GPG和keybase.io

GPG(GnuPG)是一种使用混合加密技术(对称/非对称,对称加密提升加密速度,公钥加密用来保证key交换时的安全性)的应用。它的主要作用在于:

  1. 身份验证。对自己的工作签名,比如git提交,邮件等。
  2. 加密。对交流的过程进行加密保护,防止被别人窃取。

如果是用gpg工具来生成和发布key的话,流程是这样的:

生成key


~> gpg --gen-key
gpg (GnuPG) 1.4.19; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Sat Dec 23 16:20:33 2017 CST
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: Rich Dickson
Email address: dickson.rich@richdick.com
Comment: richdick
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.   ##用密码保护master key

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
..+++++
...+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
..........+++++
........+++++
gpg: key C5071A6F marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   4  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 4u
gpg: next trustdb check due at 2017-08-02
pub   2048R/C5071A6F 2016-12-23 [expires: 2017-12-23]
      Key fingerprint = 1D98 85B1 7D28 942B A265  3BEA AFD0 0C00 C507 1A6F
uid                  Rich Dickson (richdick) <dickson.rich@richdick.com>
sub   2048R/DDAF894F 2016-12-23 [expires: 2017-12-23]

把这个key导出保存在一个安全的地方,比如保险柜 :)

 ~> gpg --export-secret-keys --armor "Rich Dickson (richdick) <dickson.rich@richdick.com>" > richdick-private-key.asc

把public key发布出去


公共的key server可以选hkp://keys.gnupg.net或者keybase.io. Keybase用起来比较方便,下面以它来举例:

brew install keybase

keybase login

keybase pgp select --multi
#    Algo    Key Id             Created   UserId
=    ====    ======             =======   ======
2    2048R   AFD00C00C5071A6F             Rich Dickson <dickson.rich@richdick.com>
Choose a key: 2
▶ INFO Bundle unlocked: AFD00C00C5071A6F
▶ INFO Generated new PGP key:
▶ INFO   user: Rich Dickson (richdick) <dickson.rich@richdick.com>
▶ INFO   2048-bit RSA key, ID AFD00C00C5071A6F, created 2016-12-23
▶ INFO Key AFD00C00C5071A6F imported

我有个朋友叫Logan,我在keybase上搜索下它:

~> keybase search logan
loganhan twitter:logan_han github:logan-han coinbase:loganhan dns://han.life

假设我现在需要给它传递一段加密信息,那么可以这样:

 ~> echo 'Merry Xmas, Logan!' > secrets.txt
 ~> keybase encrypt -i secrets.txt -o secrets.txt.asc loganhan
▶ INFO Identifying recipient loganhan
✔ <tracked> public key fingerprint: BFC6 69B1 861B 8A71 044A 70F1 5E6A 5830 E81F 7EA2
You last followed loganhan on 2016-08-03 10:09:33 CST
 

加密后的内容如下:

BEGIN KEYBASE SALTPACK ENCRYPTED MESSAGE. kiQrUWZvE8pSlIf jYX6ZmEkk4Gba7a 
....
3gZJb6yMWYBnlCU VCVZhPh2MvRiWne lhaaSZViJOXr407 Wt7NXT9RU6Mb96M 28XkWJMHHE60iwD ASc8SRp0HDuMCMg CXx6bMqIWf68ZfT yL19g5vgAGaQi8b yyY7tFMpJ5d5GJe eTa0ZP4AiI20Ez5 4eAZKoy9D4L3R77 ezDwAo5OscyQTUY voRvduVQoWhET3p w9eF13YSk2tajBq 7OuopZZOS1RjE9y sKnmYXLEvaiOKw0 . END KEYBASE SALTPACK ENCRYPTED MESSAGE.

我的同事如果收到这个加密后的文件的话,可以用下面的命令解密:

 ~> keybase decrypt -i secrets.txt.asc
Message authored by iambowen
Merry Xmas, Logan!

验证身份


我觉得如果希拉里的团队知道用邮件加密的功能,就不会被钓鱼,导致邮件泄密,最终败选。GPG可以用在多个地方去验证身份,比如Twitter、DNS、github等。以github为例,在个人的setting里面可以添加GPG的public key。
首先,导出GPG的public key,并在setting页面添加:

gpg --export --armor iambowen.m@gmail.com | pbcopy

本地配置git的signing key:

 git config --global user.signingkey iambowen.m@gmail.com

提交的时候附加身份信息:

 ~> git commit -S

You need a passphrase to unlock the secret key for
user: "Bowen Ma (My GPG key) <iambowen.m@gmail.com>"
2048-bit RSA key, ID A02C6030, created 2016-06-21

[master 0a06550] Why: Testing commit with GPG
 1 file changed, 1 insertion(+)
 create mode 100644 README.md

在github检查这次提交

https://github.com/iambowen/microservices-training-lesson-8-security/commit/0a06550f2738b780544af839662fd9f6dfc506b4

可以看到提交者的身份已经被验证过了。

其实我个人使用GPG(或者keybase这个工具)去加密的场景很少,不过如果以后对于安全的要求加强,这个应该是可以用到的。

推荐阅读更多精彩内容

  • Spring Cloud为开发人员提供了快速构建分布式系统中一些常见模式的工具(例如配置管理,服务发现,断路器,智...
    卡卡罗2017阅读 87,321评论 13 122
  • 先来看 PGP 和 GPG 程序的介绍。 PGP PGP(英语:Pretty Good Privacy,中文含义"...
    faner阅读 29,664评论 2 10
  • 前言 久闻 PGP 大名,印象中是使用非对称加密算法,且经常能在邮件列表的签名档中看到一长串的 PGP Publi...
    yestyle阅读 6,268评论 0 9
  • 每个人心中,都有一个安静的房间,收起一些记忆:想要封存但又不得不面对的印记。这是一间秘密储藏室。 不论你愿不愿意,...
    密斯森林阅读 84评论 0 3
  • 好累好忙,明天加油!
    alex__chen阅读 22评论 0 0