diff --git a/sources/tech/20180314 Protecting Code Integrity with PGP - Part 5- Moving Subkeys to a Hardware Device.md b/sources/tech/20180314 Protecting Code Integrity with PGP - Part 5- Moving Subkeys to a Hardware Device.md deleted file mode 100644 index 8463598b4c15..000000000000 --- a/sources/tech/20180314 Protecting Code Integrity with PGP - Part 5- Moving Subkeys to a Hardware Device.md +++ /dev/null @@ -1,304 +0,0 @@ -Translating by qhwdw -Protecting Code Integrity with PGP — Part 5: Moving Subkeys to a Hardware Device -====== - -![](https://www.linux.com/sites/lcom/files/styles/rendered_file/public/pgp-keys.jpg?itok=aS6IWGpq) - -In this tutorial series, we're providing practical guidelines for using PGP. If you missed the previous article, you can catch up with the links below. But, in this article, we'll continue our discussion about securing your keys and look at some tips for moving your subkeys to a specialized hardware device. - -[Part 1: Basic Concepts and Tools][1] - -[Part 2: Generating Your Master Key][2] - -[Part 3: Generating PGP Subkeys][3] - -[Part 4: Moving Your Master Key to Offline Storage][4] - -### Checklist - - * Get a GnuPG-compatible hardware device (NICE) - - * Configure the device to work with GnuPG (NICE) - - * Set the user and admin PINs (NICE) - - * Move your subkeys to the device (NICE) - - - - -### Considerations - -Even though the master key is now safe from being leaked or stolen, the subkeys are still in your home directory. Anyone who manages to get their hands on those will be able to decrypt your communication or fake your signatures (if they know the passphrase). Furthermore, each time a GnuPG operation is performed, the keys are loaded into system memory and can be stolen from there by sufficiently advanced malware (think Meltdown and Spectre). - -The best way to completely protect your keys is to move them to a specialized hardware device that is capable of smartcard operations. - -#### The benefits of smartcards - -A smartcard contains a cryptographic chip that is capable of storing private keys and performing crypto operations directly on the card itself. Because the key contents never leave the smartcard, the operating system of the computer into which you plug in the hardware device is not able to retrieve the private keys themselves. This is very different from the encrypted USB storage device we used earlier for backup purposes -- while that USB device is plugged in and decrypted, the operating system is still able to access the private key contents. Using external encrypted USB media is not a substitute to having a smartcard-capable device. - -Some other benefits of smartcards: - - * They are relatively cheap and easy to obtain - - * They are small and easy to carry with you - - * They can be used with multiple devices - - * Many of them are tamper-resistant (depends on manufacturer) - - - - -#### Available smartcard devices - -Smartcards started out embedded into actual wallet-sized cards, which earned them their name. You can still buy and use GnuPG-capable smartcards, and they remain