How to change the (sub)key usage of a PGP key?

information security, key management, pgp, gnupg, key usage
2021-08-21 10:55:55

gpg2 generates keys with one or several of the (S)igning, (E)ncryption and (C)ertification usages set. However, Enigmail, for example, creates a primary key that is also set for (A)uthentication, and GnuPG then displays it that way. How can I set/modify this with gpg2? I could not find any command for it in --edit-keys, and when I create a subkey the only options are

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
2 answers

Since GnuPG 2.2.6 there is a hidden key-edit subcommand "change-usage" that does exactly this. Relevant commit.

Let's try this subcommand on a test key. First we create one:

mkdir /tmp/gpg-change-usage
chmod 700 /tmp/gpg-change-usage
gpg --homedir /tmp/gpg-change-usage --quick-generate-key someone@example.com rsa4096 cert 1d

Now note that this new key is a certify-only primary key.

$ gpg --homedir /tmp/gpg-change-usage -k
/tmp/gpg-change-usage/pubring.kbx
---------------------------------
pub   rsa4096 2019-04-04 [C] [expires: 2019-04-05]
      987BE3D9CF90B1C912A165734EBF4D26A937DE4C
uid           [ultimate] someone@example.com

Changing the usage is simple:

$ gpg --homedir /tmp/gpg-change-usage --edit-key someone@example.com 
gpg (GnuPG) 2.2.12; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

sec  rsa4096/4EBF4D26A937DE4C
     created: 2019-04-04  expires: 2019-04-05  usage: C   
     trust: ultimate      validity: ultimate
[ultimate] (1). someone@example.com

gpg> change-usage
Changing usage of the primary key.

Possible actions for a RSA key: Sign Certify Encrypt Authenticate 
Current allowed actions: Certify 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? s

Possible actions for a RSA key: Sign Certify Encrypt Authenticate 
Current allowed actions: Sign Certify 

   (S) Toggle the sign capability
   (E) Toggle the encrypt capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? q

sec  rsa4096/4EBF4D26A937DE4C
     created: 2019-04-04  expires: 2019-04-05  usage: SC  
     trust: ultimate      validity: ultimate
[ultimate] (1). someone@example.com

gpg> save

Now note that our key has gained the signing capability.

$ gpg --homedir /tmp/gpg-change-usage -k
/tmp/gpg-change-usage/pubring.kbx
---------------------------------
pub   rsa4096 2019-04-04 [SC] [expires: 2019-04-05]
      987BE3D9CF90B1C912A165734EBF4D26A937DE4C
uid           [ultimate] someone@example.com

That's it!
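The same change-usage session, scripted end to end, as an added example (not code from the answer above): it creates a throwaway keyring, feeds the edit-key answers through --command-fd, and checks the result by parsing the capability field of gpg's --with-colons output instead of eyeballing the "[SC]" marker. It assumes GnuPG 2.2.6 or later on PATH; the scratch directory, the address someone@example.com and the two sample colon-format records embedded below are constructed, not captured from the post.

```shell
#!/bin/sh
# Added example (not from the original answer): script the change-usage
# workflow non-interactively and verify the resulting capability flags.
# Assumes GnuPG >= 2.2.6 (change-usage) in PATH; address, scratch dir and
# the sample --with-colons records are constructed.
set -eu

# Print the capability field (column 12) of the first "pub" record from
# `gpg --with-colons` output read on stdin. Lowercase letters are the
# primary key's own capabilities; uppercase letters summarize what the
# whole key (primary plus subkeys) can do.
primary_caps() {
    awk -F: '$1 == "pub" { print $12; exit }'
}

# Succeed if the capability string $1 contains the letter $2 (case-sensitive).
has_cap() {
    case "$1" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Constructed sample of `gpg -k --with-colons` for a certify-only primary
# key (fingerprint, timestamps and uid hash are placeholders).
SAMPLE_CERT_ONLY='tru::1:1700000000:0:3:1:5
pub:u:4096:1:4EBF4D26A937DE4C:1554336000:1554422400::u:::cC::::::23::0:
fpr:::::::::987BE3D9CF90B1C912A165734EBF4D26A937DE4C:
uid:u::::1554336000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::someone@example.com::::::::::0:'

# The same key after change-usage toggled the sign capability on.
SAMPLE_SIGN_CERT='pub:u:4096:1:4EBF4D26A937DE4C:1554336000:1554422400::u:::scSC::::::23::0:
fpr:::::::::987BE3D9CF90B1C912A165734EBF4D26A937DE4C:
uid:u::::1554336000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::someone@example.com::::::::::0:'

# Run the real thing against a scratch keyring. --command-fd 0 makes
# --edit-key read its answers ("change-usage", "s", "q", "save") from stdin.
demo() {
    home=$(mktemp -d)             # constructed scratch GNUPGHOME
    chmod 700 "$home"
    gpg --homedir "$home" --batch --pinentry-mode loopback --passphrase '' \
        --quick-generate-key someone@example.com rsa4096 cert 1d
    before=$(gpg --homedir "$home" -k --with-colons | primary_caps)
    printf 'change-usage\ns\nq\nsave\n' |
        gpg --homedir "$home" --batch --command-fd 0 --status-fd 1 \
            --edit-key someone@example.com >/dev/null
    after=$(gpg --homedir "$home" -k --with-colons | primary_caps)
    echo "before: $before  after: $after"
    has_cap "$after" s || { echo "sign capability was not set" >&2; exit 1; }
    rm -rf "$home"
}

# Only touch gpg when explicitly asked: `sh change-usage.sh --demo`
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Checking the lowercase letters of column 12 is the reliable test: the uppercase summary also turns on when a subkey carries the capability, so it cannot tell you whether the primary key itself was changed.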

To add a new subkey with specific capabilities, start gpg2 with the --expert switch. The options are then

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
Your selection?

The last two allow toggling each of S, E and A individually. C applies only to the primary key, for which you can also use gpg2 --expert --gen-key. However, I do not know of any way to modify the usage field afterwards.