“UbuntuHelp:GnuPrivacyGuardHowto”的版本间的差异

2008年10月19日 (日) 05:39的版本

文章出处:

https://help.ubuntu.com/community/GnuPrivacyGuardHowto

点击翻译:

English

请不要直接编辑翻译本页，本页将定期与来源同步。

1. title How to Use Gnu Privacy Guard

"GnuPG uses public-key cryptography so that users may communicate securely. In a public-key system, each user has a pair of keys consisting of a private key and a public key. A user's private key is kept secret; it need never be revealed. The public key may be given to anyone with whom the user wants to communicate." From [GNU Privacy Handbook]

GnuPG, GPG, PGP and OpenPGP

The terms "OpenPGP", "PGP", and "GnuPG / GPG" are often used interchangeably. This is a common mistake, since they are distinctly different.

• OpenPGP is technically a proposed standard, although it is widely used. OpenPGP is not a program, and shouldn't be referred to as such.
• PGP and GnuPG are computer programs that implement the OpenPGP standard.
• PGP is an acronym for Pretty Good Privacy, a computer program which provides cryptographic privacy and authentication. For more information, see this [[1]] article.
• GnuPG is an acronym for Gnu Privacy Guard, another computer program which provides cryptographic privacy and authentication. For further information on GnuPG, see this [[2]] article.

Generating an OpenPGP Key

The core package required to start using OpenPGP, gnupg, is installed by default on Ubuntu systems. There are several programs which provide a graphical interface to the GnuPG system.

• [[3]], an OpenPGP plugin for Mozilla Thunderbird.
• Enigmail is available in the "Main" repository.

• [Privacy Assistant] is a graphical user interface for the GnuPG (GNU Privacy Guard).
• GPA is available in the "Universe" repository. See Repositories for further information on enabling repositories.

• [[4]] is a GNOME application for managing encryption keys. It also integrates with nautilus, gedit, and in other places for encryption operations.
• Seahorse is available in the "Main" repository.

• [[5]] is a simple, free, open source KDE frontend for gpg.
• KGPG is available in the "Universe" repository.

You can also generate keys using these programs. Use the section below for recommendations on settings.

Using GnuPG to generate a key

{{https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconGNOMETerminal.png%7D%7D

• Open a terminal and enter:

gpg --gen-key

• This will lead to a selection screen with the following options:

Please select what kind of key you want:
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)

• Select (1), since the others cannot be used for encryption. However, encryption subkeys may be generated later.

What keysize do you want? (2048)

• A keysize of 2048 (which is the default) is also a good choice.

Key is valid for? (0)

• Most people make their keys valid until infinity, which is the default option. If you do this don't forget to revoke the key when you no longer use it (see later).
• Hit Y and proceed.

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <[email protected]>"

Real name: Dennis Kaarsemaker
Email address: [email protected]
Comment: Tutorial key
You selected this USER-ID:
    "Dennis Kaarsemaker (Tutorial key) <[email protected]>"

• Make sure that the name on the key matches the name in your passport, or other government issued photo-identification! You can add extra e-mail addresses to the key later.
• Type O to create your key.

You need a Passphrase to protect your secret key.

• You will be asked for your passphrase twice. Usually, a short sentence or phrase that isn't easy to guess can be used. You would be asked to tap on the keyboard or do any of the things you normally do in order for randomization to take place. This is done so that the encryption algorithm has more human-entered elements, which, combined with the passphrase entered above, will result in the user's private key.

• After you type your passphrase twice, the key will be generated. Please follow the instructions on the screen till you reach a screen similiar to the one below.

gpg: key D8FC66D2 marked as ultimately trusted
public and secret key created and signed.

pub   1024D/D8FC66D2 2005-09-08
      Key fingerprint = 95BD 8377 2644 DD4F 28B5  2C37 0F6E 4CA6 D8FC 66D2
uid                  Dennis Kaarsemaker (Tutorial key) <[email protected]>
sub   2048g/389AA63E 2005-09-08

The key-id is D8FC66D2 (yours will be different).

