Generate a GPG key

Bob Mottram, 11 years ago
Parent
Current commit
c434a1df60
1 file changed, 320 insertions, 0 deletions

beaglebone.txt  +320  −0  View file

@@ -1179,6 +1179,326 @@ Save and exit, then start the dovecot service.
1179 1179
 service dovecot restart
1180 1180
 #+END_SRC
1181 1181
 
1182
+** Create a GPG key
1183
+#+BEGIN_VERSE
1184
+/If privacy is outlawed, only outlaws will have privacy./
1185
+
1186
+-- Philip Zimmermann
1187
+#+END_VERSE
1188
+
1189
+*** Initial installation
1190
+
1191
+Assuming that you are logged in as root, first ensure that GPG is installed and then exit to your user account.
1192
+
1193
+#+BEGIN_SRC: bash
1194
+apt-get install gnupg
1195
+exit
1196
+#+END_SRC
1197
+
1198
+Now we will add some settings:
1199
+
1200
+#+BEGIN_SRC: bash
1201
+mkdir ~/.gnupg
1202
+emacs ~/.gnupg/gpg.conf
1203
+#+END_SRC
1204
+
1205
+The configuration should look like the following.  Of particular importance are the default preferences at the end.
1206
+
1207
+#+BEGIN_SRC: bash
1208
+# Options for GnuPG
1209
+# Copyright 1998, 1999, 2000, 2001, 2002, 2003,
1210
+#           2010 Free Software Foundation, Inc.
1211
+#
1212
+# This file is free software; as a special exception the author gives
1213
+# unlimited permission to copy and/or distribute it, with or without
1214
+# modifications, as long as this notice is preserved.
1215
+#
1216
+# This file is distributed in the hope that it will be useful, but
1217
+# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
1218
+# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
1219
+#
1220
+# Unless you specify which option file to use (with the command line
1221
+# option "--options filename"), GnuPG uses the file ~/.gnupg/gpg.conf
1222
+# by default.
1223
+#
1224
+# An options file can contain any long options which are available in
1225
+# GnuPG. If the first non white space character of a line is a '#',
1226
+# this line is ignored.  Empty lines are also ignored.
1227
+#
1228
+# See the man page for a list of options.
1229
+
1230
+# Uncomment the following option to get rid of the copyright notice
1231
+
1232
+#no-greeting
1233
+
1234
+# If you have more than 1 secret key in your keyring, you may want to
1235
+# uncomment the following option and set your preferred keyid.
1236
+
1237
+#default-key 621CC013
1238
+
1239
+# If you do not pass a recipient to gpg, it will ask for one.  Using
1240
+# this option you can encrypt to a default key.  Key validation will
1241
+# not be done in this case.  The second form uses the default key as
1242
+# default recipient.
1243
+
1244
+#default-recipient some-user-id
1245
+#default-recipient-self
1246
+
1247
+# Use --encrypt-to to add the specified key as a recipient to all
1248
+# messages.  This is useful, for example, when sending mail through a
1249
+# mail client that does not automatically encrypt mail to your key.
1250
+# In the example, this option allows you to read your local copy of
1251
+# encrypted mail that you've sent to others.
1252
+
1253
+#encrypt-to some-key-id
1254
+
1255
+# By default GnuPG creates version 4 signatures for data files as
1256
+# specified by OpenPGP.  Some earlier (PGP 6, PGP 7) versions of PGP
1257
+# require the older version 3 signatures.  Setting this option forces
1258
+# GnuPG to create version 3 signatures.
1259
+
1260
+#force-v3-sigs
1261
+
1262
+# Because some mailers change lines starting with "From " to ">From "
1263
+# it is good to handle such lines in a special way when creating
1264
+# cleartext signatures; all other PGP versions do it this way too.
1265
+
1266
+#no-escape-from-lines
1267
+
1268
+# If you do not use the Latin-1 (ISO-8859-1) charset, you should tell
1269
+# GnuPG which is the native character set.  Please check the man page
1270
+# for supported character sets.  This character set is only used for
1271
+# metadata and not for the actual message which does not undergo any
1272
+# translation.  Note that future version of GnuPG will change to UTF-8
1273
+# as default character set.  In most cases this option is not required
1274
+# as GnuPG is able to figure out the correct charset at runtime.
1275
+
1276
+#charset utf-8
1277
+
1278
+# Group names may be defined like this:
1279
+#   group mynames = paige 0x12345678 joe patti
1280
+#
1281
+# Any time "mynames" is a recipient (-r or --recipient), it will be
1282
+# expanded to the names "paige", "joe", and "patti", and the key ID
1283
+# "0x12345678".  Note there is only one level of expansion - you
1284
+# cannot make an group that points to another group.  Note also that
1285
+# if there are spaces in the recipient name, this will appear as two
1286
+# recipients.  In these cases it is better to use the key ID.
1287
+
1288
+#group mynames = paige 0x12345678 joe patti
1289
+
1290
+# Lock the file only once for the lifetime of a process.  If you do
1291
+# not define this, the lock will be obtained and released every time
1292
+# it is needed, which is usually preferable.
1293
+
1294
+#lock-once
1295
+
1296
+# GnuPG can send and receive keys to and from a keyserver.  These
1297
+# servers can be HKP, email, or LDAP (if GnuPG is built with LDAP
1298
+# support).
1299
+#
1300
+# Example HKP keyserver:
1301
+#      hkp://keys.gnupg.net
1302
+#      hkp://subkeys.pgp.net
1303
+#
1304
+# Example email keyserver:
1305
+#      mailto:pgp-public-keys@keys.pgp.net
1306
+#
1307
+# Example LDAP keyservers:
1308
+#      ldap://keyserver.pgp.com
1309
+#
1310
+# Regular URL syntax applies, and you can set an alternate port
1311
+# through the usual method:
1312
+#      hkp://keyserver.example.net:22742
1313
+#
1314
+# Most users just set the name and type of their preferred keyserver.
1315
+# Note that most servers (with the notable exception of
1316
+# ldap://keyserver.pgp.com) synchronize changes with each other.  Note
1317
+# also that a single server name may actually point to multiple
1318
+# servers via DNS round-robin.  hkp://keys.gnupg.net is an example of
1319
+# such a "server", which spreads the load over a number of physical
1320
+# servers.  To see the IP address of the server actually used, you may use
1321
+# the "--keyserver-options debug".
1322
+
1323
+keyserver hkp://keys.gnupg.net
1324
+#keyserver mailto:pgp-public-keys@keys.nl.pgp.net
1325
+#keyserver ldap://keyserver.pgp.com
1326
+
1327
+# Common options for keyserver functions:
1328
+#
1329
+# include-disabled : when searching, include keys marked as "disabled"
1330
+#                    on the keyserver (not all keyservers support this).
1331
+#
1332
+# no-include-revoked : when searching, do not include keys marked as
1333
+#                      "revoked" on the keyserver.
1334
+#
1335
+# verbose : show more information as the keys are fetched.
1336
+#           Can be used more than once to increase the amount
1337
+#           of information shown.
1338
+#
1339
+# use-temp-files : use temporary files instead of a pipe to talk to the
1340
+#                  keyserver.  Some platforms (Win32 for one) always
1341
+#                  have this on.
1342
+#
1343
+# keep-temp-files : do not delete temporary files after using them
1344
+#                   (really only useful for debugging)
1345
+#
1346
+# http-proxy="proxy" : set the proxy to use for HTTP and HKP keyservers.
1347
+#                      This overrides the "http_proxy" environment variable,
1348
+#                      if any.
1349
+#
1350
+# auto-key-retrieve : automatically fetch keys as needed from the keyserver
1351
+#                     when verifying signatures or when importing keys that
1352
+#                     have been revoked by a revocation key that is not
1353
+#                     present on the keyring.
1354
+#
1355
+# no-include-attributes : do not include attribute IDs (aka "photo IDs")
1356
+#                         when sending keys to the keyserver.
1357
+
1358
+keyserver-options auto-key-retrieve
1359
+
1360
+# Display photo user IDs in key listings
1361
+
1362
+# list-options show-photos
1363
+
1364
+# Display photo user IDs when a signature from a key with a photo is
1365
+# verified
1366
+
1367
+# verify-options show-photos
1368
+
1369
+# Use this program to display photo user IDs
1370
+#
1371
+# %i is expanded to a temporary file that contains the photo.
1372
+# %I is the same as %i, but the file isn't deleted afterwards by GnuPG.
1373
+# %k is expanded to the key ID of the key.
1374
+# %K is expanded to the long OpenPGP key ID of the key.
1375
+# %t is expanded to the extension of the image (e.g. "jpg").
1376
+# %T is expanded to the MIME type of the image (e.g. "image/jpeg").
1377
+# %f is expanded to the fingerprint of the key.
1378
+# %% is %, of course.
1379
+#
1380
+# If %i or %I are not present, then the photo is supplied to the
1381
+# viewer on standard input.  If your platform supports it, standard
1382
+# input is the best way to do this as it avoids the time and effort in
1383
+# generating and then cleaning up a secure temp file.
1384
+#
1385
+# If no photo-viewer is provided, GnuPG will look for xloadimage, eog,
1386
+# or display (ImageMagick).  On Mac OS X and Windows, the default is
1387
+# to use your regular JPEG image viewer.
1388
+#
1389
+# Some other viewers:
1390
+# photo-viewer "qiv %i"
1391
+# photo-viewer "ee %i"
1392
+#
1393
+# This one saves a copy of the photo ID in your home directory:
1394
+# photo-viewer "cat > ~/photoid-for-key-%k.%t"
1395
+#
1396
+# Use your MIME handler to view photos:
1397
+# photo-viewer "metamail -q -d -b -c %T -s 'KeyID 0x%k' -f GnuPG"
1398
+
1399
+# Passphrase agent
1400
+#
1401
+# We support the old experimental passphrase agent protocol as well as
1402
+# the new Assuan based one (currently available in the "newpg" package
1403
+# at ftp.gnupg.org/gcrypt/alpha/aegypten/).  To make use of the agent,
1404
+# you have to run an agent as daemon and use the option
1405
+#
1406
+# use-agent
1407
+#
1408
+# which tries to use the agent but will fallback to the regular mode
1409
+# if there is a problem connecting to the agent.  The normal way to
1410
+# locate the agent is by looking at the environment variable
1411
+# GPG_AGENT_INFO which should have been set during gpg-agent startup.
1412
+# In certain situations the use of this variable is not possible, thus
1413
+# the option
1414
+#
1415
+# --gpg-agent-info=<path>:<pid>:1
1416
+#
1417
+# may be used to override it.
1418
+
1419
+# Automatic key location
1420
+#
1421
+# GnuPG can automatically locate and retrieve keys as needed using the
1422
+# auto-key-locate option.  This happens when encrypting to an email
1423
+# address (in the "user@example.com" form), and there are no
1424
+# user@example.com keys on the local keyring.  This option takes the
1425
+# following arguments, in the order they are to be tried:
1426
+#
1427
+# cert = locate a key using DNS CERT, as specified in RFC-4398.
1428
+#        GnuPG can handle both the PGP (key) and IPGP (URL + fingerprint)
1429
+#        CERT methods.
1430
+#
1431
+# pka = locate a key using DNS PKA.
1432
+#
1433
+# ldap = locate a key using the PGP Universal method of checking
1434
+#        "ldap://keys.(thedomain)".  For example, encrypting to
1435
+#        user@example.com will check ldap://keys.example.com.
1436
+#
1437
+# keyserver = locate a key using whatever keyserver is defined using
1438
+#             the keyserver option.
1439
+#
1440
+# You may also list arbitrary keyservers here by URL.
1441
+#
1442
+# Try CERT, then PKA, then LDAP, then hkp://subkeys.net:
1443
+#auto-key-locate cert pka ldap hkp://subkeys.pgp.net
1444
+
1445
+# default preferences
1446
+personal-digest-preferences SHA256
1447
+cert-digest-algo SHA256
1448
+default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
1449
+#+END_SRC
1450
+
1451
+Save and exit.
1452
+
1453
+*** If you have an existing key
1454
+#+BEGIN_SRC: bash
1455
+gpg --import ~/public_key.txt
1456
+gpg --allow-secret-key-import --import ~/private_key.txt
1457
+shred -zu ~/private_key.txt
1458
+#+END_SRC
1459
+
1460
+Now check the digest preferences, replacing /keyID/ with your GPG key ID.  This applies especially if you have a key which was generated some time ago.
1461
+
1462
+#+BEGIN_SRC: bash
1463
+export MYGPGKEYID=keyID
1464
+gpg --edit-key $MYGPGKEYID
1465
+setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
1466
+save
1467
+gpg --send-keys $MYGPGKEYID
1468
+#+END_SRC
1469
+*** To create a new key
1470
+Generate a key with the following command:
1471
+
1472
+#+BEGIN_SRC: bash
1473
+gpg --gen-key
1474
+#+END_SRC
1475
+
1476
+You can find your GPG key ID by entering:
1477
+
1478
+#+BEGIN_SRC: bash
1479
+gpg --list-keys
1480
+#+END_SRC
1481
+
1482
+The key ID is the second part of the string of numbers and letters.  So for example in:
1483
+
1484
+#+BEGIN_SRC: bash
1485
+pub   4096R/EA982E38 2012-05-20
1486
+#+END_SRC
1487
+
1488
+the key ID is EA982E38.  Now send your public key to a server so that others can find it.
1489
+
1490
+#+BEGIN_SRC: bash
1491
+gpg --send-keys $MYGPGKEYID
1492
+#+END_SRC
1493
+*** root settings
1494
+If you later create an encrypted mailing list then the root user will also need to have good GPG settings so that it can generate key pairs for the list.  The easiest way to ensure this is to do the following, replacing /myusername/ with your username:
1495
+
1496
+#+BEGIN_SRC: bash
1497
+su
1498
+cp -r /home/myusername/.gnupg ~/
1499
+chown root:root ~/.gnupg
1500
+#+END_SRC
1501
+
1182 1502
 ** Create Email folders and rules
1183 1503
 
1184 1504
 #+BEGIN_VERSE
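Review bot: in the "If you have an existing key" block, `setpref SHA512 ...` and `save` are commands entered at the interactive `gpg>` prompt that `gpg --edit-key $MYGPGKEYID` opens, not shell commands, so a reader pasting the block into a shell gets "command not found" for both; say that those two lines are typed at the `gpg>` prompt, or put them in their own block. Two related problems in the same hunk: the "To create a new key" section ends with `gpg --send-keys $MYGPGKEYID`, but `MYGPGKEYID` is only exported in the existing-key section, so a user following the new-key path runs `gpg --send-keys` with an empty argument (add an `export MYGPGKEYID=keyID` step right after the key ID is identified from `gpg --list-keys`); and the "root settings" step `cp -r /home/myusername/.gnupg ~/` copies the user's secret keyring into root's home, although the stated goal is only to give root the same gpg.conf, so copying just `gpg.conf` would achieve that without duplicating the private key. Minor: `shred -zu ~/private_key.txt` does not reliably overwrite data on journaling or flash-backed storage such as the eMMC/SD card the BeagleBone boots from, so the text should not imply the private key file is irrecoverable; and `chown root:root ~/.gnupg` is not recursive (`-R`), though `cp -r` run as root already leaves the copies root-owned.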