GPGKeyOnUSBDrive

From Ubuntu中文

Storing GPG Keys on an Encrypted USB Flash Drive

It is often desirable to be able to use a GPG key on more than one computer, for instance at home and at work, or on a desktop and a laptop. Unfortunately, storing encryption keys where you don't have physical control is generally a bad idea. Even storing keys on a laptop can be troublesome--if the laptop gets stolen, so does your GPG key. Luckily, you can probably revoke the key before anybody is able to decrypt it, but that's a hassle. What if you could securely store the key on a device that you always have on your person?

1 dm-crypt

From the dm-crypt website: "Device-mapper is a new infrastructure in the Linux 2.6 kernel that provides a generic way to create virtual layers of block devices that can do different things on top of real block devices like striping, concatenation, mirroring, snapshotting, etc... The device-mapper is used by the LVM2 and EVMS 2.x tools. dm-crypt is such a device-mapper target that provides transparent encryption of block devices using the new Linux 2.6 cryptoapi. The user can basically specify one of the symmetric ciphers, a key (of any allowed size), an iv generation mode and then he can create a new block device in /dev. Writes to this device will be encrypted and reads decrypted. You can mount your filesystem on it as usual. But without the key you can't access your data."

This is perfect for our needs. We will create an encrypted filesystem inside of a regular file on the USB flash drive, where we will store sensitive data like GnuPG keys.

1.1 Installing the Software

First, you will need to install cryptsetup:

sudo apt-get install cryptsetup

This will also pull in some other necessary dependencies.

2 Setting Up the Encrypted Filesystem

I store my GPG keys on a cheap, tiny USB flash drive that fits comfortably on my keyring. When I plug it in, it is automatically mounted as /media/usbdisk. The following sections will assume a similar setup.

I decided to make my encrypted filesystem live in a regular file rather than its own partition. This requires less tweaking of the disk, and makes mounting and unmounting the encrypted filesystem easier, as you will see later. However, many of the steps in this tutorial can be adapted to use a real partition instead of a regular file.

2.1 Creating the File

Before we can make a filesystem, we need a file that is large enough to hold it. This can be accomplished with dd:

dd if=/dev/zero of=/media/usbdisk/disk.img bs=1M count=16

The above command will make a 16 MB file containing only zeros. Modify the count option to get your desired encrypted filesystem size.

Setting up the Encrypted Loop Device

Before we can actually create the filesystem on our new file, we need to attach it to a loop device and set up a device-mapper target with encryption. losetup -f will find the first free loop device, so we will set its output to a variable called loopdev and use it for several commands:

sudo modprobe loop
sudo modprobe dm-crypt
sudo modprobe aes
export loopdev=$(sudo losetup -f)
sudo losetup $loopdev /media/usbdisk/disk.img
sudo cryptsetup -c aes -s 256 -h sha256 -y create usbkey $loopdev

This will set up the file with 256-bit AES encryption, hashing the passphrase you issue through SHA-256.

After it's set up, it's a good idea to remove the usbkey device-mapper device and re-run cryptsetup to make sure that you didn't mistype the initial password (I say this from experience...):

sudo cryptsetup remove usbkey
sudo cryptsetup -c aes -s 256 -h sha256 create usbkey $loopdev

If all goes well, we're ready for the next step!

Creating the Actual Filesystem

This is the easiest step of all. I chose the ext3 filesystem for its journaling capability, just in case the USB drive gets removed before the filesystem is unmounted. The cryptsetup command above created the device /dev/mapper/usbkey, which is a map through dm-crypt to the encrypted filesystem. So, this device appears to the system as a regular old block device, like a hard disk or partition. The following command will create an ext3 filesystem on the encrypted file:

sudo mkfs.ext3 /dev/mapper/usbkey

Now, try mounting the filesystem:

sudo mkdir -p /mnt/encrypted
sudo mount -t ext3 /dev/mapper/usbkey /mnt/encrypted

Setting up GnuPG on the Encrypted Filesystem

Now, make a .gnupg directory in /mnt/encrypted, make it owned by your user, and link it to your own ~/.gnupg (if you already have a .gnupg directory, move it out of the way first):

sudo mkdir /mnt/encrypted/.gnupg
sudo chown "$(id -u):$(id -g)" /mnt/encrypted/.gnupg
chmod 0700 /mnt/encrypted/.gnupg
ln -s /mnt/encrypted/.gnupg ~/.gnupg

Now, create a GnuPG key as described in UbuntuHelp:GPGKey or, if you already have a key, move the files in your old .gnupg directory into the new one, possibly using shred or wipe to securely remove the old files.

Making Things Easier

Simplifying the Mount Process

It's not really fun to type three or four commands each time you want to mount your encrypted filesystem. So, I wrote two really simple scripts for mounting and unmounting. Before using these, you should unmount your filesystem and detach the loop device:

sudo umount /mnt/encrypted
sudo cryptsetup remove usbkey
sudo losetup -d $loopdev

Now, save the following as mount.sh in the root of your USB drive (not in the encrypted filesystem!):

inline:mount.sh

Then, save the following as umount.sh in the same place:

inline:umount.sh

You may not be able to execute these scripts directly, since the default auto-mounting options prohibit running executables. But, since they are shell scripts, you can simply pass them on to sh. So, once the USB drive has been mounted, you can simply type

sh /media/usbdisk/mount.sh

and all the work will be done for you! (Of course, you will need the encryption password, and you may be asked for a password for sudo.)
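
The mount.sh and umount.sh scripts referenced above are not reproduced on this page. As an added example (not the author's scripts), the following single script, hypothetically named usbkey.sh, wraps the commands from the earlier sections and tears the mapping down again when the mount fails, which is how a mistyped passphrase shows up with this cryptsetup mode. The use of losetup -j to find the loop device again on unmount is an assumption of this example.

```shell
#!/bin/sh
# Added example (hypothetical usbkey.sh): sh usbkey.sh mount|umount
IMG=${IMG:-/media/usbdisk/disk.img}   # image file created with dd
NAME=${NAME:-usbkey}                  # device-mapper target name
MNT=${MNT:-/mnt/encrypted}            # mount point

# Remove the mapping and detach the loop device; try both, report failure.
teardown() {
    rc=0
    sudo cryptsetup remove "$NAME" || rc=1
    sudo losetup -d "$1" || rc=1
    return "$rc"
}

mount_usbkey() {
    for m in loop dm-crypt aes; do sudo modprobe "$m"; done
    loopdev=$(sudo losetup -f) || return 1
    sudo losetup "$loopdev" "$IMG" || return 1
    # "cryptsetup create" is plain dm-crypt: no header is kept on disk, so it
    # cannot reject a mistyped passphrase; it just derives a different key.
    if ! sudo cryptsetup -c aes -s 256 -h sha256 create "$NAME" "$loopdev"; then
        sudo losetup -d "$loopdev"
        return 1
    fi
    sudo mkdir -p "$MNT"
    # A wrong passphrase therefore surfaces here, as a failed ext3 mount.
    # Do not leave the bogus mapping and loop device behind.
    if ! sudo mount -t ext3 "/dev/mapper/$NAME" "$MNT"; then
        echo "mount failed (wrong passphrase?), cleaning up" >&2
        teardown "$loopdev"
        return 1
    fi
}

umount_usbkey() {
    # Look up the loop device backing the image before it disappears.
    loopdev=$(sudo losetup -j "$IMG" | cut -d: -f1)
    sudo umount "$MNT" || return 1
    teardown "$loopdev"
}

case "${1:-}" in
    mount)  mount_usbkey ;;
    umount) umount_usbkey ;;
    *)      echo "usage: sh usbkey.sh mount|umount" >&2 ;;
esac
```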

Verifying PGP Signatures Without the Encrypted Filesystem

You might want to be able to verify a signed message without needing to mount the encrypted filesystem. To facilitate this, simply copy the public keyring and the trust database file to the "real" .gnupg directory:

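cp /mnt/encrypted/.gnupg/{pubring,trustdb}.gpg /tmp
sh /media/usbdisk/umount.sh
# With the filesystem unmounted, create the plain .gnupg directory under the mount point
sudo install -d -m 0700 -o "$(id -u)" -g "$(id -g)" /mnt/encrypted/.gnupg
mv /tmp/{pubring,trustdb}.gpg /mnt/encrypted/.gnupg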

Now, when the encrypted filesystem is not mounted, you will see those files in your .gnupg directory, so that gpg --verify will work. But when it is mounted, you will see the files that are actually in the encrypted filesystem.

Source: official wiki
Translator: Murodoch
Proofreader: purewind
Status: complete