mirror of
https://salsa.debian.org/gnuk-team/gnuk/gnuk.git
synced 2024-09-20 10:50:09 +00:00
229 lines
7.4 KiB
ReStructuredText
229 lines
7.4 KiB
ReStructuredText
============================
|
|
Generating 2048-bit RSA keys
|
|
============================
|
|
|
|
This document describes how I generate 2048-bit RSA keys.
|
|
|
|
.. BREAK
|
|
|
|
Here is the log to generate signature key and encryption subkey.
|
|
|
|
I invoke GnuPG with ``--gen-key`` option. ::
|
|
|
|
$ gpg --gen-key
|
|
gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
|
|
This is free software: you are free to change and redistribute it.
|
|
There is NO WARRANTY, to the extent permitted by law.
|
|
|
|
and GnuPG asks kind of key. Select ``RSA and RSA``. ::
|
|
|
|
Please select what kind of key you want:
|
|
(1) RSA and RSA (default)
|
|
(2) DSA and Elgamal
|
|
(3) DSA (sign only)
|
|
(4) RSA (sign only)
|
|
Your selection? 1
|
|
RSA keys may be between 1024 and 4096 bits long.
|
|
|
|
and select 2048-bit (as Gnuk Token only suppurt this). ::
|
|
|
|
What keysize do you want? (2048)
|
|
Requested keysize is 2048 bits
|
|
|
|
and select expiration of the key. ::
|
|
|
|
Please specify how long the key should be valid.
|
|
0 = key does not expire
|
|
<n> = key expires in n days
|
|
<n>w = key expires in n weeks
|
|
<n>m = key expires in n months
|
|
<n>y = key expires in n years
|
|
Key is valid for? (0) 0
|
|
Key does not expire at all
|
|
|
|
Confirm key types, bitsize and expiration. ::
|
|
|
|
Is this correct? (y/N) y
|
|
|
|
Then enter user ID. ::
|
|
|
|
You need a user ID to identify your key; the software constructs the user ID
|
|
from the Real Name, Comment and Email Address in this form:
|
|
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
|
|
|
|
Real name: Niibe Yutaka
|
|
Email address: gniibe@fsij.org
|
|
Comment:
|
|
You selected this USER-ID:
|
|
"Niibe Yutaka <gniibe@fsij.org>"
|
|
|
|
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
|
|
|
|
and enter passphrase for this **key on PC**. ::
|
|
|
|
You need a Passphrase to protect your secret key.
|
|
<PASSWORD-KEY-ON-PC>
|
|
|
|
Then, GnuPG generate keys. It takes some time. ::
|
|
|
|
We need to generate a lot of random bytes. It is a good idea to perform
|
|
some other action (type on the keyboard, move the mouse, utilize the
|
|
disks) during the prime generation; this gives the random number
|
|
generator a better chance to gain enough entropy.
|
|
...+++++
|
|
+++++
|
|
We need to generate a lot of random bytes. It is a good idea to perform
|
|
some other action (type on the keyboard, move the mouse, utilize the
|
|
disks) during the prime generation; this gives the random number
|
|
generator a better chance to gain enough entropy.
|
|
..+++++
|
|
|
|
Not enough random bytes available. Please do some other work to give
|
|
the OS a chance to collect more entropy! (Need 15 more bytes)
|
|
...+++++
|
|
gpg: key 28C0CD7C marked as ultimately trusted
|
|
public and secret key created and signed.
|
|
|
|
gpg: checking the trustdb
|
|
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
|
|
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
|
|
pub 2048R/28C0CD7C 2011-05-24
|
|
Key fingerprint = 0B4D C763 D57B ADBB 1870 A978 BDEE 4A35 28C0 CD7C
|
|
uid Niibe Yutaka <gniibe@fsij.org>
|
|
sub 2048R/F01E19B7 2011-05-24
|
|
$
|
|
|
|
Done.
|
|
|
|
Then, I create authentication subkey. Authentication subkey is not that common, but very useful (say, for SSH authentication). As it is not that common, we need ``--expert`` option for GnuPG. ::
|
|
|
|
$ gpg --expert --edit-key 28C0CD7C
|
|
gpg (GnuPG) 1.4.11; Copyright (C) 2010 Free Software Foundation, Inc.
|
|
This is free software: you are free to change and redistribute it.
|
|
There is NO WARRANTY, to the extent permitted by law.
|
|
|
|
Secret key is available.
|
|
|
|
pub 2048R/28C0CD7C created: 2011-05-24 expires: never usage: SC
|
|
trust: ultimate validity: ultimate
|
|
sub 2048R/F01E19B7 created: 2011-05-24 expires: never usage: E
|
|
[ultimate] (1). Niibe Yutaka <gniibe@fsij.org>
|
|
|
|
gpg>
|
|
|
|
Here, I enter ``addkey`` command. Then, I enter the passphrase of **key on PC**, I specified above. ::
|
|
|
|
gpg> addkey
|
|
Key is protected.