one of the cheapest available devices you can get. However, actual smartcards have one important downside: they require a smartcard reader, and very few laptops come with one. - -For this reason, manufacturers have started providing small USB devices, the size of a USB thumb drive or smaller, that either have the microsim-sized smartcard pre-inserted, or that simply implement the smartcard protocol features on the internal chip. Here are a few recommendations: - - * [Nitrokey Start][5]: Open hardware and Free Software: one of the cheapest options for GnuPG use, but with fewest extra security features - - * [Nitrokey Pro][6]: Similar to the Nitrokey Start, but is tamper-resistant and offers more security features (but not U2F, see the Fido U2F section of the guide) - - * [Yubikey 4][7]: Proprietary hardware and software, but cheaper than Nitrokey Pro and comes available in the USB-C form that is more useful with newer laptops; also offers additional security features such as U2F - - - - -Our recommendation is to pick a device that is capable of both smartcard functionality and U2F, which, at the time of writing, means a Yubikey 4. - -#### Configuring your smartcard device - -Your smartcard device should Just Work (TM) the moment you plug it into any modern Linux or Mac workstation. You can verify it by running: -``` -$ gpg --card-status - -``` - -If you didn't get an error, but a full listing of the card details, then you are good to go. Unfortunately, troubleshooting all possible reasons why things may not be working for you is way beyond the scope of this guide. If you are having trouble getting the card to work with GnuPG, please seek support via your operating system's usual support channels. - -##### PINs don't have to be numbers - -Note, that despite having the name "PIN" (and implying that it must be a "number"), neither the user PIN nor the admin PIN on the card need to be numbers. - -Your device will probably have default user and admin PINs set up when it arrives. For Yubikeys, these are 123456 and 12345678, respectively. If those don't work for you, please check any accompanying documentation that came with your device. - -##### Quick setup - -To configure your smartcard, you will need to use the GnuPG menu system, as there are no convenient command-line switches: -``` -$ gpg --card-edit -[...omitted...] -gpg/card> admin -Admin commands are allowed -gpg/card> passwd - -``` - -You should set the user PIN (1), Admin PIN (3), and the Reset Code (4). Please make sure to record and store these in a safe place -- especially the Admin PIN and the Reset Code (which allows you to completely wipe the smartcard). You so rarely need to use the Admin PIN, that you will inevitably forget what it is if you do not record it. - -Getting back to the main card menu, you can also set other values (such as name, sex, login data, etc), but it's not necessary and will additionally leak information about your smartcard should you lose it. - -#### Moving the subkeys to your smartcard - -Exit the card menu (using "q") and save all changes. Next, let's move