Generating a key for encryption with GnuPG!

Using GnuPG, we create a key to be used for encryption, certification and authentication. The environment is Ubuntu 16.04 LTS with GnuPG2.

Creating the public and secret keys

Create the public and secret keys with the "gpg2 --full-gen-key" command.

$ gpg2 --full-gen-key
gpg (GnuPG) 2.1.11; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Laboratory for Personal ICT
Email address: site-master@lab4ict.com
Comment: Laboratory one
You selected this USER-ID:
    "Laboratory for Personal ICT (Laboratory one) <site-master@lab4ict.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
  
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 627C7AE0 marked as ultimately trusted
gpg: directory '/home/sysadm001/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/sysadm001/.gnupg/openpgp-revocs.d/6FDF8845FB9DC16F4E9992ABFCE82D1E627C7AE0.rev'
public and secret key created and signed.

gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: PGP
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   rsa4096/627C7AE0 2018-01-03 [S]
      Key fingerprint = 6FDF 8845 FB9D C16F 4E99  92AB FCE8 2D1E 627C 7AE0
uid         [ultimate] Laboratory for Personal ICT (Laboratory one) <site-master@lab4ict.com>
sub   rsa4096/8475A20B 2018-01-03 []

Creating a revocation certificate

With the "gpg --gen-revoke" command, create a revocation certificate in advance, for the case where the secret key is stolen and the key has to be revoked.

$ gpg2 --output revoke_lab4ict_com.asc --gen-revoke site-master@lab4ict.com

sec  rsa4096/627C7AE0 2018-01-03 Laboratory for Personal ICT (Laboratory one) <site-master@lab4ict.com>

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)
Your decision? 1
Enter an optional description; end it with an empty line:
> 
Reason for revocation: Key has been compromised
(No description given)
Is this okay? (y/N) y
ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!
sysadm001@mobcli004:~/gpg$ ls 
revoke_lab4ict_com.asc

Checking the public and secret keys

Check the public keys with the "gpg2 --list-keys" command.

$ gpg2 --list-keys
/home/sysadm001/.gnupg/pubring.kbx
----------------------------------
pub   rsa4096/627C7AE0 2018-01-03 [SC]
uid         [ultimate] Laboratory for Personal ICT (Laboratory one) <site-master@lab4ict.com>
sub   rsa4096/8475A20B 2018-01-03 [E]

Check the secret keys with the "gpg2 --list-secret-keys" command.

$ gpg2 --list-secret-keys
/home/sysadm001/.gnupg/pubring.kbx
----------------------------------
sec   rsa4096/627C7AE0 2018-01-03 [SC]
uid         [ultimate] Laboratory for Personal ICT (Laboratory one) <site-master@lab4ict.com>
ssb   rsa4096/8475A20B 2018-01-03 [E]

Generating a subkey for authentication

Generate a subkey for authentication using the "gpg --expert --edit-key" command.

$ gpg2 --expert --edit-key site-master@lab4ict.com
gpg (GnuPG) 2.1.11; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa4096/627C7AE0
     created: 2018-01-03  expires: never       usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa4096/8475A20B
     created: 2018-01-03  expires: never       usage: E   
[ultimate] (1). Laboratory for Personal ICT (Laboratory one) <site-master@lab4ict.com>

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
Your selection? 8

Possible actions for a RSA key: Sign Encrypt Authenticate 
Current allowed actions: Sign Encrypt 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? a

Possible actions for a RSA key: Sign Encrypt Authenticate 
Current allowed actions: Sign Encrypt Authenticate 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  rsa4096/627C7AE0
     created: 2018-01-03  expires: never       usage: SC  
     trust: ultimate      validity: ultimate
ssb  rsa4096/8475A20B
     created: 2018-01-03  expires: never       usage: E   
ssb  rsa4096/90BDE63E
     created: 2018-01-03  expires: never       usage: SEA 
[ultimate] (1). Laboratory for Personal ICT (Laboratory one) <site-master@lab4ict.com>

gpg> save
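As an added check that is not part of the original page, the following script parses the machine-readable output of "gpg2 --list-keys --with-colons" and audits the layout built in the two sections above: the primary key holds S and C, encryption lives on a subkey, an authentication subkey exists, keys that never expire (the "0" chosen here) are reported, and a subkey that mixes encryption with signing or authentication is flagged, which applies to the last subkey because Sign and Encrypt stayed enabled when "a" was toggled on (usage: SEA). The sample listing is constructed from the IDs shown on the page; the upper 8 hex digits of each subkey ID and the uid hash are placeholders, and "one capability per subkey" is an assumed policy, not a GnuPG rule.

```python
"""Audit the key layout built on this page (primary SC, encryption subkey E,
authentication subkey) from `gpg2 --list-keys --with-colons` output.
Added example; field positions follow GnuPG's doc/DETAILS."""

# Constructed sample of `gpg2 --list-keys --with-colons` for the key above.
# Fingerprint and short IDs 8475A20B / 90BDE63E are from the page; the upper
# 8 hex digits of each subkey ID and the uid hash are zero placeholders.
SAMPLE = """\
pub:u:4096:1:FCE82D1E627C7AE0:1514937600:::u:::scESCA::::::23::0:
fpr:::::::::6FDF8845FB9DC16F4E9992ABFCE82D1E627C7AE0:
uid:u::::1514937600::0000000000000000000000000000000000000000::Laboratory for Personal ICT (Laboratory one) <site-master@lab4ict.com>::::::::::0:
sub:u:4096:1:000000008475A20B:1514937600::::::e::::::23:
sub:u:4096:1:0000000090BDE63E:1514937600::::::sea::::::23:
"""

def parse_colons(listing):
    """One dict per pub/sub record. Field 7 (expiry) is empty for a key that
    never expires; field 12 holds capability letters, lowercase for the key
    itself and uppercase for the whole key (primary record only)."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        f += [""] * (21 - len(f))  # pad so short records index safely
        if f[0] in ("pub", "sub"):
            keys.append({"type": f[0], "keyid": f[4], "created": f[5],
                         "expires": f[6], "caps": f[11]})
        elif f[0] == "fpr" and keys:
            keys[-1]["fpr"] = f[9]  # belongs to the preceding pub/sub record
    return keys

def audit(keys):
    """Findings: key never expires, primary can encrypt, missing E or A
    subkey, subkey mixing encrypt with sign/auth (one capability per
    subkey is an assumed policy here, not a GnuPG requirement)."""
    findings, subs = [], [k for k in keys if k["type"] == "sub"]
    for k in keys:
        own = "".join(c for c in k["caps"] if c.islower())
        if not k["expires"]:
            findings.append(f"{k['type']} {k['keyid']}: never expires")
        if k["type"] == "pub" and "e" in own:
            findings.append(f"pub {k['keyid']}: primary key can encrypt")
        if k["type"] == "sub" and "e" in own and ("s" in own or "a" in own):
            findings.append(f"sub {k['keyid']}: mixes encrypt with sign/auth ({own})")
    if not any("e" in k["caps"] for k in subs):
        findings.append("no encryption subkey")
    if not any("a" in k["caps"] for k in subs):
        findings.append("no authentication subkey")
    return findings
```

To audit a live keyring, feed the stdout of "gpg2 --list-keys --with-colons site-master@lab4ict.com" to parse_colons() in place of SAMPLE.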

Backing up the public and secret keys

Take a backup of the public and secret keys.

$ gpg2 --export-secret-keys --armor site-master@lab4ict.com > secret-keys.backup
$ gpg2 --export --armor site-master@lab4ict.com > public-keys.backup
$ ls 
public-keys.backup  revoke_lab4ict_com.asc  secret-keys.backup

Closing

Using the gpg2 command, we created a key to be used for encryption, signing and authentication.