• Set your key as the default key by entering this line in your ~/.bashrc.

export GPGKEY=D8FC66D2

• Please note that will be sourced only during your next session, unless you source it manually.
• Now restart the gpg-agent and source your .bashrc again:

killall -q gpg-agent
eval $(gpg-agent --daemon)
source ~/.bashrc

Creating a revocation key/certificate

• A revocation certificate must be generated to revoke your public key if your private key has been compromised in any way.
• You can create a revocation certificate by :

gpg --output revoke.asc --gen-revoke <KEY-ID>

• The revocation key may be printed and/or stored as a file. Take care to safeguard your revocation key.

Making an ASCII armored version your public key

There are several sites out there that also allow you to paste an ASCII armored version your public key to import it. This method is often preferred, because the key comes directly from the user. The reasoning behind this preference is that a key on a keyserver may be corrupted, or the keyserver unavailable.

• Create an ASCII armored version of your public key using GnuPG by using this command:

• {{https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=example.png%7D%7D This is the command using our example:

gpg --export -a D8FC66D2 > mykey.asc

Uploading the key to Ubuntu keyserver

This section explains how to upload your public key to a keyserver so that anyone can download it. Once you have uploaded it to one keyserver, it will propagate to the other keyservers. Eventually most of the keyservers will have a copy of your key. You can accelerate the process by sending your key to several keyservers.

• Using GnuPG:

gpg --send-keys --keyserver keyserver.ubuntu.com <KEY-ID>

• {{https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=example.png%7D%7D Using our example, the command would be:

gpg --send-keys --keyserver keyserver.ubuntu.com D8FC66D2

• Using a web browser to submit to Ubuntu key server:
• Export your key by issuing this command:

• Copy the content of mykey.asc:
• Open http://keyserver.ubuntu.com:11371/ in a browser window.
• Paste the copied content in the box under the label, Submit a key
• Click on Submit this key to the keyserver!

Reading OpenPGP E-mail

OpenPGP implementations can be used to digitally sign, encrypt, and decrypt email messages for heightened security. You can register your own personal OpenPGP keys with Launchpad, and under some situations, Launchpad will send you signed or encrypted email. You would then use OpenPGP support in your mail reader to decrypt these messages or verify a message's digital signature. Of course, you can also use the OpenPGP support in your mail reader to trade encrypted messages with your colleagues, or sign your own messages so that others can have better assurances that the email that appears to come from you actually does comes from you. The instructions below are not intended to provide you with detailed information on OpenPGP, its various implementations, or its use. These instructions simply provide links that can help you set up your mail reader to be compatible with OpenPGP signed and/or encrypted email. We need your help to flesh out these instructions!

Linux mail readers

This section is not all inclusive. Please feel free to add additional mail clients.

Evolution

Evolution has built-in support for OpenPGP. Look under the Security tab when you edit accounts.

• Open Evolution and go to Edit->Preferences.
• Choose your email account, click on it, and then click Edit.
• Click on the security tab.
• In the PGP/GPG Key ID: box, paste your KEY-ID.
• Click OK. Click Close.
• If you want to use your key in any new email, simply click on the Security menu item in your new mail message, and then click on PGP Sign.

KMail

Kmail / Kontact has built-in support For Gutsy, and later releases, everything required is installed by default. See the Kmail GPG page for details.

Claws Mail

Claws Mail supports OpenPGP through the plugin claws-mail-pgpinline

• claws-mail-pgpinline is available in the "Universe" repository.

• The plugin may have to be loaded manually after installing it. Open Claws Mail and select Configuration -> Plugins
• If PGP/Core and PGP/inline are in the Plugins dialogue box, the plugins are loaded correctly.
• Otherwise, click on the Load Plugin button towards the bottom of the window. In the file selection dialogue, select pgpinline.so and click the Open button.
• When Claws Mail tries to open encrypted e-mail, the program will prompt for your key's passphrase and then show the e-mail with the decrypted message.

Thunderbird

• Thunderbird supports OpenPGP through the enigmail plugin.
• Enigmail is available in the "Main" repository.

• Configure OpenPGP support in Thunderbird under Enigmail->Preferences and add under GnuPG executable path. The path for GnuPG is /usr/bin/gpg.

GMail

• You can setup FireGPG (http://getfiregpg.org/install.html) in order to sign, decrypt, encrypt, etc straight from any website. This is quite useful when using gmail, where one only has to go to Tools in Firefox and choose the relevant option under FireGPG

Mutt

• Create a ~/.mutt directory and copy this file into it: /usr/share/doc/mutt/examples/gpg.rc
• Append this line to the muttrc configuration file.

• If you're using Mutt 1.5.13, you'll need to fix the paths to pgpewrap as detailed in [post]

Miscellaneous/all platforms (web mail)

This section in need of expansion. Please feel free to add any additional plugins for Firefox or other browsers.

FireGPG

• [[6]] is a Firefox extension which brings an interface to e ncrypt, decrypt, sign or verify the signature of text in any web page using GnuPG.
• FireGPG integrates with the Google web mail interface, bringing OpenPGP functionality to Gmail.
• Support for other web mail providers is planned.

Validation on Launchpad

You need to tell Launchpad about your OpenPGP key(s) to be able to sign the Ubuntu Code of Conduct (and thus become an Ubuntero) and to build packages using HCT.

OpenPGP keys and Launchpad

• Visit the OpenPGP Keys page once logged into Launchpad. Paste your key fingerprint into the textbox:

• {{https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=example.png%7D%7D The key fingerprint would be something like:

Launchpad will send you an email which you will have to decrypt. You can save the text to a file: (Sample message- make sure not to alter format)

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.3 (GNU/Linux)

hQIOA0THhKozD+K5EAf9F3PcOL2iU6onH2YsvB6IKDXNxbK0NBVy6ppxcNq8hoTe
cuHvzWLFfh1ehhSNe1V6xpuFnt5sJoeA4qEEOxez3HmY80tKIKMPLyhC/8JiSIW9
fwuxj4C0F6pdyrpvGbQAzfPEFk/P1AtIHXm4WLXduhBT7YEpmUk/I4A/KlSrKoiP
J5vBtbroUyp2jvIhDUmY7ToU+ifrDe3+VP1ZzSEJzOOXec9oPbcbvf5NptXA7Hbp
S0ElBAcLjKpAu7VKotCwFZIsVXDHT/mxf2qm88bGIrlXS5uTzvmyhQps1KmyNiCz
I0i5kSVvHZWyVZ+8FrROLqYAqqnEIMg9hUnbFAervgf/YiYs0xxWLYf9e14eoMZA
ranGT72q/JHmBNBYenOijaquFNi1TH5J8Udtt2RfdyRUlmGilxRvtIYL8gpnuNpS
+GHOoBWUN2f4nawaDeqgrf6Nt3qQWWLO4iJPgieejFP2FP6zkLme1t7dXo+z1ary
EZuxSLtKIWkOFEZ8Gcn02hBgOhJZucnkF6BmVW9dr1C4QEAmGM631uqfsp5PapAn
yjHbEU1L2R9i7vPtJNRr6ubFLWg1Yhfv63ByxSx/WQHMMqlrbL+moXBGED3L2hM8
7FP9eapBRgmS+Bda9ArcGMUElTOkWoUYIOPyLOYmo15LvbxHOVaXjn7+fDgr2S1J
R9LArwHycmdKKelRww+ZvylHIfq8xy10atRQIYawchh9A1myXD1TlWbrrIkodQJF
iEpO2i1LKvqwZHOx3szT4hF+44tNFzQIL1j+zF5Hrt2WOTnS5WXGgGRtfEd8F7fN
khQZOAdhwrnlY+yknruC8Y8Jm8vM57+KnPgBfvxuxzLX1XFTfTZCHXeUmwwu3mga
m+6WzckeBGBDHKK6GqwFoOAykTwjyqOZaty7DPHeoINc0tLMVr9Ks64DScf8bgh4
MkNonA0YhMQbkmwRc33APw441+/iLw5gqndQdX44kKqC71dG6LqanAOjD29Xj3JV
ZBsjg95Jrx7Sx+i/V0PUeaU9QjCT0Q1jEy1Bcs8NYtTJnpG+4oHYJ0pyiGxIquQH
V9E+hW6Qehx5DbsIXEvfeaBBHOfAHHOhUH14WK4bsJWm8wZ50XiYBZrNFOqzsm13
2STcY4VIoJp3Uw2qNyvZXQUhpndlfgQGO14CMSadzDn6Vts=
=hTe6
-----END PGP MESSAGE-----

• Now run:

• You will need to enter your passphrase.
• The message will be displayed along with the link you must follow to confirm your key in Launchpad.
• Follow the link, enter your Launchpad password as asked, and you are done!

Validating using Firefox and FireGPG

• If you are on gmail, using the FireGPG addon, simply scroll down and click "decrypt this mail". You will now see the decrypted message with a link and a token. Copy that URL:

https://launchpad.net/token/somealphanumerictoken

• Follow the link and click on "Confirm". Please note that validation does take some time. If you run into an internal 500 server, simply try again with the same token.
• A confirming page should appear once the validation is successfully completed.

Signing Data

Signing data is helpful in verifying if the data from a person is indeed from that person. A typical scenario is described below.

Launchpad Key Signing

When you've set up GnuPG and have a key in the strong set, it is time to sign the Ubuntu Code Of Conduct if you want to become an Ubuntu member or Ubuntero. Signing is done in 3 easy steps:

1. Download the code of conduct from https://launchpad.net/codeofconduct/1.0.1.
2. Run the command

   gpg --clearsign UbuntuCodeofConduct-1.0.1.txt

3. Upload the contents of Ubuntu``Codeof``Conduct-1.0.txt.asc on https://launchpad.net/codeofconduct/1.0.1/+sign

Getting your key signed

The whole point of all this is to create a web of trust. By signing someone's public key, you state that you have checked that the person that uses a certain keypair, is who he says he is and really is in control of the private key. This way a complete network of people who trust each other can be created. This network is called the Strongly connected set. Information about it can be found at http://pgp.cs.uu.nl/ In summary,

• Locate someone that lives near you and can meet with you to verify your ID. Sites like http://www.biglumber.com/ are useful for this purpose
• Arrange for a meeting. Bring at least one ID with photo and printed fingerprint of your OpenPGP key, ask the same from the person you will be meeting with.
• Meet, verify your IDs and exchange OpenPGP key fingerprints
• Sign the key of the person you've just met. Send him/her the key you've just signed.
• Update your keys on the keyserver, the signature you've just created will be uploaded.

Keysigning Guidelines

Since a signature means that you checked and verified that a certain public key belongs to a certain person who is in control of the accompanying private key, you need to follow these guidelines when signing peoples keys:

1. Keysigning is always done after meeting in person
2. During this meeting you hand each other your OpenPGP key fingerprint and at least one government issued ID with a photograph. These key fingerprints are usually distributed as key fingerprint slips, created by a script such as gpg-key2ps (package: signing-party)
3. You check whether the name on the key corresponds with the name on the ID and whether the person in front of you is indeed who he says he is.
4. Having done these two checks, you only need to check whether this person is in control of the private key. You do this by sending him/her back his/her signed public key, encrypted with his public key. The caff program makes this part very easy. You need to create a file named .caffrc in your homedir (only once) with the following content:

   $CONFIG{owner} = q{Your full name here};
   $CONFIG{email} = q{The emailaddress used in your key here};
   $CONFIG{keyid} = [ qw{last 16 characters of your key fingerprint here} ];

   Now you can simply run the following command:

   caff key_id_of_other_persons_key

5. When you receive signed keys from others, you get them as attachment, save these attachments and import them with gpg. You can then send this signature to the keyservers so other people can know about it.

   gpg --import filename_of_saved_signature
   gpg --send-keys $GPGKEY

Backing up and restoring your key pair

Why should you back up your key pair? If you loose your key pair:

• Any files encrypted with the lost key pair will be unrecoverable.
• You will not be able to decrypt mails sent to you.
• Decrypting emails sent to you requires your private key, this key is not stored on the keyservers.

