GnuPG用多个sub keys保护primary key

首先创建primary key. 原则上, 作为自己身份的证明, 应该是永远不过期的. passphrase则应足够保险, 自己好记的, 别人不容易猜出的, 允许空格, 最好有数字符号, 不少于20个字符.

C:\Documents and Settings\user>gpg --gen-key
gpg (GnuPG) 1.4.7; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
= key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) "

Real name: Pcxingxing Admin
Email address: admin@pcxingxing.net.ru
Comment: pcxingxing
You selected this USER-ID:
"Pcxingxing Admin (pcxingxing) "

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.++++++++++.++++++++++++++++++++++++++++++.+++++++++++++++++++++++++++++++++++.+
++++.+++++.++++++++++++++++++++.++++++++++..++++++++++.++++++++++>+++++..>+++++< +++++.+++++ We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. ++++++++++++++++++++.++++++++++++++++++++++++++++++.++++++++++.+++++.+++++..++++ +..++++++++++++++++++++.+++++++++++++++.++++++++++...+++++.++++++++++.++++++++++ >..++++++++++>+++++>+++++.......................................................
..................................<+++++............+++++^^^^^^^^^^^ gpg: key 195BF502 marked as ultimately trusted public and secret key created and signed. gpg: checking the trustdb gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u pub 1024D/195BF502 2008-08-22 Key fingerprint = 3710 1AF5 31D5 1C71 B594 74E7 9646 85D1 195B F502 uid Pcxingxing Admin (pcxingxing)
sub 2048g/02630FCE 2008-08-22
============================================================
别忘了生成一个密钥撤销证书. 这个一定要妥善保管, 不能泄露
C:\Documents and Settings\user>gpg --output revokecert.txt --gen-revok
ng pcxingxing

sec 1024D/195BF502 2008-08-22 Pcxingxing Admin (pcxingxing)

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
0 = No reason specified
1 = Key has been compromised
2 = Key is superseded
3 = Key is no longer used
Q = Cancel
(Probably you want to select 1 here)
Your decision? 1
Enter an optional description; end it with an empty line:
>
Reason for revocation: Key has been compromised
(No description given)
Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: "Pcxingxing Admin (pcxingxing) "
1024-bit DSA key, ID 195BF502, created 2008-08-22

ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable. But have some caution: The print syste
your machine might store the data and make it available to others!
============================================================


下面为各种用途创建sub keys. 比如, 在家里, 工作场所和便携电脑上的, 用于签名和加密的不同密钥. 这些sub keys可以适当设置有效期限.更新一下公钥

C:\Documents and Settings\user>gpg --edit pcxingxing
gpg (GnuPG) 1.4.7; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Secret key is available.

pub 1024D/195BF502 created: 2008-08-22 expires: never usage: SC
trust: ultimate validity: ultimate
sub 2048g/02630FCE created: 2008-08-22 expires: never usage: E
[ultimate] (1). Pcxingxing Admin (pcxingxing)

Command> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "Pcxingxing Admin (pcxingxing) "
1024-bit DSA key, ID 195BF502, created 2008-08-22

Please select what kind of key you want:
(2) DSA (sign only)
(4) Elgamal (encrypt only)
(5) RSA (sign only)
(6) RSA (encrypt only)
Your selection? 2
DSA keypair will have 1024 bits.
Please specify how long the key should be valid.
0 = key does not expire
= key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.+++++.+++++.++++++++++.+++++++++++++++...+++++++++++++++++++++++++.+++++.+++++.
+++++++++++++++...++++++++++.++++++++++.++++++++++++++++++++++++++++++.......+++
++

pub 1024D/195BF502 created: 2008-08-22 expires: never usage: SC
trust: ultimate validity: ultimate
sub 2048g/02630FCE created: 2008-08-22 expires: never usage: E
sub 1024D/B9F75C53 created: 2008-08-22 expires: never usage: S
[ultimate] (1). Pcxingxing Admin (pcxingxing)

Command> addkey
Key is protected.

You need a passphrase to unlock the secret key for
user: "Pcxingxing Admin (pcxingxing) "
1024-bit DSA key, ID 195BF502, created 2008-08-22

Please select what kind of key you want:
(2) DSA (sign only)
(4) Elgamal (encrypt only)
(5) RSA (sign only)
(6) RSA (encrypt only)
Your selection? 4
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 0
ELG-E keysizes must be in the range 1024-4096
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
= key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
...+++++.+++++++++++++++.+++++.++++++++++.+++++..++++++++++.+++++.++++++++++...+
++++...+++++.+++++++++++++++.+++++++++++++++..+++++.++++++++++....+++++.+++++.++
++++++++...+++++>...+++++..+++++>+++++........+++++^^^

pub 1024D/195BF502 created: 2008-08-22 expires: never usage: SC
trust: ultimate validity: ultimate
sub 2048g/02630FCE created: 2008-08-22 expires: never usage: E
sub 1024D/B9F75C53 created: 2008-08-22 expires: never usage: S
sub 2048g/136191CB created: 2008-08-22 expires: never usage: E
[ultimate] (1). Pcxingxing Admin (pcxingxing)

Command> quit
Save changes? (y/N) y

============================================================

然后 就可以为各种用途导出钥匙链了. 用--export-secret-subkeys选项导出的私钥钥匙链里的primary key是无效的, 从而保证了它的安全. 在修改不同用途的钥匙链时, 可以用passwd命令设置不同的passphrase, 然后去掉多余的 sub keys.

C:\Documents and Settings\user>gpg --edit pcxingxing
gpg (GnuPG) 1.4.7; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

Secret key is available.

pub 1024D/195BF502 created: 2008-08-22 expires: never usage: SC
trust: ultimate validity: ultimate
sub 2048g/02630FCE created: 2008-08-22 expires: never usage: E
sub 1024D/B9F75C53 created: 2008-08-22 expires: never usage: S
sub 2048g/136191CB created: 2008-08-22 expires: never usage: E
[ultimate] (1). Pcxingxing Admin (pcxingxing)

Command> passwd
Key is protected.

You need a passphrase to unlock the secret key for
user: "Pcxingxing Admin (pcxingxing) 1024-bit DSA key, ID 195BF502, created 2008-08-22

Enter the new passphrase for this secret key.

别忘了发布公钥.
C:\Documents and Settings\user>gpg --keyserver keyserver.ubuntu.com --send-keys
195BF502
gpg: sending key 195BF502 to hkp server keyserver.ubuntu.com
更新一下公钥

gpg --keyserver keyserver.ubuntu.com --refresh-keys
如果还没信任过这个key, 现在可以设置信任
gpg --edit-key pcxingxing
Command> trust
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
pub  1024D/195BF502  created: 2008-08-22  expires: never       usage: SC
                    trust: ultimate      validity: ultimate
sub  2048g/02630FCE  created: 2008-08-22  expires: never       usage: E
sub  1024D/B9F75C53  created: 2008-08-22  expires: never       usage: S
sub  2048g/136191CB  created: 2008-08-22  expires: never       usage: E
[ultimate] (1). Pcxingxing Admin (pcxingxing) 
Command> quit