your subkeys onto the smartcard. You will need both your PGP key passphrase and the admin PIN of the card for most operations. Remember, that [fpr] stands for the full 40-character fingerprint of your key. -``` -$ gpg --edit-key [fpr] - -Secret subkeys are available. - -pub rsa4096/AAAABBBBCCCCDDDD - created: 2017-12-07 expires: 2019-12-07 usage: C - trust: ultimate validity: ultimate -ssb rsa2048/1111222233334444 - created: 2017-12-07 expires: never usage: E -ssb rsa2048/5555666677778888 - created: 2017-12-07 expires: never usage: S -[ultimate] (1). Alice Engineer -[ultimate] (2) Alice Engineer - -gpg> - -``` - -Using --edit-key puts us into the menu mode again, and you will notice that the key listing is a little different. From here on, all commands are done from inside this menu mode, as indicated by gpg>. - -First, let's select the key we'll be putting onto the card -- you do this by typing key 1 (it's the first one in the listing, our [E] subkey): -``` -gpg> key 1 - -``` - -The output should be subtly different: -``` -pub rsa4096/AAAABBBBCCCCDDDD - created: 2017-12-07 expires: 2019-12-07 usage: C - trust: ultimate validity: ultimate -ssb* rsa2048/1111222233334444 - created: 2017-12-07 expires: never usage: E -ssb rsa2048/5555666677778888 - created: 2017-12-07 expires: never usage: S -[ultimate] (1). Alice Engineer -[ultimate] (2) Alice Engineer - -``` - -Notice the * that is next to the ssb line corresponding to the key -- it indicates that the key is currently "selected." It works as a toggle, meaning that if you type key 1 again, the * will disappear and the key will not be selected any more. - -Now, let's move that key onto the smartcard: -``` -gpg> keytocard -Please select where to store the key: - (2) Encryption key -Your selection? 2 - -``` - -Since it's our [E] key, it makes sense to put it into the Encryption slot. When you submit your selection, you will be prompted first for your PGP key passphrase, and then for the admin PIN. If the command returns without an error, your key has been moved. - -**Important:** Now type key 1 again to unselect the first key, and key 2 to select the [S] key: -``` -gpg> key 1 -gpg> key 2 -gpg> keytocard -Please select where to store the key: - (1) Signature key - (3) Authentication key -Your selection? 1 - -``` - -You can use the [S] key both for Signature and Authentication, but we want to make sure it's in the Signature slot, so choose (1). Once again, if your command returns without an error, then the operation was successful. - -Finally, if you created an [A] key, you can move it to the card as well, making sure first to unselect key 2. Once you're done, choose "q": -``` -gpg> q -Save changes? (y/N) y - -``` - -Saving the changes will delete the keys you moved to the card from your home directory (but it's okay, because we have them in our backups should we need to do this again for a replacement smartcard). - -##### Verifying that the keys were moved - -If you perform --list-secret-keys now, you will see a subtle difference in the output: -``` -$ gpg --list-secret-keys -sec# rsa4096 2017-12-06 [C] [expires: 2019-12-06] - 111122223333444455556666AAAABBBBCCCCDDDD -uid [ultimate] Alice Engineer -uid [ultimate] Alice Engineer -ssb> rsa2048 2017-12-06 [E] -ssb> rsa2048 2017-12-06 [S] - -``` - -The > in the ssb> output indicates that the subkey is only available on the smartcard. If you go back into your secret keys directory and look at the contents there, you will notice that the .key files there have been replaced with stubs: -``` -$ cd ~/.gnupg/private-keys-v1.d -$ strings *.key - -``` - -The output should contain shadowed-private-key to indicate that these files are only stubs and the actual content is on the smartcard. - -#### Verifying that the smartcard is functioning - -To verify that the smartcard is working as intended, you can create a signature: -``` -$ echo "Hello world" | gpg --clearsign > /tmp/test.asc -$ gpg --verify /tmp/test.asc - -``` - -This should ask for your smartcard PIN on your first command, and then show "Good signature" after you run gpg --verify. - -Congratulations, you have successfully made it extremely difficult to steal your digital developer identity! - -### Other common GnuPG operations - -Here is a quick reference for some common operations you'll need to do with your PGP key. - -In all of the below commands, the [fpr] is your key fingerprint. - -#### Mounting your master key offline storage - -You will need your master key for any of the operations below, so you will first need to mount your backup offline storage and tell GnuPG to use it. First, find out where the media got mounted, for example, by looking at the output of the mount command. Then, locate the directory with the backup of your GnuPG directory and tell GnuPG to use that as its home: -``` -$ export GNUPGHOME=/media/disk/name/gnupg-backup -$ gpg --list-secret-keys - -``` - -You want to make sure that you see sec and not sec# in the output (the # means the key is not available and you're still using your regular home directory location). - -##### Updating your regular GnuPG working directory - -After you make any changes to your key using the offline storage, you will want to import these changes back into your regular working directory: -``` -$ gpg --export | gpg --homedir ~/.gnupg --import -$ unset GNUPGHOME - -``` - -#### Extending key expiration date - -The master key we created has the default expiration date of 2 years from the date of creation. This is done both for security reasons and to make obsolete keys eventually disappear from keyservers. - -To extend the expiration on your key by a year from current date, just run: -``` -$ gpg --quick-set-expire [fpr] 1y - -``` - -You can also use a specific date if that is easier to remember (e.g. your birthday, January 1st, or Canada Day): -``` -$ gpg --quick-set-expire [fpr] 2020-07-01 - -``` - -Remember to send the updated key back to keyservers: -``` -$ gpg --send-key [fpr] - -``` - -#### Revoking identities - -If you need to revoke an identity (e.g., you changed employers and your old email address is no longer valid), you can use a one-liner: -``` -$ gpg --quick-revoke-uid [fpr] 