GnuPG高级指导(3)导出私钥
1 为什么要导出分发私钥
友情提示:分发私钥,是危险的!
我有好几个电脑,只想用一对密钥;也就是说我需要把我的私钥,放到那几个电脑上。这样,我就就可以在任意电脑上,解密和签名以及其他。
1 怎么做
使用(临时)公钥把私钥加密,然后传到我的其他某个电脑,再解密。
3 我的debian8,生成(临时)密钥
root@debian8:~# gpg -K
root@debian8:~# gpg -k
/root/.gnupg/pubring.gpg
------------------------
pub 4096R/276856F7 2016-11-25 [expires: 2017-04-24]
uid FranklinYang (Encrypt RSA 4096) <andypeker@163.com>
sub 4096R/0A09DAC9 2016-11-25 [expires: 2017-04-24]
root@debian8:~#
root@debian8:~#
(编辑这个key,并且修改trust)
root@debian8:~# gpg -K
/root/.gnupg/secring.gpg
------------------------
sec 1024D/D04D1A0B 2016-11-25 [expires: 2016-12-09]
uid debian8
ssb 2048g/C1845DA4 2016-11-25
root@debian8:~# gpg -k
/root/.gnupg/pubring.gpg
------------------------
pub 4096R/276856F7 2016-11-25 [expires: 2017-04-24]
uid FranklinYang (Encrypt RSA 4096) <andypeker@163.com>
sub 4096R/0A09DAC9 2016-11-25 [expires: 2017-04-24]
pub 1024D/D04D1A0B 2016-11-25 [expires: 2016-12-09]
uid debian8
sub 2048g/C1845DA4 2016-11-25 [expires: 2016-12-09]
root@debian8:~#
4 我的Centos7,生成(临时)密钥
[root@centos7 ~]# gpg -K
[root@centos7 ~]#
[root@centos7 ~]#
[root@centos7 ~]# gpg -k
/root/.gnupg/pubring.gpg
------------------------
pub 4096R/276856F7 2016-11-25 [expires: 2017-04-24]
uid FranklinYang (Encrypt RSA 4096) <andypeker@163.com>
sub 4096R/0A09DAC9 2016-11-25 [expires: 2017-04-24]
[root@centos7 ~]#
[root@centos7 ~]#
(编辑这个key,并且修改trust)
[root@centos7 ~]# gpg -K
/root/.gnupg/secring.gpg
------------------------
sec 1024D/28D414A1 2016-11-25 [expires: 2016-12-09]
uid centos7
ssb 2048g/CDA873F4 2016-11-25
[root@centos7 ~]# gpg -k
/root/.gnupg/pubring.gpg
------------------------
pub 4096R/276856F7 2016-11-25 [expires: 2017-04-24]
uid FranklinYang (Encrypt RSA 4096) <andypeker@163.com>
sub 4096R/0A09DAC9 2016-11-25 [expires: 2017-04-24]
pub 1024D/28D414A1 2016-11-25 [expires: 2016-12-09]
uid centos7
sub 2048g/CDA873F4 2016-11-25 [expires: 2016-12-09]
[root@centos7 ~]#
5 导出2个(临时)公钥给我的(opensuse13)电脑
root@debian8:~# gpg -a -o debian8.pub.key --export D04D1A0B
root@debian8:~#
root@debian8:~#
root@debian8:~# l debian8.pub.key
-rw-r--r-- 1 root root 1645 Nov 25 23:16 debian8.pub.key
root@debian8:~#
root@debian8:~# scp debian8.pub.key root@192.168.19.147:/root/
Password:
debian8.pub.key 100% 1645 1.6KB/s 00:00
root@debian8:~#
root@debian8:~#
[root@centos7 ~]# gpg -a -o centos7.pub.key --export 28D414A1
[root@centos7 ~]# ls -l centos7.pub.key
-rw-r--r--. 1 root root 1662 Nov 25 23:15 centos7.pub.key
[root@centos7 ~]#
[root@centos7 ~]# scp centos7.pub.key root@192.168.19.147:/root/
Password:
centos7.pub.key 100% 1662 1.6KB/s 00:00
[root@centos7 ~]#
5 我的(opensuse13)电脑导入2个(临时)公钥
opensuse13:~ # gpg --import debian8.pub.key
gpg: key D04D1A0B: public key "debian8" imported
gpg: Total number processed: 1
gpg: imported: 1
opensuse13:~ # gpg --import centos7.pub.key
gpg: key 28D414A1: public key "centos7" imported
gpg: Total number processed: 1
gpg: imported: 1
opensuse13:~ #
(编辑这二个key,并且修改trust)
opensuse13:~ # gpg -k
/root/.gnupg/pubring.gpg
------------------------
pub 4096R/276856F7 2016-11-25 [expires: 2017-04-24]
uid [ultimate] FranklinYang (Encrypt RSA 4096) <andypeker@163.com>
sub 4096R/0A09DAC9 2016-11-25 [expires: 2017-04-24]
pub 1024D/D04D1A0B 2016-11-25 [expires: 2016-12-09]
uid [unknown] debian8
sub 2048g/C1845DA4 2016-11-25 [expires: 2016-12-09]
pub 1024D/28D414A1 2016-11-25 [expires: 2016-12-09]
uid [unknown] centos7
sub 2048g/CDA873F4 2016-11-25 [expires: 2016-12-09]
opensuse13:~ #
整个过程的唯一不安全的地方就在这里,通过scp分发2个“临时”公钥;没有涉及认证,也没有签名!其实可以签名一下,或者对比指纹fingerprint,达到认证这2个公钥的效果。
6 我的(opensuse13)导出我的私钥
opensuse13:~ # gpg -K
/root/.gnupg/secring.gpg
------------------------
sec 4096R/276856F7 2016-11-25 [expires: 2017-04-24]
uid FranklinYang (Encrypt RSA 4096) <andypeker@163.com>
ssb 4096R/0A09DAC9 2016-11-25
opensuse13:~ # gpg -a -o FranklinYang.rsa.sec.key --export-secret-keys 276856F7
opensuse13:~ # l FranklinYang.rsa.sec.key
-rw-r--r-- 1 root root 3132 Nov 25 21:19 FranklinYang.rsa.sec.key
opensuse13:~ #
或者:
opensuse13:~ #
opensuse13:~ # gpg -o FranklinYang.sec.key --export-secret-keys FranklinYang
opensuse13:~ #
opensuse13:~ #
