
[Tips] Creating a GPG key pair on Amazon Linux 2 (GnuPG 2.0.xx)

Posted at 2020-07-05

Introduction

To use git-crypt or git-secret, you must first install GnuPG and create a key pair.
Because the available options differ between GnuPG versions, this article summarizes what to use with which version.

TL;DR

  • GnuPG 2.1 and later support the --generate-key option
  • Earlier versions use the --gen-key option
  • The GnuPG version installed from the standard Amazon Linux 2 repository is 2.0.xx (2.0.22 as of 2020/7/5)

Tested environment

  • Oracle VirtualBox 6.1.10
  • Amazon Linux 2 (VM inside VirtualBox)

The /etc/os-release file on Amazon Linux 2 reads as follows.

/etc/os-release
NAME="Amazon Linux"
VERSION="2"
ID="amzn"
ID_LIKE="centos rhel fedora"
VERSION_ID="2"
PRETTY_NAME="Amazon Linux 2"
ANSI_COLOR="0;33"
CPE_NAME="cpe:2.3:o:amazon:amazon_linux:2"
HOME_URL="https://amazonlinux.com/"

Procedure details

Creating the key pair

GnuPG before 2.1

Create the key pair with the "$ gpg --gen-key" command. You are prompted for the following parameters; enter each of them.

  • Please select what kind of key you want:
  • What keysize do you want?
  • Real name:
  • Email address:
  • You need a Passphrase to protect your secret key.
gpg --gen-key (GnuPG 2.0.xx)
[vagrant@stdsv5 ~]$ gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: your-name
Email address: your-email-address@example.com
Comment:
You selected this USER-ID:
    "your-name <your-email-address@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /home/vagrant/.gnupg/trustdb.gpg: trustdb created
gpg: key 8067BD6D marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   4096R/8067BD6D 2020-07-05
      Key fingerprint = D894 8DD2 0FC9 A690 50E1  E92D 0CB6 D7C9 618B D680
uid                  your-name <your-email-address@example.com>
sub   4096R/92E37C67 2020-07-05

After you enter the passphrase, key pair generation sometimes takes a long time to complete, presumably because gathering enough random data is slow.
Reportedly this can be worked around by using rng-tools or by generating disk activity, e.g. reading files from disk.

https://serverfault.com/questions/214605/gpg-does-not-have-enough-entropy
https://serverfault.com/questions/471412/gpg-gen-key-hangs-at-gaining-enough-entropy-on-centos-6

GnuPG 2.1 and later

On Ubuntu and other Linux distributions, recent releases usually ship GnuPG 2.2 or later. (As of 2020/7/5, GnuPG 2.2.20 is the latest release.)

With GnuPG 2.1 and later, the "$ gpg --generate-key" command is available in addition to $ gpg --gen-key.
You are prompted for the following parameters.

  • Real name:
  • Email address:
  • Passphrase
gpg --generate-key (GnuPG 2.2.xx)
vagrant@stdsv6:~$ gpg --generate-key
gpg (GnuPG) 2.2.19; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: your-name
Email address: your-email-address@example.com
You selected this USER-ID:
    "your-name <your-email-address@example.com>"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /home/vagrant/.gnupg/trustdb.gpg: trustdb created
gpg: key CE02F0260234EB0B marked as ultimately trusted
gpg: directory '/home/vagrant/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/vagrant/.gnupg/openpgp-revocs.d/621A52E24171B0145FBA74972342F0B600E02CEB.rev'
public and secret key created and signed.

pub   rsa3072 2020-07-05 [SC] [expires: 2022-07-05]
      621A52E24171B0145FBA74972342F0B600E02CEB
uid                      your-name <your-email-address@example.com>
sub   rsa3072 2020-07-05 [E] [expires: 2022-07-05]

Verifying the key pair

Whichever version you use, the "$ gpg --list-keys" command lists the GPG key pairs in your keyring.

[vagrant@stdsv5 ~]$ gpg --list-keys
/home/vagrant/.gnupg/pubring.gpg
--------------------------------
pub   4096R/8067BD6D 2020-07-05
uid                  your-name <your-email-address@example.com>
sub   4096R/92E37C67 2020-07-05
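An unattended version of the procedure above, as an added example that is not part of the original article: it generates the key pair from a batch parameter file, which works on Amazon Linux 2's GnuPG 2.0.22 as well as on 2.1+ because --gen-key is accepted by every version, and only the pinentry handling is switched by version. Assumed: the name, e-mail and passphrase are passed as arguments, and requesting a loopback pinentry on 2.1+ is this example's choice for headless runs, not something the article states.

```shell
#!/bin/sh
# Added example, not from the original article: unattended GPG key pair
# generation from a batch parameter file, for GnuPG 2.0.x and 2.1+.
# Assumed interface: NAME, EMAIL and PASSPHRASE are passed as arguments.

# version_ge A B: true (exit 0) when dotted version A >= B, field by field
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            xi = (i <= n) ? x[i] + 0 : 0; yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0; if (xi < yi) exit 1
        }
        exit 0 }'
}

# installed_gpg_version: e.g. "2.0.22", from the first line of gpg --version
installed_gpg_version() {
    gpg --version 2>/dev/null | awk 'NR == 1 { print $3 }'
}

# keygen_flags VERSION: 2.1+ hands passphrases to gpg-agent, so ask for a
# loopback pinentry to stay headless; 2.0.x does not know --pinentry-mode.
keygen_flags() {
    if version_ge "$1" 2.1; then
        echo "--pinentry-mode loopback --gen-key"
    else
        echo "--gen-key"
    fi
}

# batch_params NAME EMAIL PASSPHRASE: the unattended equivalent of the
# interactive answers above (RSA 4096 + RSA 4096 subkey, two-year expiry)
batch_params() {
    printf '%s\n' "Key-Type: RSA" "Key-Length: 4096" \
        "Subkey-Type: RSA" "Subkey-Length: 4096" \
        "Name-Real: $1" "Name-Email: $2" \
        "Expire-Date: 2y" "Passphrase: $3" "%commit"
}

# generate_keypair NAME EMAIL PASSPHRASE: write the parameter file with
# owner-only permissions, run gpg, then remove it (it holds the passphrase)
generate_keypair() {
    params=$(mktemp) || return 1
    chmod 600 "$params"
    batch_params "$1" "$2" "$3" > "$params"
    gpg --batch $(keygen_flags "$(installed_gpg_version)") "$params"; rc=$?
    rm -f "$params"; return $rc
}
```

Source the file and call generate_keypair 'your-name' 'your-email-address@example.com' "$PASSPHRASE", then confirm the result with gpg --list-keys as shown above.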