
6. Guide to generating keys with GnuPG from the console (recommended configuration)

# Restricting the use of the weak SHA1 hash algorithm:

The default algorithms used by newly generated keys can be defined in ~/.gnupg/gpg.conf (if the file does not exist, create it):

personal-digest-preferences SHA512,SHA384,SHA256,SHA224

For secure signing, explicitly set a secure algorithm in ~/.gnupg/gpg.conf as well:

cert-digest-algo SHA256 (or "digest-algo SHA256")

More information can be found, for example, here.
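As an added example that is not part of this guide, the POSIX shell linter below checks a gpg.conf for the two settings just described: the digest preference list must not advertise a weak hash, and cert-digest-algo (or digest-algo) must be set to a SHA-2 algorithm. The sample config files it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the CSIRT.sk guide: lint a gpg.conf for the
# hash settings recommended above. The sample files in demo() are constructed.

# Print the value of option $1 from gpg.conf $2 (first match; comment lines skipped).
conf_value() {
    grep -v '^[[:space:]]*#' "$2" |
        awk -v opt="$1" '$1 == opt { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Return 0 when $1 satisfies both recommendations, 1 otherwise (one finding per line).
check_gpg_conf() {
    rc=0
    prefs=$(conf_value personal-digest-preferences "$1")
    if [ -z "$prefs" ]; then
        echo "missing: personal-digest-preferences (new keys get the GnuPG defaults)"
        rc=1
    elif echo "$prefs" | tr ', ' '\n\n' | grep -Eqi '^(SHA1|MD5|RIPEMD160)$'; then
        echo "weak: personal-digest-preferences advertises a weak hash: $prefs"
        rc=1
    fi
    # cert-digest-algo governs key signatures; digest-algo is the guide's alternative.
    algo=$(conf_value cert-digest-algo "$1")
    [ -n "$algo" ] || algo=$(conf_value digest-algo "$1")
    case "$(echo "$algo" | tr 'a-z' 'A-Z')" in
        SHA224|SHA256|SHA384|SHA512) ;;
        '') echo "missing: cert-digest-algo (key signatures fall back to the default hash)"; rc=1 ;;
        *)  echo "weak: cert-digest-algo/digest-algo is set to $algo"; rc=1 ;;
    esac
    return $rc
}

# Constructed samples: a config still allowing SHA1 next to the guide's corrected one.
demo() {
    weak=$(mktemp); good=$(mktemp)
    printf '%s\n' '# constructed weak config' \
        'personal-digest-preferences SHA256,SHA1' 'cert-digest-algo SHA1' > "$weak"
    printf '%s\n' 'personal-digest-preferences SHA512,SHA384,SHA256,SHA224' \
        'cert-digest-algo SHA256' > "$good"
    for f in "$weak" "$good"; do
        if check_gpg_conf "$f"; then echo "$f: OK"; else echo "$f: see findings above"; fi
    done
    rm -f "$weak" "$good"
}
demo
```

Run it against your own file with check_gpg_conf ~/.gnupg/gpg.conf; a non-zero exit status means at least one recommendation is not met.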

# Creating the primary (master) key:

While generating the primary key pair you will need to specify a passphrase for the private key. This passphrase will be used only when creating or modifying subkeys, so we recommend a strong but easily memorable passphrase.

gpg --expert --full-gen-key (or gpg --expert --gen-key for GnuPG version 1)

gpg (GnuPG) 2.1.11; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
   (9) ECC and ECC
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
Your selection? 8

Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Sign Certify Encrypt

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? S

Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Certify Encrypt

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? E

Possible actions for a RSA key: Sign Certify Encrypt Authenticate
Current allowed actions: Certify

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? Q

RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Fri 02 Apr 2021 03:51:47 PM CEST
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Janko Mrkvicka
Email address: janko.mkrvicka@csirt.sk
Comment:
You selected this USER-ID:
    "Janko Mrkvicka <janko.mkrvicka@csirt.sk>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 0xA9B3110ED21FA171 marked as ultimately trusted
gpg: revocation certificate stored as '/home/janko/.gnupg/openpgp-revocs.d/D44CA7BBB71DA3735157D764A9B3110ED21FA171.rev'
public and secret key created and signed.

gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: PGP
gpg: depth: 0  valid:   5  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 5u
gpg: next trustdb check due at 2021-03-04
pub   rsa4096/0xA9B3110ED21FA171 2019-04-03 [] [expires: 2021-04-02]
      Key fingerprint = D44C A7BB B71D A373 5157  D764 A9B3 110E D21F A171
uid                   [ultimate] Janko Mrkvicka <janko.mkrvicka@csirt.sk>

# Configuring the primary (master) key (restricting it to strong algorithms only):

gpg --expert --edit-key 0xA9B3110ED21FA171

gpg (GnuPG) 2.1.11; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa4096/0xA9B3110ED21FA171
     created: 2019-04-03  expires: 2021-04-02  usage: C
     trust: ultimate      validity: ultimate
[ultimate] (1). Janko Mrkvicka <janko.mkrvicka@csirt.sk>

gpg> setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
Set preference list to:
     Cipher: AES256, AES192, AES, CAST5, 3DES
     Digest: SHA512, SHA384, SHA256, SHA224, SHA1
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify
Really update the preferences? (y/N) y

sec  rsa4096/0xA9B3110ED21FA171
     created: 2019-04-03  expires: 2021-04-02  usage: C
     trust: ultimate      validity: ultimate
[ultimate] (1). Janko Mrkvicka <janko.mkrvicka@csirt.sk>

gpg> save

It is advisable, indeed necessary, to back up the generated key pair to offline media. The same applies to its passphrase.

# Adding an identity to the key:

gpg --expert --edit-key 0xA9B3110ED21FA171

gpg (GnuPG) 2.1.11; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa4096/0xA9B3110ED21FA171
     created: 2019-04-03  expires: 2021-04-02  usage: C
     trust: ultimate      validity: ultimate
ssb  rsa4096/0x67A1C966778BAE55
     created: 2019-04-03  expires: 2021-04-02  usage: S
ssb  rsa4096/0xFCBFA27BBBF1180C
     created: 2019-04-03  expires: 2021-04-02  usage: E
[ultimate] (1). Janko Mrkvicka <janko.mkrvicka@csirt.sk>

gpg> adduid
Real name: Janko Mrkvicka
Email address: janicko@csirt.sk
Comment:
You selected this USER-ID:
    "Janko Mrkvicka <janicko@csirt.sk>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

sec  rsa4096/0xA9B3110ED21FA171
     created: 2019-04-03  expires: 2021-04-02  usage: C
     trust: ultimate      validity: ultimate
ssb  rsa4096/0x67A1C966778BAE55
     created: 2019-04-03  expires: 2021-04-02  usage: S
ssb  rsa4096/0xFCBFA27BBBF1180C
     created: 2019-04-03  expires: 2021-04-02  usage: E
[ultimate] (1)  Janko Mrkvicka <janko.mkrvicka@csirt.sk>
[ unknown] (2). Janko Mrkvicka <janicko@csirt.sk>

gpg> save

If we want to specify which identity is the primary one, this can be done with:

gpg --expert --edit-key 0xA9B3110ED21FA171
gpg> uid 2    # i.e. the sequence number of the identity
gpg> primary
gpg> save

$ gpg --list-secret-keys
/home/mrkvicka/.gnupg/pubring.gpg
--------------------------------
sec   rsa4096/0xA9B3110ED21FA171 2019-04-03 [C] [expires: 2021-04-02]
      Key fingerprint = D44C A7BB B71D A373 5157  D764 A9B3 110E D21F A171
uid                   [ultimate] Janko Mrkvicka <janko.mkrvicka@csirt.sk>

# Creating the signing and encryption subkeys:

While generating the subkey you will need to specify a passphrase for its private key. This passphrase will be used when working with e-mail. We recommend generating a strong yet easily typed passphrase. It should differ from the passphrase of the primary key.

During generation you will also be prompted for the passphrase of the private primary key, which must be unlocked so that the subkey being generated can be signed.

gpg --expert --edit-key 0xA9B3110ED21FA171

gpg (GnuPG) 2.1.11; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa4096/0xA9B3110ED21FA171
     created: 2019-04-03  expires: 2021-04-02  usage: C
     trust: ultimate      validity: ultimate
[ultimate] (1). Janko Mrkvicka <janko.mkrvicka@csirt.sk>

gpg> addkey
Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
Your selection? 4
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 2y
Key expires at Fri 02 Apr 2021 04:14:01 PM CEST
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  rsa4096/0xA9B3110ED21FA171
     created: 2019-04-03  expires: 2021-04-02  usage: C
     trust: ultimate      validity: ultimate
ssb  rsa4096/0x67A1C966778BAE55
     created: 2019-04-03  expires: 2021-04-02  usage: S
[ultimate] (1). Janko Mrkvicka <janko.mkrvicka@csirt.sk>

gpg> save

The encryption subkey is generated in the same way, choosing option (6) RSA (encrypt only).

# Final form of the generated keys:

$ gpg --list-secret-keys 0xA9B3110ED21FA171
--------------------------------
sec   rsa4096/0xA9B3110ED21FA171 2019-04-03 [C] [expires: 2021-04-02]
      Key fingerprint = D44C A7BB B71D A373 5157  D764 A9B3 110E D21F A171
uid                   [ultimate] Janko Mrkvicka <janko.mkrvicka@csirt.sk>
uid                   [ultimate] Janko Mrkvicka <janicko@csirt.sk>
ssb   rsa4096/0x67A1C966778BAE55 2019-04-03 [S] [expires: 2021-04-02]
      Key fingerprint = 8F7D 0B0D 7186 1597 E477  EC8D 67A1 C966 778B AE55
ssb   rsa4096/0xFCBFA27BBBF1180C 2019-04-03 [E] [expires: 2021-04-02]
      Key fingerprint = 4C92 815E B824 B057 DC91  4076 FCBF A27B BBF1 180C

# Exporting the primary key and all subkeys:

To export all keys:

gpg --export-secret-keys --armor --output /media/janko/BACKUP/janko.mrkvicka_allkeys_secret.gpg 0xA9B3110ED21FA171

To export the public keys:

gpg --export --armor --output /media/janko/BACKUP/janko.mrkvicka_allkeys_public.gpg 0xA9B3110ED21FA171

# Exporting the subkeys:

gpg --export-secret-subkeys --armor --output ./janko.mrkvicka_subkeys_secret.gpg 0xA9B3110ED21FA171

After backing up the keys (especially the primary key pair), the primary key must be deleted from the workstation.

gpg --delete-secret-keys 0xA9B3110ED21FA171

gpg (GnuPG) 2.1.11; Copyright (C) 2016 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

sec  rsa4096/0xA9B3110ED21FA171 2019-04-03 Janko Mrkvicka <janko.mkrvicka@csirt.sk>

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y

A dialog follows asking you to confirm deletion of the key and of each of its subkeys. If we want to keep the subkeys, we simply do not confirm their deletion.