|
|
|
|
You need a passphrase to unlock the secret key for
|
|
user: "Niibe Yutaka <gniibe@fsij.org>"
|
|
2048-bit RSA key, ID 28C0CD7C, created 2011-05-24
|
|
<PASSWORD-KEY-ON-PC>
|
|
gpg: gpg-agent is not available in this session
|
|
|
|
GnuPG askes kind of key. I select ``RSA (set your own capabilities)``. ::
|
|
|
|
Please select what kind of key you want:
|
|
(3) DSA (sign only)
|
|
(4) RSA (sign only)
|
|
(5) Elgamal (encrypt only)
|
|
(6) RSA (encrypt only)
|
|
(7) DSA (set your own capabilities)
|
|
(8) RSA (set your own capabilities)
|
|
Your selection? 8
|
|
|
|
And select ``Authenticate`` for the capabilities for this key. Initially, it's ``Sign`` and ``Encrypt``. I need to deselect ``Sign`` and ``Encryp``, and select ``Authenticate``. To do that, I enter ``s``, ``a``, and ``e``. ::
|
|
|
|
Possible actions for a RSA key: Sign Encrypt Authenticate
|
|
Current allowed actions: Sign Encrypt
|
|
|
|
(S) Toggle the sign capability
|
|
(E) Toggle the encrypt capability
|
|
(A) Toggle the authenticate capability
|
|
(Q) Finished
|
|
|
|
Your selection? s
|
|
|
|
Possible actions for a RSA key: Sign Encrypt Authenticate
|
|
Current allowed actions: Encrypt
|
|
|
|
(S) Toggle the sign capability
|
|
(E) Toggle the encrypt capability
|
|
(A) Toggle the authenticate capability
|
|
(Q) Finished
|
|
|
|
Your selection? a
|
|
|
|
Possible actions for a RSA key: Sign Encrypt Authenticate
|
|
Current allowed actions: Encrypt Authenticate
|
|
|
|
(S) Toggle the sign capability
|
|
(E) Toggle the encrypt capability
|
|
(A) Toggle the authenticate capability
|
|
(Q) Finished
|
|
|
|
Your selection? e
|
|
|
|
Possible actions for a RSA key: Sign Encrypt Authenticate
|
|
Current allowed actions: Authenticate
|
|
|
|
(S) Toggle the sign capability
|
|
(E) Toggle the encrypt capability
|
|
(A) Toggle the authenticate capability
|
|
(Q) Finished
|
|
|
|
OK, I set the capability of ``Authenticate``. I enter ``q`` to finish setting capabilities. ::
|
|
|
|
Your selection? q
|
|
|
|
GnuPG asks bitsize and expiration, I enter 2048 for bitsize and no expiration. Then, I confirm that I really create the key. ::
|
|
|
|
RSA keys may be between 1024 and 4096 bits long.
|
|
What keysize do you want? (2048)
|
|
Requested keysize is 2048 bits
|
|
Please specify how long the key should be valid.
|
|
0 = key does not expire
|
|
<n> = key expires in n days
|
|
<n>w = key expires in n weeks
|
|
<n>m = key expires in n months
|
|
<n>y = key expires in n years
|
|
Key is valid for? (0) 0
|
|
Key does not expire at all
|
|
Is this correct? (y/N) y
|
|
Really create? (y/N) y
|
|
|
|
Then, GnuPG generate the key. ::
|
|
|
|
We need to generate a lot of random bytes. It is a good idea to perform
|
|
some other action (type on the keyboard, move the mouse, utilize the
|
|
disks) during the prime generation; this gives the random number
|
|
generator a better chance to gain enough entropy.
|
|
.......+++++
|
|
+++++
|
|
|
|
pub 2048R/28C0CD7C created: 2011-05-24 expires: never usage: SC
|
|
trust: ultimate validity: ultimate
|
|
sub 2048R/F01E19B7 created: 2011-05-24 expires: never usage: E
|
|
sub 2048R/B8929606 created: 2011-05-24 expires: never usage: A
|
|
[ultimate] (1). Niibe Yutaka <gniibe@fsij.org>
|
|
|
|
gpg>
|
|
|
|
I save the key. ::
|
|
|
|
gpg> save
|
|
$
|
|
|
|
Now, we have three keys (one primary key for signature and certification, subkey for encryption, and another subkey for authentication).
|
|
|
|
|
|
Publishing public key
|
|
=====================
|
|
|
|
I make a file for my public key by ``--export`` option of GnuPG. ::
|
|
|
|
$ gpg --armor --output gniibe.asc --export 4CA7BABE
|
|
|
|
and put it at: http://www.gniibe.org/gniibe.asc
|