最新消息:

GPG和keybase.io

技巧 小编 81浏览 0评论

GPG(GnuPG)是一种使用混合加密技术(对称/非对称,对称加密提升加密速度,公钥加密用来保证key交换时的安全性)的应用。它的主要作用在于:

身份验证。对自己的工作签名,比如git提交,邮件等。
加密。对交流的过程进行加密保护,防止被别人窃取。

如果是用gpg工具来生成和发布key的话,流程是这样的:
生成key

~> gpg –gen-key
gpg (GnuPG) 1.4.19; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
= key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0) 1y
Key expires at Sat Dec 23 16:20:33 2017 CST
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
“Heinrich Heine (Der Dichter)
Real name: Rich Dickson
Email address: dickson.rich@richdick.com
Comment: richdick
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key. ##用密码保护master key

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
..+++++
…+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
……….+++++
……..+++++
gpg: key C5071A6F marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 4 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 4u
gpg: next trustdb check due at 2017-08-02
pub 2048R/C5071A6F 2016-12-23 [expires: 2017-12-23]
Key fingerprint = 1D98 85B1 7D28 942B A265 3BEA AFD0 0C00 C507 1A6F
uid Rich Dickson (richdick)
sub 2048R/DDAF894F 2016-12-23 [expires: 2017-12-23]

把这个key导出保存在一个安全的地方,比如保险柜 🙂
~> gpg –export-secret-keys –armor “Rich Dickson (richdick) ” > richdick-private-key.asc

把public key发布出去

公共的key server可以选hkp://keys.gnupg.net或者keybase.io. Keybase用起来比较方便,下面以它来举例:
brew install keybase

keybase login

keybase pgp select –multi
# Algo Key Id Created UserId
= ==== ====== ======= ======
2 2048R AFD00C00C5071A6F Rich Dickson
Choose a key: 2
▶ INFO Bundle unlocked: AFD00C00C5071A6F
▶ INFO Generated new PGP key:
▶ INFO user: Rich Dickson (richdick)
▶ INFO 2048-bit RSA key, ID AFD00C00C5071A6F, created 2016-12-23
▶ INFO Key AFD00C00C5071A6F imported

我有个朋友叫Logan,我在keybase上搜索下它:
~> keybase search logan
loganhan twitter:logan_han github:logan-han coinbase:loganhan dns://han.life

假设我现在需要给它传递一段加密信息,那么可以这样:
~> echo ‘Merry Xmas, Logan!’ > secrets.txt
~> keybase encrypt -i secrets.txt -o secrets.txt.asc loganhan
▶ INFO Identifying recipient loganhan
public key fingerprint: BFC6 69B1 861B 8A71 044A 70F1 5E6A 5830 E81F 7EA2
You last followed loganhan on 2016-08-03 10:09:33 CST

加密后的内容如下:
BEGIN KEYBASE SALTPACK ENCRYPTED MESSAGE. kiQrUWZvE8pSlIf jYX6ZmEkk4Gba7a
….
3gZJb6yMWYBnlCU VCVZhPh2MvRiWne lhaaSZViJOXr407 Wt7NXT9RU6Mb96M 28XkWJMHHE60iwD ASc8SRp0HDuMCMg CXx6bMqIWf68ZfT yL19g5vgAGaQi8b yyY7tFMpJ5d5GJe eTa0ZP4AiI20Ez5 4eAZKoy9D4L3R77 ezDwAo5OscyQTUY voRvduVQoWhET3p w9eF13YSk2tajBq 7OuopZZOS1RjE9y sKnmYXLEvaiOKw0 . END KEYBASE SALTPACK ENCRYPTED MESSAGE.

我的同事如果收到这个加密后的文件的话,可以用下面的命令解密:
~> keybase decrypt -i secrets.txt.asc
Message authored by iambowen
Merry Xmas, Logan!

验证身份

我觉得如果希拉里的团队知道用邮件加密的功能,就不会被钓鱼,导致邮件泄密,最终败选。GPG可以用在多个地方去验证身份,比如Twitter、DNS、github等。以github为例,在个人的setting里面可以添加GPG的public key。
首先,导出GPG的public key,并在setting页面添加:
gpg –export –armor iambowen.m@gmail.com | pbcopy

本地配置git的signing key:
git config –global user.signingkey iambowen.m@gmail.com

提交的时候附加身份信息:
~> git commit -S

You need a passphrase to unlock the secret key for
user: “Bowen Ma (My GPG key)
2048-bit RSA key, ID A02C6030, created 2016-06-21

[master 0a06550] Why: Testing commit with GPG
1 file changed, 1 insertion(+)
create mode 100644 README.md

在github检查这次提交
https://github.com/iambowen/microservices-training-lesson-8-security/commit/0a06550f2738b780544af839662fd9f6dfc506b4

可以看到提交者的身份已经被验证过了。
其实我个人使用GPG(或者keybase这个工具)去加密的场景很少,不过如果以后对于安全的要求加强,这个应该是可以用到的。

作者:iambowen,來源:简书。

转载请注明:软飞精选 » GPG和keybase.io

您必须 登录 才能发表评论!