (set your own capabilities) (8) RSA (set your own capabilities) (10) ECC (sign only) (11) ECC (set your own capabilities) (12) ECC (encrypt only) (13) Existing key (14) Existing key from card Your selection? 8
添加鉴权
Authenticate
能力,其他两种应已默认启用,最终应有Sign``Encrypt``Authenticate
三种能力Possible actions for a RSA key: Sign Encrypt Authenticate Current allowed actions: Sign Encrypt (S) Toggle the sign capability (E) Toggle the encrypt capability (A) Toggle the authenticate capability (Q) Finished . Your selection? A . Possible actions for a RSA key: Sign Encrypt Authenticate Current allowed actions: Sign Encrypt Authenticate (S) Toggle the sign capability (E) Toggle the encrypt capability (A) Toggle the authenticate capability (Q) Finished . Your selection? Q
输入密钥长度
RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (3072) 4096 Requested keysize is 4096 bits
输入有效期
Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 1y Key expires at Mon Aug 14 18:03:22 2023 CST Is this correct? (y/N) y Really create? (y/N) y
输入主密钥密码(上一部分你设置的那个),并完成生成
We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. . sec rsa4096/<主密钥ID> created: 2022-08-14 expires: 2023-08-14 usage: C trust: ultimate validity: ultimate ssb rsa4096/<子密钥ID> created: 2022-08-14 expires: 2023-08-14 usage: SEA [ultimate] (1). <你的名字> <<你的邮箱>>
记得保存!!!
gpg> save
最后你可以确认一下生成成功
$ gpg --list-keys <保存路径> .------------------------------- pub rsa4096 2022-08-14 [C] [expires: 2023-08-14] E08F47B250F8CB85627B2DFA11DC61840BHJKLO uid [ultimate] <你的名字> <<你的邮箱>> sub rsa4096 2022-08-14 [SEA] [expires: 2023-08-14]
你应该会看到如上图的,拥有认证
C
能力的主密钥pub
以及拥有签名加密鉴权SEA
能力的sub
子密钥。
设置 GPG Agent 以用于 SSH 验证
启用 GPG Agent 的 SSH 支持
nano ~/.gnupg/gpg-agent.conf
用编辑器打开后,将
enable-ssh-support
添加到文件末尾设置
SSH_AUTH_SOCK
以使 SSH 使用 GPG Agent 替代 SSH Agent,将以下内容添加到对应终端的启动脚本fish: ~/.config/fish/config.fish bash: ~/.bashrc zsh: ~/.zshrc
我用的是 fish,不确定 bash 和 zsh 的路径是否正确。
# 这是 fish 的 set -e SSH_AGENT_PID if test -z $gnupg_SSH_AUTH_SOCK_BY; or test $gnupg_SSH_AUTH_SOCK_BY -ne $fish_pid set -gx SSH_AUTH_SOCK (gpgconf --list-dirs agent-ssh-socket) end set -gx GPG_TTY (tty) gpg-connect-agent updatestartuptty /bye >/dev/null
# 这是 bash 或 zsh 的 unset SSH_AGENT_PID if [ "${gnupg_SSH_AUTH_SOCK_by:-0}" -ne $$ ]; then export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)" fi export GPG_TTY=$(tty) gpg-connect-agent updatestartuptty /bye >/dev/null
获取子密钥 Keygrid
$ gpg --list-keys --with-keygrip <保存路径> .------------------------------- pub rsa4096 2022-08-14 [C] [expires: 2023-08-14] E08F47B250F12345677B2DFA11ABCDE40BEB9ECD Keygrip = D14395D05A68DE9876543044D42A0HGTYDEF7E38 uid [ultimate] <你的名字> <<你的邮箱>> sub rsa4096 2022-08-14 [SEA] [expires: 2023-08-14] Keygrip = <下一步用到的子密钥Keygrid>
添加子密钥 Keygrid 用于 SSH 验证
echo <上一步得到的子密钥Keygrid> >> ~/.gnupg/sshcontrol
重启终端
检查 SSH Key 是否存在
$ ssh-add -l 4096 SHA256:8xkd+tbKlCnz2+RCRliMqGsFBQIhPBHcRl6EtJ1vBtk (none) (RSA)
导出 SSH 公钥
$ gpg --export-ssh-key <你的名字> ssh-rsa <一长串内容> openpgp:0x193CEF1B
这整一个,连带
ssh-rsa
和openpgp:XXXXXXXX
就是你的公钥了,你可以将它上传到 GitHub 等平台。最后,你可以测试下是否有效
$ ssh -T git@github.com Hi sunxyw! You've successfully authenticated, but GitHub does not provide shell access.
好,完成。
感谢你的阅读,再见。
下一篇打算写将 GPG 密钥用于签名提交(Commit Signing)以及 GitHub Vigilant mode 的说明,也可能是 GnuPG 的日常使用?
本作品采用《CC 协议》,转载必须注明作者和本文链接
推荐文章: