Motivation

While studying for LPIC-303 I had the chance to learn GPG, so here is a rough summary.

What is GPG (GNU Privacy Guard)?

According to Wikipedia, GPG is:

GNU Privacy Guard (GnuPG) is encryption software released under the GPL as an alternative implementation of Pretty Good Privacy (PGP). It fully conforms to the OpenPGP standard (RFC 4880), but compatibility with older PGP is not complete.

So it says. Because PGP could no longer be used free of charge for licensing reasons, the GNU project implemented its own version, which makes public-key cryptography and related operations easy to use.

Usage

Generate a private key and a public key

```
[takanabe@localhost ~]$ gpg --gen-key
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: takanabe
Email address: takanabe@test.com
Comment: gpg test
You selected this USER-ID:
    "takanabe (gpg test) <takanabe@test.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

can't connect to `/home/takanabe/.gnupg/S.gpg-agent': No such file or directory
gpg-agent[2757]: directory `/home/takanabe/.gnupg/private-keys-v1.d' created
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
```

Check the private and public keys you created

```
[takanabe@localhost ~]$ gpg --list-keys
/home/takanabe/.gnupg/pubring.gpg
---------------------------------
pub   2048R/0610501E 2014-02-23
uid                  takanabe (gpg test) <takanabe@test.com>
sub   2048R/67E56906 2014-02-23

[takanabe@localhost ~]$ gpg --list-secret-keys
/home/takanabe/.gnupg/secring.gpg
---------------------------------
sec   2048R/0610501E 2014-02-23
uid                  takanabe (gpg test) <takanabe@test.com>
ssb   2048R/67E56906 2014-02-23
```

Publish the public key to a key server on the internet (keys.gnupg.net)

```
[takanabe@localhost ~]$ gpg --send-keys 0610501E
gpg: sending key 0610501E to hkp server keys.gnupg.net
```

Search for the published key

```
[takanabe@localhost ~]$ gpg --search-keys takanabe
gpg: searching for "takanabe" from hkp server keys.gnupg.net
(1)     takanabe (gpg test) <takanabe@test.com>
        2048 bit RSA key 0610501E, created: 2014-02-23
(2)     Atsuko Takanabe <atakanabe@gmail.com>
        2048 bit RSA key 3CE2BF1D, created: 2012-06-20
(3)     Takashi Watanabe <takanabe@jcom.home.ne.jp>
        1024 bit DSA key FE27DD71, created: 2004-01-12

Keys 1-3 of 3 for "takanabe".  Enter number(s), N)ext, or Q)uit > 1
gpg: requesting key 0610501E from hkp server keys.gnupg.net
gpgkeys: key 0610501E not found on keyserver
gpg: no valid OpenPGP data found.
gpg: Total number processed: 0
```

Fetch the public key

```
[takanabe@localhost ~]$ gpg --recv-keys 0610501E
gpg: requesting key 0610501E from hkp server keys.gnupg.net
gpg: key 0610501E: "takanabe (gpg test) <takanabe@test.com>" not changed
gpg: Total number processed: 1
gpg:              unchanged: 1
```

Encrypt with the public key

```
[takanabe@localhost gpg]$ vim plain.txt
[takanabe@localhost gpg]$ gpg -e -r 0610501E plain.txt 
[takanabe@localhost gpg]$ ls
1  plain.txt  plain.txt.gpg
[takanabe@localhost gpg]$ cat plain.txt
This is a gpg test!
[takanabe@localhost gpg]$ cat plain.txt.gpg 
(binary ciphertext; unreadable output omitted)
```

Decrypt the encrypted data with the private key

```
[takanabe@localhost gpg]$ gpg plain.txt.gpg 

You need a passphrase to unlock the secret key for
user: "takanabe (gpg test) <takanabe@test.com>"
2048-bit RSA key, ID 67E56906, created 2014-02-23 (main key ID 0610501E)

gpg: encrypted with 2048-bit RSA key, ID 67E56906, created 2014-02-23
      "takanabe (gpg test) <takanabe@test.com>"
File `plain.txt' exists. Overwrite? (y/N) y
[takanabe@localhost gpg]$ ls
1  plain.txt  plain.txt.gpg
[takanabe@localhost gpg]$ ls -l
total 12
-rw-rw-r--. 1 takanabe takanabe  20 Feb 23 02:52 1
-rw-rw-r--. 1 takanabe takanabe  20 Feb 23 02:55 plain.txt
-rw-rw-r--. 1 takanabe takanabe 359 Feb 23 02:53 plain.txt.gpg
```
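As an added illustration (my own code, not from the post or from GnuPG), here is a small RFC 4880 packet walker run over a constructed byte string shaped like the post's 359-byte plain.txt.gpg. It shows why gpg could already name the subkey ID 67E56906 before asking for the passphrase: the recipient key ID sits unencrypted in the first packet. The long key ID prefix and the MPI/ciphertext bytes are assumed filler.

```python
# Added example, not code from the original post: a minimal RFC 4880 packet walker
# showing what gpg -e wrote into plain.txt.gpg. SAMPLE is CONSTRUCTED to mirror the
# post's session (RSA subkey ending 67E56906, 359 bytes); the key ID prefix and the
# MPI/ciphertext bytes are filler, not the author's real data.
import struct

TAG_NAMES = {1: "Public-Key Encrypted Session Key", 18: "Sym. Encrypted Integrity Protected Data"}

def read_packet(buf, pos):
    """Parse one OpenPGP packet header at buf[pos]; return (tag, body, next_pos)."""
    ctb = buf[pos]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet (bit 7 clear)")
    if ctb & 0x40:                                  # new-format header (RFC 4880 4.2.2)
        tag, first = ctb & 0x3F, buf[pos + 1]
        if first < 192:
            length, hdr = first, 2
        elif first < 224:
            length, hdr = ((first - 192) << 8) + buf[pos + 2] + 192, 3
        elif first == 255:
            length, hdr = struct.unpack(">I", buf[pos + 2:pos + 6])[0], 6
        else:
            raise ValueError("partial body lengths not handled here")
    else:                                           # old-format header (RFC 4880 4.2.1)
        tag, lentype = (ctb >> 2) & 0x0F, ctb & 0x03
        if lentype == 3:
            raise ValueError("indeterminate length not handled here")
        size = 1 << lentype                         # 1, 2 or 4 length octets
        length = int.from_bytes(buf[pos + 1:pos + 1 + size], "big")
        hdr = 1 + size
    start = pos + hdr
    return tag, buf[start:start + length], start + length

def describe(buf):
    """Walk all packets; for a PKESK packet (tag 1) pull out the recipient key ID."""
    out, pos = [], 0
    while pos < len(buf):
        tag, body, pos = read_packet(buf, pos)
        info = {"tag": tag, "name": TAG_NAMES.get(tag, "other"), "length": len(body)}
        if tag == 1:                  # body = version(1) key-id(8) pk-algo(1) MPI(s)
            info["keyid"] = body[1:9].hex().upper()   # stored in the clear; gpg showed 67E56906
            info["algo"] = body[9]                    # 1 = RSA (RFC 4880 9.1)
        out.append(info)
    return out

# Constructed sample: old-format PKESK (0x85 = tag 1, 2-octet length) carrying a
# 2048-bit RSA MPI, then a new-format SEIPD packet (0xD2 = tag 18), 359 bytes total.
pkesk_body = b"\x03" + bytes.fromhex("0000000067E56906") + b"\x01\x08\x00" + bytes(range(256))
seipd_body = b"\x01" + bytes(85)
SAMPLE = b"\x85" + struct.pack(">H", len(pkesk_body)) + pkesk_body + b"\xD2" + bytes([len(seipd_body)]) + seipd_body
```

Because the key ID is stored in the clear, anyone holding the file learns which key it was encrypted to; GnuPG's --throw-keyids option exists to suppress it when that metadata matters.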

Delete a key published to a key server (more precisely, revoke it)

GPG's public-key encryption is fundamentally secure, but if you forget your passphrase or it leaks, you need to revoke the public key. Revoking a public key requires creating a revocation certificate. However, since creating the revocation certificate also requires entering the passphrase, it is better to generate the revocation certificate right after creating the key pair.

Create the revocation certificate

```
[takanabe@localhost gpg]$ gpg -o takanabe.revoke --gen-revoke takanabe@test.com

sec  2048R/0610501E 2014-02-23 takanabe (gpg test) <takanabe@test.com>

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)
Your decision? 3
Enter an optional description; end it with an empty line:
> key test is finished
> 
Reason for revocation: Key is no longer used
key test is finished
Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: "takanabe (gpg test) <takanabe@test.com>"
2048-bit RSA key, ID 0610501E, created 2014-02-23

can't connect to `/home/takanabe/.gnupg/S.gpg-agent': No such file or directory
ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!
```

Remove the key information from the public server

```
[takanabe@localhost gpg]$ gpg --import takanabe.revoke 
gpg: key 0610501E: "takanabe (gpg test) <takanabe@test.com>" revocation certificate imported
gpg: Total number processed: 1
gpg:    new key revocations: 1
gpg: no ultimately trusted keys found
[takanabe@localhost gpg]$ 
[takanabe@localhost gpg]$ gpg --list-keys
/home/takanabe/.gnupg/pubring.gpg
---------------------------------
pub   2048R/0610501E 2014-02-23 [revoked: 2014-02-23]
uid                  takanabe (gpg test) <takanabe@test.com>

[takanabe@localhost gpg]$ gpg --keyserver server keys.gnupg.net --send-keys 0610501E
usage: gpg [options] [filename]
[takanabe@localhost gpg]$ gpg --search-keys takanabe
gpg: searching for "takanabe" from hkp server keys.gnupg.net
(1) takanabe (gpg test) <takanabe@test.com>
      2048 bit RSA key 0610501E, created: 2014-02-23 (revoked)
```

References