In GPG, creating a secret key with gpg --gen-key and similar commands requires entropy (unpredictable data that accumulates as you move the mouse, type on the keyboard and so on). On a virtual machine no entropy accumulates, so the key is never generated no matter how long you wait; install a package such as haveged or rng-tools to gather entropy.
The environment is as follows.
Distributor ID: Debian
Description:    Debian GNU/Linux 9.8 (stretch)
Release:        9.8
Codename:       stretch
With haveged
Install the haveged package.
root@debian:~# apt install haveged -y
Check that the service is running.
root@debian:~# systemctl status haveged
● haveged.service - Entropy daemon using the HAVEGE algorithm
   Loaded: loaded (/lib/systemd/system/haveged.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2019-04-03 17:21:13 JST; 5s ago
     Docs: man:haveged(8)
           http://www.issihosts.com/haveged/
 Main PID: 7460 (haveged)
   CGroup: /system.slice/haveged.service
           └─7460 /usr/sbin/haveged --Foreground --verbose=1 -w 1024

4月 03 17:21:13 debian systemd[1]: Started Entropy daemon using the HAVEGE algorithm.
4月 03 17:21:14 debian haveged[7460]: haveged: ver: 1.9.1; arch: x86; vend: GenuineIntel; build: (gcc 6.3.0 ITV); collect: 128K
4月 03 17:21:14 debian haveged[7460]: haveged: cpu: (L4 VC); data: 32K (L4 V); inst: 32K (L4 V); idx: 22/40; sz: 31886/59215
4月 03 17:21:14 debian haveged[7460]: haveged: tot tests(BA8): A:1/1 B:1/1 continuous tests(B): last entropy estimate 7.99355
4月 03 17:21:14 debian haveged[7460]: haveged: fills: 0, generated: 0
With rng-tools / rng-tools5
Install the rng-tools or rng-tools5 package (rng-tools is used here). The service-start trigger will most likely fail.
root@debian:~# apt install rng-tools
Both rng-tools and rng-tools5 use /dev/hwrng as the default device, and since it does not exist, create a symbolic link.
root@debian:~# ln -s /dev/urandom /dev/hwrng
Start the service.
root@debian:~# systemctl start rng-tools
Or run rngd manually.
root@debian:~# rngd -r /dev/urandom
If you want this to be permanent, either fix the systemd unit, or the haveged package, which works with no extra effort, may be the better choice.
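A pre-flight script for the haveged and rng-tools setup above, added here as an example and not part of the original post. It assumes a Linux host (it reads /proc/sys/kernel/random/entropy_avail) and reports the pool estimate, what rngd would read from at /dev/hwrng, and whether either daemon is running; the threshold and the label names are this example's own choices.

```shell
#!/bin/sh
# Added example: entropy pre-flight checks before running gpg --gen-key on a VM.
ENTROPY_FILE=/proc/sys/kernel/random/entropy_avail
THRESHOLD=${THRESHOLD:-1024}   # bits; our own cut-off for "enough to start keygen"

# Print the kernel's pool estimate, or -1 where the file is unavailable.
read_entropy_avail() {
    if [ -r "$ENTROPY_FILE" ]; then cat "$ENTROPY_FILE"; else printf '%s\n' -1; fi
}

# Classify a reading against the threshold: prints "ok" or "low".
entropy_level() {
    if [ "$1" -ge "${2:-$THRESHOLD}" ] 2>/dev/null; then echo ok; else echo low; fi
}

# Classify the device rngd reads (rng-tools defaults to /dev/hwrng):
#   missing         - nothing there, so the rng-tools service fails to start
#   kernel-rng-loop - symlink to /dev/urandom or /dev/random: rngd feeds the
#                     kernel's own output back into the pool, which unblocks
#                     gpg but adds no fresh entropy (haveged or a real hwrng does)
#   chardev         - a real character device; other - exists but is not one
rng_device_check() {
    dev=${1:-/dev/hwrng}
    if [ -L "$dev" ]; then
        case "$(readlink "$dev")" in
            /dev/urandom|/dev/random) echo kernel-rng-loop; return 0 ;;
        esac
    fi
    if [ ! -e "$dev" ]; then echo missing
    elif [ -c "$dev" ]; then echo chardev
    else echo other; fi
}

# Poll until the pool reaches the threshold or $1 seconds pass (default 30).
wait_for_entropy() {
    t=${1:-30}
    while [ "$t" -gt 0 ]; do
        a=$(read_entropy_avail)
        [ "$(entropy_level "$a")" = ok ] && { echo "$a"; return 0; }
        sleep 1; t=$((t - 1))
    done
    return 1
}

report() {
    a=$(read_entropy_avail)
    echo "entropy_avail: $a ($(entropy_level "$a"))"
    echo "/dev/hwrng: $(rng_device_check /dev/hwrng)"
    for d in haveged rngd; do   # is either entropy daemon running?
        if command -v pgrep >/dev/null 2>&1 && pgrep -x "$d" >/dev/null 2>&1
        then echo "$d: running"; else echo "$d: not running"; fi
    done
}
report
```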
Generating a GPG key
I don't know whether it is because the versions differ, but the behaviour is different between Debian 9 and CentOS 7.
linus@debian:~$ gpg --help
gpg (GnuPG) 2.1.18
libgcrypt 1.7.6-beta
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/linus/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Syntax: gpg [options] [files]
Sign, check, encrypt or decrypt
Default operation depends on the input data

Commands:

 -s, --sign                  make a signature
     --clear-sign            make a clear text signature
 -b, --detach-sign           make a detached signature
 -e, --encrypt               encrypt data
 -c, --symmetric             encryption only with symmetric cipher
 -d, --decrypt               decrypt data (default)
     --verify                verify a signature
 -k, --list-keys             list keys
     --list-signatures       list keys and signatures
     --check-signatures      list and check key signatures
     --fingerprint           list keys and fingerprints
 -K, --list-secret-keys      list secret keys
     --generate-key          generate a new key pair
     --quick-generate-key    quickly generate a new key pair
     --quick-add-uid         quickly add a new user-id
     --quick-revoke-uid      quickly revoke a user-id
     --quick-set-expire      quickly set a new expiration date
     --full-generate-key     full featured key pair generation
     --generate-revocation   generate a revocation certificate
     --delete-keys           remove keys from the public keyring
     --delete-secret-keys    remove keys from the secret keyring
     --quick-sign-key        quickly sign a key
     --quick-lsign-key       quickly sign a key locally
     --sign-key              sign a key
     --lsign-key             sign a key locally
     --edit-key              sign or edit a key
     --change-passphrase     change a passphrase
     --export                export keys
     --send-keys             export keys to a keyserver
     --receive-keys          import keys from a keyserver
     --search-keys           search for keys on a keyserver
     --refresh-keys          update all keys from a keyserver
     --import                import/merge keys
     --card-status           print the card status
     --edit-card             change data on a card
     --change-pin            change a card's PIN
     --update-trustdb        update the trust database
     --print-md              print message digests
     --server                run in server mode
     --tofu-policy VALUE     set the TOFU policy for a key

Options:

 -a, --armor                 create ascii armored output
 -r, --recipient USER-ID     encrypt for USER-ID
 -u, --local-user USER-ID    use USER-ID to sign or decrypt
 -z N                        set compress level to N (0 disables)
     --textmode              use canonical text mode
 -o, --output FILE           write output to FILE
 -v, --verbose               verbose
 -n, --dry-run               do not make any changes
 -i, --interactive           prompt before overwriting
     --openpgp               use strict OpenPGP behavior

(See the man page for a complete listing of all commands and options)

Examples:

 -se -r Bob [file]          sign and encrypt for user Bob
 --clear-sign [file]        make a clear text signature
 --detach-sign [file]       make a detached signature
 --list-keys [names]        show keys
 --fingerprint [names]      show fingerprints

Please report bugs to <https://bugs.gnupg.org>.
[linus@localhost ~]$ gpg --help
gpg (GnuPG) 2.0.22
libgcrypt 1.5.3
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ?, ?, ELG, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Syntax: gpg [options] [files]
Sign, check, encrypt or decrypt
Default operation depends on the input data

Commands:

 -s, --sign                 make a signature
     --clearsign            make a clear text signature
 -b, --detach-sign          make a detached signature
 -e, --encrypt              encrypt data
 -c, --symmetric            encryption only with symmetric cipher
 -d, --decrypt              decrypt data (default)
     --verify               verify a signature
 -k, --list-keys            list keys
     --list-sigs            list keys and signatures
     --check-sigs           list and check key signatures
     --fingerprint          list keys and fingerprints
 -K, --list-secret-keys     list secret keys
     --gen-key              generate a new key pair
     --gen-revoke           generate a revocation certificate
     --delete-keys          remove keys from the public keyring
     --delete-secret-keys   remove keys from the secret keyring
     --sign-key             sign a key
     --lsign-key            sign a key locally
     --edit-key             sign or edit a key
     --passwd               change a passphrase
     --export               export keys
     --send-keys            export keys to a key server
     --recv-keys            import keys from a key server
     --search-keys          search for keys on a key server
     --refresh-keys         update all keys from a keyserver
     --import               import/merge keys
     --card-status          print the card status
     --card-edit            change data on a card
     --change-pin           change a card's PIN
     --update-trustdb       update the trust database
     --print-md             print message digests
     --server               run in server mode

Options:

 -a, --armor                create ascii armored output
 -r, --recipient USER-ID    encrypt for USER-ID
 -u, --local-user USER-ID   use USER-ID to sign or decrypt
 -z N                       set compress level to N (0 disables)
     --textmode             use canonical text mode
 -o, --output FILE          write output to FILE
 -v, --verbose              verbose
 -n, --dry-run              do not make any changes
 -i, --interactive          prompt before overwriting
     --openpgp              use strict OpenPGP behavior

(See the man page for a complete listing of all commands and options)

Examples:

 -se -r Bob [file]          sign and encrypt for user Bob
 --clearsign [file]         make a clear text signature
 --detach-sign [file]       make a detached signature
 --list-keys [names]        show keys
 --fingerprint [names]      show fingerprints

Please report bugs to <http://bugs.gnupg.org>.
When you run gpg --gen-key on CentOS 7 you are asked for the key type, key length and expiry date, but on Debian 9 these items are not asked; the only prompts are for name, email address and passphrase. A message is printed when you run the command, telling you to use --full-generate-key if you also want to specify the key type and so on.
linus@debian:~$ gpg --full-generate-key
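Since the interactive prompts differ between gpg 2.0 and 2.1, the portable way to pin the key type, length and expiry is GnuPG's unattended (batch) key generation with a parameter file. The script below is an added example, not from the original post; it assumes GnuPG 2.1 or later (the %no-protection directive is not understood by 2.0), and the parameter values, the temporary GNUPGHOME and the helper names are this example's own.

```shell
#!/bin/sh
# Added example: pin key type/length/expiry via a GnuPG batch parameter file,
# then verify what was actually generated from --with-colons output.

# Write a batch parameter file to stdout: build_gen_params NAME EMAIL BITS EXPIRE
# EXPIRE uses gpg's syntax (0 = never, "2y" = two years). %no-protection creates
# the key without a passphrase, which is only sensible for throwaway/test keys.
build_gen_params() {
    cat <<EOF
%echo Generating a $3-bit RSA key for $1
Key-Type: RSA
Key-Length: $3
Subkey-Type: RSA
Subkey-Length: $3
Name-Real: $1
Name-Email: $2
Expire-Date: $4
%no-protection
%commit
%echo done
EOF
}

# Given one record from 'gpg --with-colons --list-keys', print "<algo> <bits>"
# for "pub" records (field 3 = key size, field 4 = algorithm id, 1 = RSA)
# and nothing for other record types (uid, sub, fpr, ...).
key_algo_bits() {
    printf '%s\n' "$1" | awk -F: '$1 == "pub" { print $4, $3 }'
}

# Generate the key in a throwaway GNUPGHOME and report algorithm and size of
# every primary key found, so the pinned parameters can be checked by eye.
generate_and_check() {
    home=$(mktemp -d)
    chmod 700 "$home"                       # gpg warns on permissive homedirs
    build_gen_params "$1" "$2" "$3" "$4" > "$home/params"
    GNUPGHOME="$home" gpg --batch --gen-key "$home/params" 2>/dev/null
    GNUPGHOME="$home" gpg --batch --with-colons --list-keys 2>/dev/null |
    while IFS= read -r line; do key_algo_bits "$line"; done
}

# Example invocation (uses constructed identity values):
#   generate_and_check "Test User" test@example.com 4096 2y
```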
I seem to remember that for the exam it was enough to know --gen-key, but what are LPI and LPI-Japan going to do about commands that behave differently across distributions even though they are the same command?
(Personally it pains me that gzip -k is missing on RHEL-family systems, but that is not on the exam.)