Creating a GPG primary key and subkeys


💻 Environment

OS: Windows 11 + WSL2 (Ubuntu 22.04.4)

gpg: 2.2.27

⚠ Caution ⚠

When creating keys for production use, make sure you are working in a secure environment before you generate them.

Creating the primary key

This time we create the key with EdDSA, an elliptic-curve signature scheme. Unless there is a reason such as compatibility, I think it is better to choose EdDSA over RSA from a strength standpoint.

Run the following command to start key creation.

$ gpg --expert --full-gen-key

Then select 11, ECC (set your own capabilities).

gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
   (9) ECC and ECC
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (13) Existing key
  (14) Existing key from card
Your selection? 11

The primary key only needs the Certify role, so press S to remove the Sign capability.

Confirm that it shows Current allowed actions: Certify, then press Q to finish.

Possible actions for a ECDSA/EdDSA key: Sign Certify Authenticate
Current allowed actions: Sign Certify

   (S) Toggle the sign capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? S

Possible actions for a ECDSA/EdDSA key: Sign Certify Authenticate
Current allowed actions: Certify

   (S) Toggle the sign capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? Q

Choose the curve. Select 1, Curve 25519.

Please select which elliptic curve you want:
   (1) Curve 25519
   (3) NIST P-256
   (4) NIST P-384
   (5) NIST P-521
   (6) Brainpool P-256
   (7) Brainpool P-384
   (8) Brainpool P-512
   (9) secp256k1
Your selection? 1

Set the expiry. Enter 0 for a key that never expires.

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

Enter your name and email address. These are made public when you publish the key, so enter values you do not mind being public.

The comment does not need to be filled in.

Enter o to confirm.

GnuPG needs to construct a user ID to identify your key.

Real name: exampleName
Email address: [email protected]
Comment:
You selected this USER-ID:
    "exampleName <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o

You will then be asked for a passphrase; enter one. It is used to protect the secret key.

When the output looks like the following, creation is complete.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key AEB056730BD34876 marked as ultimately trusted
gpg: revocation certificate stored as '/home/ocha98/.gnupg/openpgp-revocs.d/526A35ED4EDBEC364C0776A0AEB056730BD34876.rev'
public and secret key created and signed.

pub   ed25519 2024-03-03 [C]
      526A35ED4EDBEC364C0776A0AEB056730BD34876
uid                      exampleName <[email protected]>

Here, in the line gpg: key AEB056730BD34876 marked as ultimately trusted, the part AEB056730BD34876 is the key ID. Yours will differ from this one.

This value is also used in the subkey creation steps that follow, so make a note of it.

Creating the subkeys

We create one key for each role.

First, enter key-edit mode by running the following command.

Here, replace AEB056730BD34876 with the ID you noted when creating the primary key.

$ gpg --expert --edit-key AEB056730BD34876

If the prompt looks like this, you are good to go.

gpg>

Signing key

Type addkey.

gpg> addkey

Select 10, (10) ECC (sign only), then select curve 1.

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
  (14) Existing key from card
Your selection? 10
Please select which elliptic curve you want:
   (1) Curve 25519
   (3) NIST P-256
   (4) NIST P-384
   (5) NIST P-521
   (6) Brainpool P-256
   (7) Brainpool P-384
   (8) Brainpool P-512
   (9) secp256k1
Your selection? 1

Set the expiry. Choose it according to your use; here we choose no expiry.

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y

You will be asked for the passphrase. Enter the one you set for the primary key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  ed25519/AEB056730BD34876
     created: 2024-03-03  expires: never       usage: C
     trust: ultimate      validity: ultimate
ssb  ed25519/CAE4E0460A30346C
     created: 2024-03-03  expires: never       usage: S
[ultimate] (1). exampleName <[email protected]>

Encryption key

Type addkey.

gpg> addkey

Select 12, ECC (encrypt only), then select curve 1.

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
  (14) Existing key from card
Your selection? 12
Please select which elliptic curve you want:
   (1) Curve 25519
   (3) NIST P-256
   (4) NIST P-384
   (5) NIST P-521
   (6) Brainpool P-256
   (7) Brainpool P-384
   (8) Brainpool P-512
   (9) secp256k1
Your selection? 1

Set the expiry. Choose it according to your use; here we choose no expiry.

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y

You will be asked for the passphrase. Enter the one you set for the primary key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  ed25519/AEB056730BD34876
     created: 2024-03-03  expires: never       usage: C
     trust: ultimate      validity: ultimate
ssb  ed25519/CAE4E0460A30346C
     created: 2024-03-03  expires: never       usage: S
ssb  cv25519/E4F4A2193380C7AC
     created: 2024-03-03  expires: never       usage: E
[ultimate] (1). exampleName <[email protected]>

Authentication key

Type addkey.

gpg> addkey

Select 11, ECC (set your own capabilities).

Please select what kind of key you want:
   (3) DSA (sign only)
   (4) RSA (sign only)
   (5) Elgamal (encrypt only)
   (6) RSA (encrypt only)
   (7) DSA (set your own capabilities)
   (8) RSA (set your own capabilities)
  (10) ECC (sign only)
  (11) ECC (set your own capabilities)
  (12) ECC (encrypt only)
  (13) Existing key
  (14) Existing key from card
Your selection? 11

Enter A, then S, in that order.

Confirm that it shows Current allowed actions: Authenticate, then press Q to finish.

Possible actions for a ECDSA/EdDSA key: Sign Authenticate
Current allowed actions: Sign

   (S) Toggle the sign capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? A

Possible actions for a ECDSA/EdDSA key: Sign Authenticate
Current allowed actions: Sign Authenticate

   (S) Toggle the sign capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? S

Possible actions for a ECDSA/EdDSA key: Sign Authenticate
Current allowed actions: Authenticate

   (S) Toggle the sign capability
   (A) Toggle the authenticate capability
   (Q) Finished

Your selection? Q

Select curve 1.

Please select which elliptic curve you want:
   (1) Curve 25519
   (3) NIST P-256
   (4) NIST P-384
   (5) NIST P-521
   (6) Brainpool P-256
   (7) Brainpool P-384
   (8) Brainpool P-512
   (9) secp256k1
Your selection? 1

Set the expiry. Choose it according to your use; here we choose no expiry.

Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y
Really create? (y/N) y

You will be asked for the passphrase. Enter the one you set for the primary key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

sec  ed25519/AEB056730BD34876
     created: 2024-03-03  expires: never       usage: C
     trust: ultimate      validity: ultimate
ssb  ed25519/CAE4E0460A30346C
     created: 2024-03-03  expires: never       usage: S
ssb  cv25519/E4F4A2193380C7AC
     created: 2024-03-03  expires: never       usage: E
ssb  ed25519/8492AAC42EFF7072
     created: 2024-03-03  expires: never       usage: A
[ultimate] (1). exampleName <[email protected]>

Once everything has been created, exit with the following command.

gpg> save

Verification

--list-keys shows the keys you created.

pub is the primary key and sub lines are the subkeys.

The letters mean C: Certify, S: Sign, E: Encrypt, A: Authenticate.

$ gpg --list-keys
/home/ocha98/.gnupg/pubring.kbx
-------------------------------
pub   ed25519 2024-03-03 [C]
      526A35ED4EDBEC364C0776A0AEB056730BD34876
uid           [ultimate] exampleName <[email protected]>
sub   ed25519 2024-03-03 [S]
sub   cv25519 2024-03-03 [E]
sub   ed25519 2024-03-03 [A]
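The whole procedure above, from the primary key through the verification step, as an added example that is not part of the original post: a POSIX shell script with two functions. generate_key_set builds the same layout unattended with gpg's --quick-generate-key and --quick-add-key (it assumes gpg 2.2 or later, as used on this page, and a GNUPGHOME you control); check_key_layout reads the machine-readable output of gpg --list-keys --with-colons and confirms that the primary key is Certify-only and that Sign, Encrypt and Authenticate each sit on their own subkey. The listing embedded at the bottom is constructed (key IDs and the primary fingerprint are the ones shown in this post; timestamps, the uid hash and the e-mail address are made up), so the check runs without touching a real keyring.

```shell
#!/bin/sh
# Added example, not code from the original post.
#   generate_key_set  - ed25519 Certify-only primary key plus Sign, Encrypt
#                       and Authenticate subkeys, none of them expiring,
#                       via gpg --quick-generate-key / --quick-add-key
#   check_key_layout  - reads `gpg --list-keys --with-colons` on stdin and
#                       confirms that capability layout (needs only awk)

generate_key_set() {
    uid="$1"   # user ID, e.g. 'exampleName <user@example.com>'
    pass="$2"  # passphrase protecting the secret keys

    # Primary key: EdDSA on Curve 25519, Certify only, never expires
    # (the same choices made interactively in the post).
    gpg --batch --pinentry-mode loopback --passphrase "$pass" \
        --quick-generate-key "$uid" ed25519 cert never || return 1

    # Fingerprint of the new primary key: field 10 of the first fpr record.
    fpr=$(gpg --with-colons --list-keys "$uid" |
          awk -F: '$1 == "fpr" { print $10; exit }')
    [ -n "$fpr" ] || return 1

    # One subkey per role. Encryption uses cv25519 (ECDH); the others ed25519.
    # $spec is deliberately unquoted so it splits into "<algo> <usage>".
    for spec in "ed25519 sign" "cv25519 encr" "ed25519 auth"; do
        gpg --batch --pinentry-mode loopback --passphrase "$pass" \
            --quick-add-key "$fpr" $spec never || return 1
    done
    printf '%s\n' "$fpr"
}

check_key_layout() {
    awk -F: '
        # Field 12 holds capabilities: lowercase letters are the own
        # capabilities of that key; uppercase letters on the pub record
        # summarise what the whole key (primary plus subkeys) can do.
        function own(s) { gsub(/[^a-z]/, "", s); return s }
        $1 == "pub" { primary = own($12); npub++ }
        $1 == "sub" { count[own($12)]++; nsub++ }
        END {
            ok = 1
            if (npub != 1) {
                print "expected exactly one primary key, found " (npub + 0); ok = 0
            }
            if (primary != "c") {
                print "primary key capabilities are \"" primary "\", expected \"c\" (Certify only)"
                ok = 0
            }
            split("s e a", need, " ")
            for (i = 1; i <= 3; i++)
                if (count[need[i]] != 1) {
                    print "expected exactly one subkey with usage " toupper(need[i]) ", found " (count[need[i]] + 0)
                    ok = 0
                }
            if (nsub != 3) {
                print "expected 3 subkeys, found " (nsub + 0); ok = 0
            }
            if (ok) print "OK: Certify-only primary key with separate S, E and A subkeys"
            exit (ok ? 0 : 1)
        }'
}

# Constructed sample listing (abbreviated: subkey fpr records omitted).
# Key IDs and the primary fingerprint are those shown in the post; the
# timestamps, uid hash and e-mail address are made up.
SAMPLE_LISTING='pub:u:255:22:AEB056730BD34876:1709424000:::u:::cESCA::::::23::0:
fpr:::::::::526A35ED4EDBEC364C0776A0AEB056730BD34876:
uid:u::::1709424000::0000000000000000000000000000000000000000::exampleName <user@example.com>::::::::::0:
sub:u:255:22:CAE4E0460A30346C:1709424000::::::s::::::23:
sub:u:255:18:E4F4A2193380C7AC:1709424000::::::e::::::23:
sub:u:255:22:8492AAC42EFF7072:1709424000::::::a::::::23:'

# Same key set, but the primary key kept the Sign capability (the step the
# post removes by pressing S). check_key_layout must reject this one.
SAMPLE_BAD_LISTING='pub:u:255:22:AEB056730BD34876:1709424000:::u:::scESCA::::::23::0:
sub:u:255:22:CAE4E0460A30346C:1709424000::::::s::::::23:
sub:u:255:18:E4F4A2193380C7AC:1709424000::::::e::::::23:
sub:u:255:22:8492AAC42EFF7072:1709424000::::::a::::::23:'

printf '%s\n' "$SAMPLE_LISTING" | check_key_layout
# On a real keyring:  gpg --with-colons --list-keys AEB056730BD34876 | check_key_layout
```

To try generate_key_set without touching your real keyring, point GNUPGHOME at a fresh temporary directory first (export GNUPGHOME=$(mktemp -d)), then run fpr=$(generate_key_set 'exampleName <user@example.com>' 'your-passphrase') followed by gpg --with-colons --list-keys "$fpr" | check_key_layout. The check is also worth rerunning after any later addkey or expire change, because a primary key that quietly keeps the Sign capability, or a second Encrypt subkey, is easy to overlook in the human-readable listing.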

Author

お茶の葉

Someone who likes physics and programming