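GnuPG is an excellent piece of encryption software, and it plays an extremely important role in our digital lives. More and more people are starting to use it for everyday signing, verification, encryption and decryption. Although plenty of Chinese-language tutorials on it already exist, this post is written in the hope that everyone can use encryption to protect their privacy and their lives.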

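1. Before we begin

Before getting into the main text, a few points:

  1. This post is not a tutorial on asymmetric encryption algorithms or on basic GnuPG operations (such tutorials are listed under Recommended reading);
  2. Although this post involves the command line, Erxiangzi will walk you through every step as clearly as possible, so don't be intimidated;
  3. The GPG key generated in this post is for demonstration only and is not the GPG key Erxiangzi uses day to day;
  4. Erxiangzi's knowledge and ability are limited, so if anything here is unclear, please point it out in the comments to help make this post better.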

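2. Benefits and principle of using a signing subkey

Imagine that one day your private key is stolen, remotely or physically. Whoever holds it can not only decrypt the encrypted messages others have sent you, but also use your signing key (that is, your private key) to send messages while impersonating you. Your only option at that point is to revoke all of your keys (including the master key), but doing so also invalidates the certifications from other people that your master signing key has accumulated over time (see the Web of Trust mechanism).

This problem can in fact be mitigated by using subkeys in place of the master key for day-to-day operations. The principle behind it is as follows:

  1. Generate a regular GPG key pair, which contains a private key used for signing and decryption and a public key used to encrypt messages sent to you;
  2. Use GPG to add a secondary private key to your key pair, so that we now have three keys;
  3. The keyring made up of these three keys is called the master key, and it should be kept somewhere very safe;
  4. Remove the private key generated in step 1 from the keyring, leaving only the newly added private key and the original public key;
  5. The two keys that remain are called the everyday keys; they stay on your computer for everyday signing, encryption, decryption and so on.

After that, even if your "everyday keys" are lost or stolen, your master key is still safe. You can use the master key to revoke the lost or stolen "everyday keys". This cannot stop whoever obtained your everyday keys from reading your past encrypted messages, but at least the certifications from other people that your master signing key has accumulated over time are preserved.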

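3. Creating the perfect GPG key pair

Erxiangzi will now walk you through creating the perfect GPG key pair step by step. The GnuPG version used here is 1.4.18 and the operating system is Debian 8. Because your GnuPG version and operating system may differ, if you find that anything diverges from the steps or commands shown here, please let Erxiangzi know in the comments. Thanks in advance :)

3.1 Create the initial key pair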

user@temp:~$ gpg --gen-key

gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory `/home/user/.gnupg' created
gpg: new configuration file `/home/user/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/user/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/user/.gnupg/secring.gpg' created
gpg: keyring `/home/user/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)

Your selection? 1

RSA keys may be between 1024 and 4096 bits long.

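This prompt asks for the length of the key pair you are creating. The longer the key, the stronger the encryption. As hardware and software advance, computers become more powerful, which also means that breaking encryption becomes easier. Encryption that cannot be broken today may well be breakable in the future. Erxiangzi therefore strongly recommends using the longest key length GnuPG offers (currently 4096 bits).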

What keysize do you want? (2048) 4096

Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years

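This prompt asks how long it should be before the key pair expires. Giving the key a limited validity period is an effective safeguard: even if you lose your private key or forget the passphrase, once the expiry date passes everyone will know that you no longer use this key. When a key expires there are basically two options: create a new key and (if possible) keep the old one to decrypt earlier e-mail and the like, or extend the key's expiry date. Here Erxiangzi chooses "1y", meaning the key expires one year after creation.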

Key is valid for? (0) 1y

Key expires at Tue 05 Sep 2017 00:00:39 PM UTC

Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Because the Real name field cannot start with a digit, Erxiangzi had to write the "2" as its Hanyu Pinyin spelling, "er".

Real name: erxiangzi
Email address: 2xiangzi-blog@riseup.net
Comment:

You selected this USER-ID:
    "erxiangzi <2xiangzi-blog@riseup.net>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

You need a Passphrase to protect your secret key.

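Here you set a passphrase. Once it is set, you are asked for it every time the GPG private key is used, which offers a degree of protection. As an aside, this protection is actually not very effective; there is a more advanced approach called Split GPG, which is worth a look if you are interested.

<enter your passphrase here>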

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
....+++++
....+++++
gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
gpg: key AB7BB174 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2017-09-05
pub   4096R/AB7BB174 2016-09-05 [expires: 2017-09-05]
      Key fingerprint = 9FAF 11FB 58E3 1E5F 4A4D  DF31 4FF8 F994 AB7B B174
uid                  erxiangzi <2xiangzi-blog@riseup.net>
sub   4096R/AB64DCD1 2016-09-05 [expires: 2017-09-05]

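3.2 Add a photo

Once the initial key pair has been created, you can also attach a JPEG image to it. Bear in mind, though, that you will probably distribute your public key to many places, and adding an image makes the public key larger, which can be inconvenient. Erxiangzi does not recommend it; if you do not want to add an image, read the next paragraph and then skip the rest of this subsection.

You will see "AB7BB174" in the command entered here. This is the short ID of the GPG public key you just generated. Short GPG key IDs are almost never identical between two people unless someone deliberately creates a collision, and you can find your own in the final output of the previous subsection.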

user@temp:~$ gpg --edit-key AB7BB174

gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  4096R/AB7BB174  created: 2016-09-05  expires: 2017-09-05  usage: SC  
                     trust: ultimate      validity: ultimate
sub  4096R/AB64DCD1  created: 2016-09-05  expires: 2017-09-05  usage: E   
[ultimate] (1). erxiangzi <2xiangzi-blog@riseup.net>

gpg> addphoto

Pick an image to use for your photo ID.  The image must be a JPEG file.
Remember that the image is stored within your public key.  If you use a
very large picture, your key will become very large as well!
Keeping the image close to 240x288 is a good size to use.

Enter JPEG filename for photo ID: /home/user/me.jpg

is this photo correct (y/N/q)? y

You need a passphrase to unlock the secret key for
user: "erxiangzi <2xiangzi-blog@riseup.net>"
4096-bit RSA key, ID AB7BB174, created 2016-09-05

<enter your passphrase here>

pub  4096R/AB7BB174  created: 2016-09-05  expires: 2017-09-05  usage: SC  
                     trust: ultimate      validity: ultimate
sub  4096R/AB64DCD1  created: 2016-09-05  expires: 2017-09-05  usage: E   
[ultimate] (1). erxiangzi <2xiangzi-blog@riseup.net>
[ unknown] (2)  [jpeg image of size 5032]

gpg> save

3.3 Strengthen the hash preferences

Now we make the newly generated key pair prefer strong hash algorithms.

user@temp:~$ gpg --edit-key AB7BB174

gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  4096R/AB7BB174  created: 2016-09-05  expires: 2017-09-05  usage: SC  
                     trust: ultimate      validity: ultimate
sub  4096R/AB64DCD1  created: 2016-09-05  expires: 2017-09-05  usage: E   
[ultimate] (1). erxiangzi <2xiangzi-blog@riseup.net>
[ unknown] (2)  [jpeg image of size 5032]

gpg> setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP

Set preference list to:
     Cipher: AES256, AES192, AES, CAST5, 3DES
     Digest: SHA512, SHA384, SHA256, SHA224, SHA1
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify

Really update the preferences? (y/N) y

You need a passphrase to unlock the secret key for
user: "erxiangzi <2xiangzi-blog@riseup.net>"
4096-bit RSA key, ID AB7BB174, created 2016-09-05

<enter your passphrase here>

pub  4096R/AB7BB174  created: 2016-09-05  expires: 2017-09-05  usage: SC  
                     trust: ultimate      validity: ultimate
sub  4096R/AB64DCD1  created: 2016-09-05  expires: 2017-09-05  usage: E   
[ultimate] (1). erxiangzi <2xiangzi-blog@riseup.net>
[ unknown] (2)  [jpeg image of size 5032]

gpg> save

3.4 Add a new signing subkey

user@temp:~$ gpg --edit-key AB7BB174

gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  4096R/AB7BB174  created: 2016-09-05  expires: 2017-09-05  usage: SC  
                     trust: ultimate      validity: ultimate
sub  4096R/AB64DCD1  created: 2016-09-05  expires: 2017-09-05  usage: E   
[ultimate] (1). erxiangzi <2xiangzi-blog@riseup.net>
[ unknown] (2)  [jpeg image of size 5032]

gpg> addkey

Key is protected.

You need a passphrase to unlock the secret key for
user: "erxiangzi <2xiangzi-blog@riseup.net>"
4096-bit RSA key, ID AB7BB174, created 2016-09-05

<enter your passphrase here>

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)

Your selection? 4

RSA keys may be between 1024 and 4096 bits long.

What keysize do you want? (2048) 4096

Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years

Key is valid for? (0) 1y

Key expires at Tue 05 Sep 2017 00:10:17 PM UTC

Is this correct? (y/N) y
Really create? (y/N) y

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
......+++++
+++++

pub  4096R/AB7BB174  created: 2016-09-05  expires: 2017-09-05  usage: SC  
                     trust: ultimate      validity: ultimate
sub  4096R/AB64DCD1  created: 2016-09-05  expires: 2017-09-05  usage: E   
sub  4096R/0D65E7C7  created: 2016-09-05  expires: 2017-09-05  usage: S   
[ultimate] (1). erxiangzi <2xiangzi-blog@riseup.net>
[ unknown] (2)  [jpeg image of size 5032]

gpg> save

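3.5 Create a revocation certificate

Now let's create a revocation certificate. If your master key pair is ever lost or stolen, this certificate is the only way to tell the outside world "please ignore my lost key".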

user@temp:~$ gpg --output revocation.cert --gen-revoke AB7BB174

sec  4096R/AB7BB174 2016-09-05 erxiangzi <2xiangzi-blog@riseup.net>

Create a revocation certificate for this key? (y/N) y

Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)

Your decision? 0

Enter an optional description; end it with an empty line:

>

Reason for revocation: No reason specified
(No description given)

Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: "erxiangzi <2xiangzi-blog@riseup.net>"
4096-bit RSA key, ID AB7BB174, created 2016-09-05

<enter your passphrase here>

ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!

3.6 Export the master key pair and the revocation certificate

Create a backup of the private key:

user@temp:~$ gpg --export-secret-keys --armor AB7BB174 > erxiangzi_gpg_private.key

Create a backup of the public key:

user@temp:~$ gpg --export --armor AB7BB174 > erxiangzi_gpg_public.key

Bundle the private key, public key and revocation certificate into one archive (the procedure is different on Windows):

user@temp:~$ tar -cf gpg_master_keys.tar erxiangzi_gpg*.key revocation.cert

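In theory, once the archive has been created you will not need it again except in special cases (for example, revoking a lost key or signing someone else's key). Because this archive is so important, Erxiangzi recommends moving it onto a strongly encrypted removable medium (such as a USB stick or a CD) and then hiding that medium well. Removable media are a good choice partly because they are easy to hide (you could, for instance, toss the burned CD into a box of pirated discs), and partly because a key stored on a laptop would disappear along with the laptop if it were lost or stolen.

After completing the steps above, don't forget to wipe (note: not merely delete) the private key, public key and revocation certificate you just exported: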

user@temp:~$ shred -u erxiangzi*.key revocation.cert
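
A check that can be run between the tar step and the shred step above, as an added example that is not part of the original post: it confirms that every file about to be shredded is in the archive and byte-identical to the copy on disk. The function names are made up for this example, and the demo files are constructed placeholders, not key material.

```shell
#!/bin/sh
# Added example, not from the original post. File names follow section 3.6.

# verify_backup ARCHIVE FILE...
# Succeeds only if every FILE is a member of ARCHIVE and the archived copy is
# byte-identical to the file on disk, so the originals are safe to shred.
verify_backup() {
    archive=$1
    shift
    [ -r "$archive" ] || { echo "cannot read $archive" >&2; return 1; }
    for f in "$@"; do
        # Membership test first: an absent member must never pass.
        if ! tar -tf "$archive" | grep -Fxq -- "$f"; then
            echo "not in archive: $f" >&2
            return 1
        fi
        # tar -O writes the archived member to stdout; compare it with the file.
        if ! tar -xOf "$archive" "$f" | cmp -s - "$f"; then
            echo "differs from archive: $f" >&2
            return 1
        fi
    done
}

# Demonstration on constructed placeholder files (no real key material).
demo_verify_backup() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        echo "placeholder private key" > erxiangzi_gpg_private.key
        echo "placeholder public key" > erxiangzi_gpg_public.key
        echo "placeholder revocation certificate" > revocation.cert

        # Same tar command as in the post: all three files are archived.
        tar -cf gpg_master_keys.tar erxiangzi_gpg*.key revocation.cert
        verify_backup gpg_master_keys.tar erxiangzi_gpg*.key revocation.cert \
            && echo "complete: safe to shred"

        # Archive built without the certificate: shredding now would lose it.
        tar -cf incomplete.tar erxiangzi_gpg*.key
        verify_backup incomplete.tar erxiangzi_gpg*.key revocation.cert \
            2>/dev/null || echo "incomplete: do not shred"
    )
    status=$?
    rm -rf "$dir"
    return "$status"
}

demo_verify_backup
```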

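3.7 Replace the master key pair with an everyday key pair

This key pair for everyday use (the everyday key pair from here on) should not contain your master signing key. The everyday key pair can be exposed to untrusted environments (such as your phone or a networked virtual machine).

3.7.1 Export the two subkeys

Export the two subkeys to a temporary file named subkeys: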

user@temp:~$ gpg --export-secret-subkeys AB7BB174 > subkeys

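Note: if you never set a passphrase (which is common among Split-GPG users), then because of how GnuPG is designed your private key will not be exported. In that case you need to set a passphrase temporarily and change it back to empty once the export is done. The steps are as follows (skip them if you did not run into this problem):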

user@temp:~$ gpg --edit-key AB7BB174

gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  4096R/AB7BB174  created: 2016-09-05  expires: 2017-09-05  usage: SC  
                     trust: ultimate      validity: ultimate
sub  4096R/AB64DCD1  created: 2016-09-05  expires: 2017-09-05  usage: E   
sub  4096R/0D65E7C7  created: 2016-09-05  expires: 2017-09-05  usage: S   
[ultimate] (1). erxiangzi <2xiangzi-blog@riseup.net>
[ unknown] (2)  [jpeg image of size 5032]

gpg> passwd

Secret parts of primary key are not available.

You need a passphrase to unlock the secret key for
user: "erxiangzi <2xiangzi-blog@riseup.net>"
4096-bit RSA key, ID AB64DCD1, created 2016-09-05

<enter your old passphrase here>

Enter the new passphrase for this secret key.

<enter your new passphrase here>

Do you really want to do this? (y/N) y

gpg> save

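3.7.2 Delete the master signing key

Since the master signing key has already been archived and backed up to a secure removable medium, you can now safely delete it from the keyring: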

user@temp:~$ gpg --delete-secret-keys AB7BB174

gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.


sec  4096R/AB7BB174 2016-09-05 erxiangzi <2xiangzi-blog@riseup.net>

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y

3.7.3 Import the signing subkey

Because the master signing key was just deleted, only the signing subkey is imported back onto the computer:

user@temp:~$ gpg --import subkeys

gpg: key AB7BB174: secret key imported
gpg: key AB7BB174: "erxiangzi <2xiangzi-blog@riseup.net>" 1 new signature
gpg: Total number processed: 1
gpg:         new signatures: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1

user@temp:~$ gpg --list-secret-keys

/home/user/.gnupg/secring.gpg
-----------------------------
sec#  4096R/AB7BB174 2016-09-05 [expires: 2017-09-05]
uid                  erxiangzi <2xiangzi-blog@riseup.net>
ssb   4096R/AB64DCD1 2016-09-05
ssb   4096R/0D65E7C7 2016-09-05

Notice that a "#" now follows sec, which indicates that the master signing key is no longer in the keyring.
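
One way to check that a machine holds only the everyday keys, as an added example that is not from the original post: it reads the GnuPG 1.4 listing format shown above and reports whether the primary secret key is a stub (sec#). The function names are hypothetical, and the second sample listing is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. It parses the human-readable
# GnuPG 1.4 listing format shown in section 3.7.3.

# audit_secret_listing: reads `gpg --list-secret-keys` output on stdin and
# prints one line per primary key:
#   OFFLINE <keyid> subkeys=<n>   primary secret key is a stub (sec#)
#   PRESENT <keyid> subkeys=<n>   primary secret key is stored on this machine
# <n> counts subkeys whose secret part is present (plain "ssb").
# Exit status 0 only if every primary key is OFFLINE with at least one subkey.
audit_secret_listing() {
    awk '
        function report() {
            if (keyid == "") return
            printf "%s %s subkeys=%d\n", state, keyid, subkeys
            if (state != "OFFLINE" || subkeys == 0) bad = 1
        }
        $1 == "sec" || $1 == "sec#" {
            report()
            state = ($1 == "sec#") ? "OFFLINE" : "PRESENT"
            split($2, part, "/")      # "4096R/AB7BB174" -> key ID
            keyid = part[2]
            subkeys = 0
        }
        $1 == "ssb" { subkeys++ }
        END {
            report()
            exit ((bad || keyid == "") ? 1 : 0)
        }
    '
}

# Listing copied from section 3.7.3 (everyday keyring).
sample_everyday() {
    cat <<'EOF'
/home/user/.gnupg/secring.gpg
-----------------------------
sec#  4096R/AB7BB174 2016-09-05 [expires: 2017-09-05]
uid                  erxiangzi <2xiangzi-blog@riseup.net>
ssb   4096R/AB64DCD1 2016-09-05
ssb   4096R/0D65E7C7 2016-09-05
EOF
}

# Constructed listing: the same keyring before section 3.7.2, when the
# primary secret key has not been deleted yet.
sample_master_present() {
    sample_everyday | sed 's/^sec#/sec /'
}

sample_everyday | audit_secret_listing
sample_master_present | audit_secret_listing || echo "primary secret key still here"
```

On a real keyring the input would come from: gpg --list-secret-keys | audit_secret_listing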

3.7.4 Wipe the subkeys file

user@temp:~$ shred --remove subkeys

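4. A quick recap

At this point you may well be asking: what did we just do?

  1. First, we generated a key pair using the strongest settings available;
  2. Then we added a signing subkey to this key pair, turning it into a keyring;
  3. Next, we exported the keyring and archived it together with the revocation certificate on a secure removable medium. That archive is the master key pair;
  4. Finally, we deleted the master signing key from the local keyring; what remains is called the everyday key pair.

5. Using the everyday key pair

You can now use this everyday key pair to encrypt, decrypt and sign.

However, if you want to certify someone else's key, or revoke this everyday key pair, you will need the master key pair.

6. What to do when things go wrong

If the everyday key pair is lost or stolen, then thanks to the preparation done beforehand we do not have to revoke the entire keyring, which means the Web of Trust signatures accumulated on the master signing key are preserved.

6.1 Import the master key

First, find the removable medium you hid away and extract the master key pair archive: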

[user@temp ~]$ tar xvf gpg_master_keys.tar

erxiangzi_gpg_private.key
erxiangzi_gpg_public.key
revocation.cert

Then import the master key:

[user@temp ~]$ gpg --import erxiangzi_gpg_p*.key

gpg: directory `/home/user/.gnupg' created
gpg: new configuration file `/home/user/.gnupg/gpg.conf' created
gpg: WARNING: options in `/home/user/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/home/user/.gnupg/secring.gpg' created
gpg: keyring `/home/user/.gnupg/pubring.gpg' created
gpg: key AB7BB174: secret key imported
gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
gpg: key AB7BB174: public key "erxiangzi <2xiangzi-blog@riseup.net>" imported
gpg: key AB7BB174: "erxiangzi <2xiangzi-blog@riseup.net>" 1 new signature
gpg: Total number processed: 2
gpg:               imported: 1  (RSA: 1)
gpg:         new signatures: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1

Verify the result of the import:

user@temp:~$ gpg --edit-key AB7BB174

gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  4096R/AB7BB174  created: 2016-09-05  expires: 2017-09-05  usage: SC  
                     trust: ultimate      validity: ultimate
sub  4096R/AB64DCD1  created: 2016-09-05  expires: 2017-09-05  usage: E   
sub  4096R/0D65E7C7  created: 2016-09-05  expires: 2017-09-05  usage: S   
[ultimate] (1). erxiangzi <2xiangzi-blog@riseup.net>
[ unknown] (2)  [jpeg image of size 5032]
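  • The all-important master key shows SC ("sign" & "certify", meaning it can sign and can certify other keys)
  • The first subkey shows E ("encrypt")
  • The second subkey shows S ("sign")

6.2 Revoke the stolen or lost subkeys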

gpg> list

pub  4096R/AB7BB174  created: 2016-09-05  expires: 2017-09-05  usage: SC  
                     trust: ultimate      validity: ultimate
sub  4096R/AB64DCD1  created: 2016-09-05  expires: 2017-09-05  usage: E   
sub  4096R/0D65E7C7  created: 2016-09-05  expires: 2017-09-05  usage: S   
[ultimate] (1). erxiangzi <2xiangzi-blog@riseup.net>
[ unknown] (2)  [jpeg image of size 5032]

gpg> key 1

pub  4096R/AB7BB174  created: 2016-09-05  expires: 2017-09-05  usage: SC  
                     trust: ultimate      validity: ultimate
sub*  4096R/AB64DCD1  created: 2016-09-05  expires: 2017-09-05  usage: E   
sub  4096R/0D65E7C7  created: 2016-09-05  expires: 2017-09-05  usage: S   
[ultimate] (1). erxiangzi <2xiangzi-blog@riseup.net>
[ unknown] (2)  [jpeg image of size 5032]

gpg> key 2

pub  4096R/AB7BB174  created: 2016-09-05  expires: 2017-09-05  usage: SC  
                     trust: ultimate      validity: ultimate
sub*  4096R/AB64DCD1  created: 2016-09-05  expires: 2017-09-05  usage: E   
sub*  4096R/0D65E7C7  created: 2016-09-05  expires: 2017-09-05  usage: S   
[ultimate] (1). erxiangzi <2xiangzi-blog@riseup.net>
[ unknown] (2)  [jpeg image of size 5032]

gpg> revkey

Do you really want to revoke the selected subkeys? (y/N) y

Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel

Your decision? 1

Enter an optional description; end it with an empty line:

>

Reason for revocation: Key has been compromised
(No description given)

Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: "erxiangzi <2xiangzi-blog@riseup.net>"
4096-bit RSA key, ID AB7BB174, created: 2016-09-05

<enter your passphrase here>

You need a passphrase to unlock the secret key for
user: "erxiangzi <2xiangzi-blog@riseup.net>"
4096-bit RSA key, ID AB7BB174, created: 2016-09-05

<enter your passphrase here>

pub  4096R/AB7BB174  created: 2016-09-05  expires: 2017-09-05  usage: SC  
                     trust: ultimate      validity: ultimate
This key was revoked on 2016-09-05 by RSA key AB7BB174 erxiangzi <2xiangzi-blog@riseup.net>
sub  4096R/AB64DCD1  created: 2016-09-05  expires: 2017-09-05  usage: E   
This key was revoked on 2016-09-05 by RSA key AB7BB174 erxiangzi <2xiangzi-blog@riseup.net>
sub  4096R/0D65E7C7  created: 2016-09-05  expires: 2017-09-05  usage: S   
[ultimate] (1). erxiangzi <2xiangzi-blog@riseup.net>
[ unknown] (2)  [jpeg image of size 5032]

gpg> save

6.3 Tell the outside world that you have revoked the keys

6.3.1 Export the revoked keys to an ASCII file

[user@temp ~]$ gpg --export -a > revoked_keys.asc

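Then post the contents of the ASCII file on the Internet. This is the method Erxiangzi used for this revocation.

6.3.2 Use a key server

If you previously uploaded your public key to a key server (sks.keyservers.net is used as the example here), you need to tell the server that you have revoked the keys with the following command:

[user@temp ~]$ gpg --keyserver sks.keyservers.net --send-keys AB7BB174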

gpg: sending key AB7BB174 to hkp server sks.keyservers.net


7. Recommended reading

  1. Using GnuPG with QubesOS
  2. Creating the perfect GPG keypair
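  3. RSA algorithm principles (part 1)
  4. RSA algorithm principles (part 2)
  5. Complete Chinese-language tutorial on GPG (PGP) encryption and decryption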
  6. Using OpenPGP subkeys in Debian development