網(wǎng)絡(luò)上關(guān)于GnuPG的博客都沒有提到一個(gè)關(guān)鍵的東西 ------ “子密鑰”庶溶!但是煮纵,子密鑰卻是GnuPG的最重要、最關(guān)鍵偏螺、最核心行疏!
在GnuPG里,日常的加密和簽名套像,使用子密鑰酿联;主密鑰并非用來日常加密和簽名。
使用到主密鑰的場景夺巩,比較特殊贞让,有哪些呢?下面是debian社區(qū)的說法:
· when you sign someone else's key or revoke an existing signature,
· when you add a new UID or mark an existing UID as primary,
· when you create a new subkey,
· when you revoke an existing UID or subkey,
· when you change the preferences (e.g., with setpref) on a UID,
· when you change the expiration date on your master key or any of its subkey, or
· when you revoke or generate a revocation certificate for the complete key.
(Because each of these operations is done by adding a new self- or revocation signature from the private master key.)
(關(guān)于主密鑰對柳譬,pub + sec的使用喳张,我會(huì)再寫文章介紹)
另外,說明一下征绎;一個(gè)主密鑰蹲姐,可以綁定若干個(gè)子密鑰;這些子密鑰有的具備加密功能人柿,有的具備簽名功能柴墩。
比如我的密鑰是這樣:
gpg>
pub 2048R/6EB6C991 created: 2016-11-24 expires: 2017-02-22 usage: SC
trust: ultimate validity: ultimate
sub 2048R/8B5EC34E created: 2016-11-24 expires: 2017-02-02 usage: E
sub 2048g/3F1F2211 created: 2016-11-28 expires: 2016-12-19 usage: E
sub 2048g/E423A188 created: 2016-11-28 expires: 2016-12-19 usage: E
sub 2048D/A9B67F16 created: 2016-12-01 expires: 2016-12-08 usage: S
sub 2048R/A03B3497 created: 2016-12-01 expires: 2016-12-08 usage: S
sub 1024D/A0C43169 created: 2016-12-01 expires: 2016-12-08 usage: S
[ultimate] (1). virtual <164820658@qq.com>
gpg>
It has six subkeys: three for encryption (E) and three for signing (S).
The gpg command has three options for "exporting keys":
--export-key;
--export-secret-key;
--export-secret-subkey;
The master key must be kept strictly secret, and the master key's private key even more so: secret, secret, and secret again!
--export-key exports the public keys (the master public key, pub, and all subkey public keys, sub);
--export-secret-keys exports the private keys (the master private key, sec, and all subkey private keys, ssb);
What this option exports should be hidden away somewhere: an encrypted USB stick, a safe, a vault, a tightly guarded facility with armed guards and mandatory biometric checks!
--export-secret-subkeys is the correct way to use your own private key: export only the subkey private keys, nothing else! Of course, they still have to be transferred to the other computer encrypted (and with a verified signature), then imported there.
An example follows:
Encrypt + sign a message, then decrypt + verify the signature:
PS:
Important hint: sec#. The # symbol here marks that the master private key is not on this computer (it should already be sitting in an extremely, utterly, supremely safe place).
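The whole workflow this post describes, carried through end to end as an added shell example (not code from the original post): create a master key with an encryption and a signing subkey, export the public key and only the secret subkeys, import them on a second machine, confirm that the master key shows up there as a stub (the sec# marker), and then sign + encrypt and decrypt + verify a message using nothing but the subkeys. It assumes GnuPG 2.2 or later with gpg and gpgconf on PATH, uses two temporary GNUPGHOME directories to stand in for the "desktop" and the "laptop", and uses --export (the canonical public-key export option) where the post writes --export-key. The identity Alice Example <alice@example.invalid> and the message text are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GnuPG 2.2+ (gpg, gpgconf).
# The identity below is a constructed sample with an empty passphrase so the
# script runs unattended; a real master key would of course be protected.
set -u

gpg_q() {
    # Non-interactive gpg: loopback pinentry, empty passphrase on the sample key
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"
}

gpg_demo_setup() {
    # DESKTOP = where the master key lives; LAPTOP = the everyday machine
    DESKTOP=$(mktemp -d) && chmod 700 "$DESKTOP"
    LAPTOP=$(mktemp -d)  && chmod 700 "$LAPTOP"
    export DESKTOP LAPTOP

    # 1. Master key (usage SC) plus its default encryption subkey (usage E).
    GNUPGHOME=$DESKTOP gpg_q --quick-generate-key \
        'Alice Example <alice@example.invalid>' default default never 2>/dev/null
    FPR=$(GNUPGHOME=$DESKTOP gpg --batch --with-colons --list-keys alice@example.invalid \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    export FPR
    # 2. Add a signing subkey (usage S) so daily signing never needs the master key.
    GNUPGHOME=$DESKTOP gpg_q --quick-add-key "$FPR" rsa2048 sign never 2>/dev/null

    # 3. Export the public key and ONLY the secret subkeys (the master secret
    #    key stays on the desktop; --export-secret-keys is deliberately not used).
    GNUPGHOME=$DESKTOP gpg --batch --armor --export "$FPR" > "$DESKTOP/pub.asc"
    GNUPGHOME=$DESKTOP gpg_q --armor --export-secret-subkeys "$FPR" > "$DESKTOP/subkeys.asc"

    # 4. Import both files on the laptop (in real life: after an encrypted,
    #    signature-verified transfer).
    GNUPGHOME=$LAPTOP gpg --batch --quiet --import \
        "$DESKTOP/pub.asc" "$DESKTOP/subkeys.asc" 2>/dev/null
}

# Field 15 of the "sec" record in --with-colons output: "#" means the master
# secret key is only a stub on this machine (printed as "sec#" by a normal listing).
laptop_master_status() {
    GNUPGHOME=$LAPTOP gpg --batch --with-colons --list-secret-keys "$FPR" \
        | awk -F: '$1 == "sec" { print $15; exit }'
}

# Number of subkeys whose secret half is really present on the laptop (expect 2: E and S).
laptop_usable_subkeys() {
    GNUPGHOME=$LAPTOP gpg --batch --with-colons --list-secret-keys "$FPR" \
        | awk -F: '$1 == "ssb" && $15 != "#" { n++ } END { print n + 0 }'
}

# Sign + encrypt a message on the laptop, then decrypt + verify it there.
# Prints the recovered plaintext only if gpg reported a GOODSIG on decryption.
laptop_roundtrip() {
    printf '%s' "$1" > "$LAPTOP/msg.txt"
    # The master key is a stub, so gpg has to pick the signing subkey itself.
    GNUPGHOME=$LAPTOP gpg_q --trust-model always \
        --local-user "$FPR" --recipient "$FPR" \
        --sign --encrypt --output "$LAPTOP/msg.gpg" "$LAPTOP/msg.txt" 2>/dev/null
    rm -f "$LAPTOP/out.txt"
    # --status-fd 1 sends machine-readable status lines to stdout; plaintext goes to out.txt
    if GNUPGHOME=$LAPTOP gpg_q --status-fd 1 --decrypt \
            --output "$LAPTOP/out.txt" "$LAPTOP/msg.gpg" 2>/dev/null \
        | grep -q '^\[GNUPG:\] GOODSIG '; then
        cat "$LAPTOP/out.txt"
    fi
}

gpg_demo_teardown() {
    GNUPGHOME=$DESKTOP gpgconf --kill gpg-agent 2>/dev/null
    GNUPGHOME=$LAPTOP gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$DESKTOP" "$LAPTOP"
}

# Usage:
#   gpg_demo_setup
#   laptop_master_status        # prints "#": the master secret key is absent here
#   laptop_usable_subkeys       # prints 2
#   laptop_roundtrip 'hello'    # prints "hello" only after a good signature
#   gpg_demo_teardown
```

The check that matters is laptop_master_status: after importing only subkeys.asc, the laptop holds a primary-key stub and the two subkey secrets, which is exactly the "sec#" state the post describes. Because --trust-model always is used on the laptop purely to keep the sample non-interactive, a real setup would instead import the owner trust or sign the key locally.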