When GPG creates a private key (with gpg --gen-key and the like) it needs entropy, the unpredictable data that accumulates from things like mouse and keyboard activity. On a virtual machine that entropy does not accumulate, so the key never gets generated no matter how long you wait; the fix is to install a package such as haveged or rng-tools to gather entropy.
The environment is as follows.
Distributor ID: Debian
Description: Debian GNU/Linux 9.8 (stretch)
Release: 9.8
Codename: stretch
The haveged case
Install the haveged package.
root@debian:~# apt install haveged -y
Check that the service is running.
root@debian:~# systemctl status haveged
● haveged.service - Entropy daemon using the HAVEGE algorithm
Loaded: loaded (/lib/systemd/system/haveged.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2019-04-03 17:21:13 JST; 5s ago
Docs: man:haveged(8)
http://www.issihosts.com/haveged/
Main PID: 7460 (haveged)
CGroup: /system.slice/haveged.service
└─7460 /usr/sbin/haveged --Foreground --verbose=1 -w 1024
4月 03 17:21:13 debian systemd[1]: Started Entropy daemon using the HAVEGE algorithm.
4月 03 17:21:14 debian haveged[7460]: haveged: ver: 1.9.1; arch: x86; vend: GenuineIntel; build: (gcc 6.3.0 ITV); collect: 128K
4月 03 17:21:14 debian haveged[7460]: haveged: cpu: (L4 VC); data: 32K (L4 V); inst: 32K (L4 V); idx: 22/40; sz: 31886/59215
4月 03 17:21:14 debian haveged[7460]: haveged: tot tests(BA8): A:1/1 B:1/1 continuous tests(B): last entropy estimate 7.99355
4月 03 17:21:14 debian haveged[7460]: haveged: fills: 0, generated: 0
The rng-tools / rng-tools5 case
Install the rng-tools or rng-tools5 package (rng-tools is used here). The service start triggered by the install will most likely fail.
root@debian:~# apt install rng-tools
Both rng-tools and rng-tools5 default to /dev/hwrng as their input device. It does not exist on this VM, so create a symbolic link for it.
root@debian:~# ln -s /dev/urandom /dev/hwrng
Start the service.
root@debian:~# systemctl start rng-tools
Alternatively, run rngd by hand.
root@debian:~# rngd -r /dev/urandom
If you want this permanently, either fix the systemd unit or, perhaps the better choice, just use the haveged package, which works without any extra steps.
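As an added example that is not part of the original post: a small POSIX shell check to run before key generation. It reads the kernel's entropy estimate and classifies what /dev/hwrng actually is, because the symlink above makes rngd feed /dev/urandom back into the kernel's own pool, which raises the counter without adding new entropy; haveged or a real/virtio RNG device is what actually helps. The 256-bit threshold and the default paths are assumptions, parameterised so the functions can be tried against constructed files.

```shell
#!/bin/sh
# Added example (not from the original post): inspect the entropy situation
# on a VM before running gpg --gen-key / --full-generate-key.

# entropy_avail [file]: print the kernel's entropy estimate in bits from an
# entropy_avail-style file; prints -1 if the file cannot be read.
entropy_avail() {
    f="${1:-/proc/sys/kernel/random/entropy_avail}"
    if [ -r "$f" ]; then
        tr -dc '0-9' < "$f"
    else
        printf '%s' -1
    fi
}

# hwrng_source [path]: classify what /dev/hwrng really is.
#   missing  no such node, so rngd fails to start (the situation in the post)
#   urandom  symlink to /dev/urandom: rngd only recycles kernel output, no new entropy
#   device   anything else, e.g. a real or virtio hardware RNG
hwrng_source() {
    p="${1:-/dev/hwrng}"
    if [ ! -e "$p" ]; then
        echo missing
    elif [ -L "$p" ] && [ "$(readlink "$p")" = "/dev/urandom" ]; then
        echo urandom
    else
        echo device
    fi
}

# entropy_verdict <bits> <hwrng_class>: one-line advice for the administrator.
# The 256-bit threshold is an assumption chosen for this example.
entropy_verdict() {
    bits="$1"; src="$2"
    if [ "$bits" -ge 256 ]; then
        echo "ok: ${bits} bits available"
    elif [ "$src" = "device" ]; then
        echo "low: ${bits} bits; start rngd against the hardware RNG"
    else
        echo "low: ${bits} bits; install haveged (hwrng is ${src})"
    fi
}

# Stand-alone use: report on the live system.
entropy_verdict "$(entropy_avail)" "$(hwrng_source)"
```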
Generating a GPG key
Debian 9 and CentOS 7 behave differently; I don't know whether it is simply because the versions differ.
linus@debian:~$ gpg --help
gpg (GnuPG) 2.1.18
libgcrypt 1.7.6-beta
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /home/linus/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
Syntax: gpg [options] [files]
Sign, check, encrypt or decrypt
Default operation depends on the input data
Commands:
-s, --sign make a signature
--clear-sign make a clear text signature
-b, --detach-sign make a detached signature
-e, --encrypt encrypt data
-c, --symmetric encryption only with symmetric cipher
-d, --decrypt decrypt data (default)
--verify verify a signature
-k, --list-keys list keys
--list-signatures list keys and signatures
--check-signatures list and check key signatures
--fingerprint list keys and fingerprints
-K, --list-secret-keys list secret keys
--generate-key generate a new key pair
--quick-generate-key quickly generate a new key pair
--quick-add-uid quickly add a new user-id
--quick-revoke-uid quickly revoke a user-id
--quick-set-expire quickly set a new expiration date
--full-generate-key full featured key pair generation
--generate-revocation generate a revocation certificate
--delete-keys remove keys from the public keyring
--delete-secret-keys remove keys from the secret keyring
--quick-sign-key quickly sign a key
--quick-lsign-key quickly sign a key locally
--sign-key sign a key
--lsign-key sign a key locally
--edit-key sign or edit a key
--change-passphrase change a passphrase
--export export keys
--send-keys export keys to a keyserver
--receive-keys import keys from a keyserver
--search-keys search for keys on a keyserver
--refresh-keys update all keys from a keyserver
--import import/merge keys
--card-status print the card status
--edit-card change data on a card
--change-pin change a card's PIN
--update-trustdb update the trust database
--print-md print message digests
--server run in server mode
--tofu-policy VALUE set the TOFU policy for a key
Options:
-a, --armor create ascii armored output
-r, --recipient USER-ID encrypt for USER-ID
-u, --local-user USER-ID use USER-ID to sign or decrypt
-z N set compress level to N (0 disables)
--textmode use canonical text mode
-o, --output FILE write output to FILE
-v, --verbose verbose
-n, --dry-run do not make any changes
-i, --interactive prompt before overwriting
--openpgp use strict OpenPGP behavior
(See the man page for a complete listing of all commands and options)
Examples:
-se -r Bob [file] sign and encrypt for user Bob
--clear-sign [file] make a clear text signature
--detach-sign [file] make a detached signature
--list-keys [names] show keys
--fingerprint [names] show fingerprints
Please report bugs to <https://bugs.gnupg.org>.
[linus@localhost ~]$ gpg --help
gpg (GnuPG) 2.0.22
libgcrypt 1.5.3
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ?, ?, ELG, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
Syntax: gpg [options] [files]
Sign, check, encrypt or decrypt
Default operation depends on the input data
Commands:
-s, --sign make a signature
--clearsign make a clear text signature
-b, --detach-sign make a detached signature
-e, --encrypt encrypt data
-c, --symmetric encryption only with symmetric cipher
-d, --decrypt decrypt data (default)
--verify verify a signature
-k, --list-keys list keys
--list-sigs list keys and signatures
--check-sigs list and check key signatures
--fingerprint list keys and fingerprints
-K, --list-secret-keys list secret keys
--gen-key generate a new key pair
--gen-revoke generate a revocation certificate
--delete-keys remove keys from the public keyring
--delete-secret-keys remove keys from the secret keyring
--sign-key sign a key
--lsign-key sign a key locally
--edit-key sign or edit a key
--passwd change a passphrase
--export export keys
--send-keys export keys to a key server
--recv-keys import keys from a key server
--search-keys search for keys on a key server
--refresh-keys update all keys from a keyserver
--import import/merge keys
--card-status print the card status
--card-edit change data on a card
--change-pin change a card's PIN
--update-trustdb update the trust database
--print-md print message digests
--server run in server mode
Options:
-a, --armor create ascii armored output
-r, --recipient USER-ID encrypt for USER-ID
-u, --local-user USER-ID use USER-ID to sign or decrypt
-z N set compress level to N (0 disables)
--textmode use canonical text mode
-o, --output FILE write output to FILE
-v, --verbose verbose
-n, --dry-run do not make any changes
-i, --interactive prompt before overwriting
--openpgp use strict OpenPGP behavior
(See the man page for a complete listing of all commands and options)
Examples:
-se -r Bob [file] sign and encrypt for user Bob
--clearsign [file] make a clear text signature
--detach-sign [file] make a detached signature
--list-keys [names] show keys
--fingerprint [names] show fingerprints
Please report bugs to <http://bugs.gnupg.org>.
When you run gpg --gen-key on CentOS 7 you are asked for the key type, key length and expiry date, but on Debian 9 those questions are skipped and you only answer the name, e-mail address and passphrase prompts. A message printed when the command runs says to use --full-generate-key if you also want to choose the key type and so on.
linus@debian:~$ gpg --full-generate-key
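As an added example that is not the original post's code: GnuPG's unattended ("batch") parameter file pins the key type, length and expiry explicitly, so the same invocation behaves the same on the Debian 9 (2.1.18) and CentOS 7 (2.0.22) builds regardless of what the interactive --gen-key prompts ask. The name, e-mail, key size and the /tmp homedir are constructed values.

```shell
#!/bin/sh
# Added example (not from the original post): unattended GPG key generation
# using the parameter-file format described under "Unattended key generation"
# in gpg(1). Sample values below are constructed for the example.

# gpg_batch_params <name> <email> <bits> <expire>: emit the parameter block.
# Expire-Date accepts 0 (never), <n>d/w/m/y, or an ISO date.
gpg_batch_params() {
    cat <<EOF
%echo Generating RSA ${3} key for ${1}
Key-Type: RSA
Key-Length: ${3}
Subkey-Type: RSA
Subkey-Length: ${3}
Name-Real: ${1}
Name-Email: ${2}
Expire-Date: ${4}
%commit
%echo done
EOF
}

# gpg_batch_generate <homedir> <name> <email> <bits> <expire>: run the
# generation inside an isolated homedir so an experiment never touches
# ~/.gnupg. --gen-key is used because it exists in both 2.0 and 2.1.
# Without a Passphrase: parameter gpg asks for the passphrase via pinentry.
gpg_batch_generate() {
    home="$1"; shift
    mkdir -p "$home" && chmod 700 "$home"
    gpg_batch_params "$@" | gpg --homedir "$home" --batch --gen-key
}

# Only runs when gpg is present (and needs entropy, see the sections above).
if command -v gpg >/dev/null 2>&1; then
    gpg_batch_generate /tmp/gpg-batch-test "Test User" test@example.com 4096 1y
fi
```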
For the exam, I believe it was enough to remember --gen-key, but I wonder what LPI and LPI-Japan will do about commands that behave differently between distributions despite being the same command.
(Personally, it hurts that gzip -k is missing on RHEL-based systems, but that is not on the exam.)