```
$ gpg --full-generate-key
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory '/home/locez/.gnupg' created
gpg: keybox '/home/locez/.gnupg/pubring.kbx' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Locez
Email address: loki.a@live.cn
Comment:
You selected this USER-ID:
    "Locez <loki.a@live.cn>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
```
At this point, move the mouse and type on the keyboard so that GnuPG can gather enough random data.

Generate a subkey for authentication
```
$ gpg --expert --edit-key Locez
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg> addkey
```
Then just follow the wizard's prompts. Usually you choose (8) RSA (set your own capabilities) and then a 4096-bit key. The capability selection for the subkey should look like this:
```
Possible actions for a RSA key: Sign Encrypt Authenticate
Current allowed actions: Sign Encrypt     ### shown here are the purposes this subkey may be used for;
                                          ### adjust them by toggling the switches below as many times as needed

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection?
```
Then repeat the steps above to add another subkey, this one for signing. The final result should look roughly like this; use the save command to save and quit.
```
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub  rsa4096/AAAAAAAAAAAAAAAA
     created: 2018-04-24  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/BBBBBBBBBBBBBBBB
     created: 2018-04-24  expires: never       usage: E
ssb  rsa4096/CCCCCCCCCCCCCCCC
     created: 2018-04-24  expires: never       usage: A
ssb  rsa4096/DDDDDDDDDDDDDDDD
     created: 2018-04-24  expires: never       usage: S
[ultimate] (1). Locez <loki.a@live.cn>
```
```
gpg --edit-key Locez
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa4096/AAAAAAAAAAAAAAAA
     created: 2018-04-24  expires: never       usage: SC
     trust: ultimate      validity: ultimate
ssb  rsa4096/BBBBBBBBBBBBBBBB
     created: 2018-04-24  expires: never       usage: E
     card-no: 0000 00000001
ssb  rsa4096/CCCCCCCCCCCCCCCC
     created: 2018-04-24  expires: never       usage: A
     card-no: 00000 00000001
ssb  rsa4096/DDDDDDDDDDDDDDDD
     created: 2018-04-24  expires: never       usage: S
     card-no: 000000 00000001
[ultimate] (1). Locez <loki.a@live.cn>
```
```
$ gpg --delete-secret-key Locez
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
```
Likewise, if you now run `gpg --edit-key Locez` you will see the words `Secret subkeys are available.`, meaning that only the subkeys are available, not the original primary key.
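A scripted version of that check, added here and not part of the original post: it reads the machine-readable listing from `gpg --with-colons --list-secret-keys Locez` and confirms that the primary secret key is an offline stub while the E, A and S subkeys each carry a card serial number. The two listings below, the field layout aside, are constructed samples (key IDs as in the post, made-up card serial), and the function assumes a single secret key in the listing.

```shell
#!/bin/sh
# Added check (not from the original post): verify the post's end state.
# Input: output of `gpg --with-colons --list-secret-keys <uid>`.
# In sec/ssb records field 12 is the capability string and field 15 is the
# card serial number, or '#' for a plain stub with no secret material.
# Assumes a single secret key in the listing.
check_card_layout() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "sec" {
            seen_sec = 1
            if ($15 != "#") { print "primary secret key is still on disk"; bad = 1 }
        }
        $1 == "ssb" {
            if ($15 == "" || $15 == "#") { print "subkey " $5 " is not on a card"; bad = 1 }
            caps = caps $12
        }
        END {
            if (!seen_sec) { print "no secret key listed"; bad = 1 }
            if (caps !~ /e/ || caps !~ /a/ || caps !~ /s/) {
                print "need E, A and S subkeys, found: " caps; bad = 1
            }
            if (!bad) print "ok: primary key offline, E/A/S subkeys on card"
            exit (bad ? 1 : 0)
        }'
}

# Constructed listing for the post's final state (the card serial is a
# made-up value; a real one embeds the YubiKey serial number).
GOOD_LISTING='sec:u:4096:1:AAAAAAAAAAAAAAAA:1524528000:::u:::scESCA:::#:::23::0:
uid:u::::1524528000::0000000000000000000000000000000000000000::Locez <loki.a@live.cn>::::::::::0:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1524528000::::::e:::D2760001240102010000000000010000:::23:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1524528000::::::a:::D2760001240102010000000000010000:::23:
ssb:u:4096:1:DDDDDDDDDDDDDDDD:1524528000::::::s:::D2760001240102010000000000010000:::23:'

# Constructed listing before `gpg --delete-secret-key`: the primary key has
# no '#' and the signing subkey was never moved to the card (empty field 15).
BAD_LISTING='sec:u:4096:1:AAAAAAAAAAAAAAAA:1524528000:::u:::scESCA::::::23::0:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1524528000::::::e:::D2760001240102010000000000010000:::23:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1524528000::::::a:::D2760001240102010000000000010000:::23:
ssb:u:4096:1:DDDDDDDDDDDDDDDD:1524528000::::::s::::::23:'

check_card_layout "$GOOD_LISTING"
```

Against a real keyring, run `check_card_layout "$(gpg --with-colons --list-secret-keys Locez)"`; a non-zero exit means some secret material is still on disk or a subkey is missing.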
Simple test

To verify that the keys were written to the card successfully, do a simple test. First unplug the YubiKey:
```
$ echo "Hello, this is a test" > test
$ gpg --output test.en -se test
You did not specify a user ID. (you may use "-r")

Current recipients:

Enter the user ID.  End with an empty line: Locez

Current recipients:
rsa4096/BBBBBBBBBBBBBBBB 2018-04-24 "Locez <loki.a@live.cn>"

Enter the user ID.  End with an empty line:
```
Finish with an empty line; you will then be asked to insert the YubiKey and enter the PIN to carry out the encryption.

Decryption looks like this:
```
gpg --decrypt test.en
gpg: encrypted with 4096-bit RSA key, ID BBBBBBBBBBBBBBBB, created 2018-04-24
      "Locez <loki.a@live.cn>"
Hello, this is a test
gpg: Signature made Tue 24 Apr 2018 09:08:28 PM CST
gpg:                using RSA key BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
gpg: Good signature from "Locez <loki.a@live.cn>" [ultimate]
```