If you lose your keypair you should revoke your key. This cannot be done without a revocation key.

Backing up your public key

• List your public keys:

gpg --list-keys

• Look for the line that starts something like "pub 1024D/". The part after the 1024D is the key_id. To export the key:

gpg -ao _something_-public.key --export key_id

Backing up your private key

• List your secret keys:

gpg --list-secret-keys

• Look for the line that starts something like "sec 1024D/". The part after the 1024D is the key_id. To export the secret key:

gpg -ao _something_-private.key --export-secret-keys key_id

Restoring your keys

• To restore your keys - copy the two files created above to the machine and type:

gpg --import _something_-public.key gpg --import _something_-private.key

Make sure you protect these files!

Revoking a keypair

In the event your keys are lost or compromised, you should revoke your keypair. This tells other users that your key is no longer reliable.

• To revoke your key:
• Import your revocation key.
• Upload the revocation key to your keyserver of choice.

GPG 2.0

GPG 2.0 is the new kid on the block. GPG 2.0 is aimed or done for the desktops rather than embedded or server applications.

• GnuPG2 is available in the "Universe" repository.
• If you want to use gnupg2 with the firepg firefox extension, you need to install gnupg2 first.
• While both of gnupg2 and gunpg can co-exist with each other it is preferable to uninstall gnupg before installing gnupg2.
• If you are going to use gpg2 for the same purposes as outlined above then just need to add 2 to the gpg command.

gpg2 --gen-key

Tips and Tricks

• Add your key to ~/.bashrc by adding a line similiar to export GPGKEY=YOUR-KEY-ID
• gnupg-agent and pinentry-gtk2 are packages that facilitate not having to enter the password for your key every time you want to use it. Open the file ~/.gnupg/gpg.conf in your favorite editor. Browse through it and change what you like. A few useful things to change are:
• keyserver-options auto-key-retrieve
• use-agent (the Ubuntu default for Gutsy and later releases.)

The former makes gpg automatically retrieve gpg keys when verifying signatures. The latter makes you use gpg-agent, which is very useful if you use gpg a lot but don't like typing your password all the time. It is also required for some programs (such a Kmail) to sign or encrypt messages). Gnupg-agent and pinentry are in Main for Gutsy and automatically installed/configured in Kubuntu. If you are upgrading from Ubuntu 7.04 (Fiesty), the file ~/.gnupg/gpg.conf may have failed to be created by default in your home directory due to a bug in the gnupg package. In that case, GPG agent integration will not be enabled by default. If you have not created your own gpg.conf, you can correct this issue by running cp /usr/share/gnupg/options.skel ~/.gnupg/gpg.conf. If you do have a gpg.conf and are affected by this issue, correct it by running echo use-agent >> ~/.gnupg/gpg.conf. Now create the file ~/.gnupg/gpg-agent.conf with the following content:

pinentry-program /usr/bin/pinentry-gtk-2
default-cache-ttl 86400
max-cache-ttl 86400

This will make gpg-agent use pinentry-gtk2 and it will remember your password for 24 hours (please consider the security implications for doing this - anyone gaining access to your computer for 24 hours would then be able to sign anything with your key). For Kubuntu, use pinentry-qt instead.

Related Articles

• GPGKeyOnUSBDrive
• UnsignedGpgKey
• GPGsigningforSSHHowTo

Resources

• [Manual]
• [GnuPG, on Linux Gazette]
• [short history of PGP / OpenPGP / GnuPG]
• [Howto], thanks to Kassetra
• [Guide to GnuPG] -- Ubuntu Forums
• [[7]]
• [[8]] -- Backing up and restoring your keys
• [[9]] -- Wikipedia article
• [[10]] -- GnuPG for everyday use