'Alice Engineer ' - -``` - -You can also do the same with the menu mode using gpg --edit-key [fpr]. - -Once you are done, remember to send the updated key back to keyservers: -``` -$ gpg --send-key [fpr] - -``` - -Next time, we'll look at how Git supports multiple levels of integration with PGP. - -Learn more about Linux through the free ["Introduction to Linux" ][8]course from The Linux Foundation and edX. - --------------------------------------------------------------------------------- - -via: https://www.linux.com/blog/learn/pgp/2018/3/protecting-code-integrity-pgp-part-5-moving-subkeys-hardware-device - -作者:[KONSTANTIN RYABITSEV][a] -译者:[译者ID](https://github.com/译者ID) -校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 - -[a]:https://www.linux.com/users/mricon -[1]:https://www.linux.com/blog/learn/2018/2/protecting-code-integrity-pgp-part-1-basic-pgp-concepts-and-tools -[2]:https://www.linux.com/blog/learn/pgp/2018/2/protecting-code-integrity-pgp-part-2-generating-and-protecting-your-master-pgp-key -[3]:https://www.linux.com/blog/learn/pgp/2018/2/protecting-code-integrity-pgp-part-3-generating-pgp-subkeys -[4]:https://www.linux.com/blog/learn/pgp/2018/3/protecting-code-integrity-pgp-part-4-moving-your-master-key-offline-storage -[5]:https://shop.nitrokey.com/shop/product/nitrokey-start-6 -[6]:https://shop.nitrokey.com/shop/product/nitrokey-pro-3 -[7]:https://www.yubico.com/product/yubikey-4-series/ -[8]:https://training.linuxfoundation.org/linux-courses/system-administration-training/introduction-to-linux diff --git a/translated/tech/20180314 Protecting Code Integrity with PGP - Part 5- Moving Subkeys to a Hardware Device.md b/translated/tech/20180314 Protecting Code Integrity with PGP - Part 5- Moving Subkeys to a Hardware Device.md new file mode 100644 index 000000000000..8dadad1193e2 --- /dev/null +++ b/translated/tech/20180314 Protecting Code Integrity with PGP - Part 5- Moving Subkeys to a Hardware Device.md @@ -0,0 +1,304 @@ +用 PGP 保护代码完整性(五):将子密钥移到一个硬件设备中 +====== + +![](https://www.linux.com/sites/lcom/files/styles/rendered_file/public/pgp-keys.jpg?itok=aS6IWGpq) + +在本系列教程中,我们将提供一个使用 PGP 的实用指南。如果你没有看过前面的文章,你可以通过下面的链接去查看。在这篇文章中,我们将继续讨论如何保护你的密钥,谈一谈将你的子密钥移到一个专门的硬件设备中的一些技巧。 + +[第一部分:基本概念和工具][1] + +[第二部分:生成你的主密钥][2] + +[第三部分:生成 PGP 子密钥][3] + +[第四部分:将主密钥移到离线存储中][4] + +### 清单 + + * 取得一个 GnuPG 兼容的硬件设备(必要) + + * 配置 GnuPG 在设备上工作(必要) + + * 设置 user 和 admin 的 PIN(必要) + + * 移动子密钥到设备中(必要) + + + + +### 考虑事项 + +虽然现在主密钥已经不用担心泄露或失窃了,但子密钥仍然在你的 Home 目录中。任何得到它的人都能够解密你的通讯或假冒你的签名(如果他们知道密钥的密码)。并且,每次执行一个 GnuPG 操作都要将密钥加载到操作系统内存中,这将使一些更高级的恶意软件有机会得到你的密钥(想想 Meltdown 和 Spectre)。 + +完全保护密钥的最好方式就是,将它移到一个专门的硬件设备中,这种硬件设备是一个可操作的智能卡。 + +#### 智能卡的好处 + +一个智能卡包含一个加密芯片,它能够存储私钥,并且直接在智能卡内部执行秘密操作。因为密钥内容从来没有离开过智能卡,计算机操作系统并不能检索你插入的智能卡上的私钥。这与前面用于备份目的的加密 USB 存储是不同的 —— 虽然 USB 设备也是插入并解密的,但操作系统是能够去访问私钥内容的。使用外置的加密 USB 介质并不能代替智能卡设备的功能。 + +智能卡的一些其它好处: + + * 它们很便宜且易于获得 + + * 它们小巧且易于携带 + + * 它们可以用于多种设备上 + + * 它们中的很多都具有防篡改功能(取决于制造商) + + + + +#### 可用的智能卡设备 + +智能卡最初是嵌入到真实钱包大小的卡中,故而得名智能卡。你总是可以买到并使用 GnuPG 功能的智能卡,并且它们是你能得到的最便宜的可用设备之一。但是,事实上智能卡有一个很重要的缺点:它们需要一个智能卡读卡器,只有极小数的笔记本电脑上有这种读卡器。 + +由于这个原因,制造商开始推出小型 USB 设备,它的大小和 U 盘类似,内置有微型智能卡,并且在芯片上简单地实现了智能卡协议特性。下面推荐几个这样的设备: + + * [Nitrokey Start][5]:开源硬件和自由软件,可用于 GnuPG 的最便宜的选择之一,但是额外的安全特性很少。 + + * [Nitrokey Pro][6]:类似于 Nitrokey Start,它提供防篡改及更多的安全特性(但没有 U2F,具体查看指南的 U2F 节)。 + + * [Yubikey 4][7]:专利硬件和软件,但比 Nitrokey Pro 便宜,并且可以用在最新的笔记本电脑上的 USB-C 接口;也提供像 U2F 这样的额外的安全特性。 + + + + +我们推荐选一个同时具备智能卡功能和 U2F 的设备,在写这篇文章时,只能选择 Yubikey 4。 + +#### 配置智能卡设备 + +你的智能卡设备插入任何一台现代的 Linux 或 Mac 工作站上都应该能正常工作。你可以通过运行如下的命令去验证它: +``` +$ gpg --card-status + +``` + +如果你没有收到错误,有一个完整的卡列表,就表示一切正常。不幸的是,排除为什么设备不能正常工作的所有可能原因,已经超出了本指南的范围。如果你的智能卡使用 GnuPG 时有问题,请通过你的操作系统的常见支持通道寻求支持。 + +##### PIN 不一定是数字 + +注意,尽管名为 “PIN”(暗示你它必须是一个“数字”),不论是 user PIN 还是 admin PIN 都不必非要是数字。 + +当你收到一个新设备时,它可能设置有一个默认的 user 和 admin PIN,对于 Yubikeys,它分别是 123456 和 12345678。如果它们的 PIN 不是默认的,请查看设备附带的说明书。 + +##### 快速设置 + +为配置你的智能卡,你需要使用 GnuPG 菜单系统,因此这里并没有更方便的命令行开关: +``` +$ gpg --card-edit +[...omitted...] +gpg/card> admin +Admin commands are allowed +gpg/card> passwd + +``` + +你应该去设置 user PIN (1)、admin PIN (3)、和 Reset Code (4)。请确保把它们记录并保存到一个安全的地方 —— 尤其是 Admin PIN 和 Reset Code(它允许你去擦除整个智能卡内容)。你很少使用到 Admin PIN,因此如果你不记录下来,很可能会忘掉它。 + +返回到智能卡主菜单,你也可以设置其它值(比如名字、性别、登入日期、等等),但是这些都不是必需的,一旦你的智能卡丢失了,将导致额外的信息泄露。 + +#### 将子密钥移到你的智能卡中 + +退出卡菜单(使用 “q” 命令)保存所有更改。接下来,我们将你的子密钥移到智能卡中。将需要用到你的 PGP 密钥的密码,在大多数的智能卡操作中都将用到 admin PIN。记住,那个 [fpr] 表示你的密钥的完整的 40 个字符的指纹。 +``` +$ gpg --edit-key [fpr] + +Secret subkeys are available. + +pub rsa4096/AAAABBBBCCCCDDDD + created: 2017-12-07 expires: 2019-12-07 usage: C + trust: ultimate validity: ultimate +ssb rsa2048/1111222233334444 + created: 2017-12-07 expires: never usage: E +ssb rsa2048/5555666677778888 + created: 2017-12-07 expires: never usage: S +[ultimate] (1). Alice Engineer +[ultimate] (2) Alice Engineer + +gpg> + +``` + +使用 --edit-key 再次进入到菜单模式,你将注意到那个密钥清单有一点小差别。从现在开始,所有的命令都是在这个菜单模式下运行,它用 gpg> 提示符来表示。 + +首先,我们来选择移到智能卡中的密钥 —— 你可以通过键入 `key 1`(它表示选择清单中的第一个密钥)来实现: +``` +gpg> key 1 + +``` + +这个输出会有一点细微的差别: +``` +pub rsa4096/AAAABBBBCCCCDDDD + created: 2017-12-07 expires: 2019-12-07 usage: C + trust: ultimate validity: ultimate +ssb* rsa2048/1111222233334444 + created: 2017-12-07 expires: never usage: E +ssb rsa2048/5555666677778888 + created: 2017-12-07 expires: never usage: S +[ultimate] (1). Alice Engineer +[ultimate] (2) Alice Engineer + +``` + +注意与密钥对应的 ssb 行旁边的 `*` —— 它表示这是当前选定的密钥。它是可切换的,意味着如果你再次输入 `key 1`,这个 `*` 将消失,这个密钥将不再被选中。 + +现在,我们来将密钥移到智能卡中: +``` +gpg> keytocard +Please select where to store the key: + (2) Encryption key +Your selection? 2 + +``` + +由于它是我们的 [E] 密钥,把它移到加密区中是有很有意义的。当你提交了你的选择之后,将会被提示输入你的 PGP 密钥的保护密码,接下来输入智能卡的 admin PIN。如果命令没有返回错误,表示你的密钥已经被移到智能卡中了。 + +**重要:** 现在再次输入 `key 1` 去取消选中第一个密钥,并输入 `key 2` 去选择 [S] 密钥: + +``` +gpg> key 1 +gpg> key 2 +gpg> keytocard +Please select where to store the key: + (1) Signature key + (3) Authentication key +Your selection? 1 + +``` + +你可以使用 [S] 密钥同时做签名和验证,但是我们希望确保它在签名区,因此,我们选择 (1)。完成后,如果你的命令没有返回错误,表示操作已成功。 + +最后,如果你创建了一个 [A] 密钥,你也可以将它移到智能卡中,但是你需要先取消选中 `key 2`。完成后,选择 “q": +``` +gpg> q +Save changes? (y/N) y + +``` + +保存变更将把你的子密钥移到智能卡后,把你的 Home 目录中的相应子密钥删除(没有关系,因为我们的备份中还有,如果更换了智能卡,你需要再做一遍)。 + +##### 验证移动后的密钥 + +现在,如果你执行一个` --list-secret-keys` 操作,你将看到一个稍有不同的输出: +``` +$ gpg --list-secret-keys +sec# rsa4096 2017-12-06 [C] [expires: 2019-12-06] + 111122223333444455556666AAAABBBBCCCCDDDD +uid [ultimate] Alice Engineer +uid [ultimate] Alice Engineer +ssb> rsa2048 2017-12-06 [E] +ssb> rsa2048 2017-12-06 [S] + +``` + +在 ssb> 的输出中的 `>` 表示子密钥仅在智能卡上有效。如果你进入到你的密钥目录中,查看目录的内容,你将会看到那个 `.key` 文件已经被存根替换: +``` +$ cd ~/.gnupg/private-keys-v1.d +$ strings *.key + +``` + +这个输出将包含一个影子私钥,它表示那个文件仅是个存根,真正的内容在智能卡中。 + +#### 验证智能卡的功能 + +验证智能卡能否如期正常运行,你可以通过创建一个签名来验证: +``` +$ echo "Hello world" | gpg --clearsign > /tmp/test.asc +$ gpg --verify /tmp/test.asc + +``` + +首次运行这个命令时将询问你智能卡的 PIN,在你运行 `gpg —verify` 之后,它将显示 "Good signature”。 + +祝贺你,你已经成功将窃取你的开发者数字身份变得更加困难了! + +### 其它常见 GnuPG 操作 + +下面是使用你的 PGP 密钥需要做的一些常见操作的快速指南。 + +在下面的所有命令中,[fpr] 表示你的密钥指纹。 + +#### 挂载主密钥离线存储 + +下面的一些操作将需要你的主密钥,因此首先需要去挂载你的主密钥离线存储,并告诉 GnuPG 去使用它。首先,找出介质挂载路径,可以通过查看 mount 命令的输出找到它。接着,设置你的 GnuPG 目录为你的介质上备份的目录,并告诉 GnuPG 将那个目录做为它的 Home: +``` +$ export GNUPGHOME=/media/disk/name/gnupg-backup +$ gpg --list-secret-keys + +``` + +确保你在输出中看到的是 `sec` 而不是 `sec#`(这个 `#` 表示密钥不可用,仍然使用的是惯常的那个 Home 目录)。 + +##### 更新你惯常使用的那个 GnuPG 工作目录 + +在你的离线存储上做了任何更改之后,你应该将这些更改同步应用到你惯常使用的工作目录中: +``` +$ gpg --export | gpg --homedir ~/.gnupg --import +$ unset GNUPGHOME + +``` + +#### 延长密钥过期日期 + +我们创建的主密钥的默认过期日期是自创建之日起两年后。这样做都是为安全考虑,这样将使淘汰密钥最终从密钥服务器上消失。 + +延长你的密钥过期日期,从当前日期延长一年,只需要运行如下命令: +``` +$ gpg --quick-set-expire [fpr] 1y + +``` + +如果为了好记住,你也可以使用一个特定日期(比如,你的生日、1 月 1 日、或加拿大国庆日): +``` +$ gpg --quick-set-expire [fpr] 2020-07-01 + +``` + +记得将更新后的密钥发送到密钥服务器: +``` +$ gpg --send-key [fpr] + +``` + +#### 吊销身份 + +如果你需要吊销一个身份(比如,你换了雇主并且旧的邮件地址不再有效了),你可以使用一行命令搞定: +``` +$ gpg --quick-revoke-uid [fpr] 'Alice Engineer ' + +``` + +你也可以通过使用 `gpg --edit-key [fpr]` 在菜单模式下完成同样的事情。 + +完成后,记得将更新后的密钥发送到密钥服务器上: +``` +$ gpg --send-key [fpr] + +``` + +下一篇文章中,我们将谈谈 Git 如何支持 PGP 的多级别集成。 + +通过来自 Linux 基金会和 edX 的免费课程 [“Linux 入门" ][8]学习更多 Linux 知识。 + +-------------------------------------------------------------------------------- + +via: https://www.linux.com/blog/learn/pgp/2018/3/protecting-code-integrity-pgp-part-5-moving-subkeys-hardware-device + +作者:[KONSTANTIN RYABITSEV][a] +译者:[qhwdw](https://github.com/qhwdw) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:https://www.linux.com/users/mricon +[1]:https://www.linux.com/blog/learn/2018/2/protecting-code-integrity-pgp-part-1-basic-pgp-concepts-and-tools +[2]:https://www.linux.com/blog/learn/pgp/2018/2/protecting-code-integrity-pgp-part-2-generating-and-protecting-your-master-pgp-key +[3]:https://www.linux.com/blog/learn/pgp/2018/2/protecting-code-integrity-pgp-part-3-generating-pgp-subkeys +[4]:https://www.linux.com/blog/learn/pgp/2018/3/protecting-code-integrity-pgp-part-4-moving-your-master-key-offline-storage +[5]:https://shop.nitrokey.com/shop/product/nitrokey-start-6 +[6]:https://shop.nitrokey.com/shop/product/nitrokey-pro-3 +[7]:https://www.yubico.com/product/yubikey-4-series/ +[8]:https://training.linuxfoundation.org/linux-courses/system-administration-training/introduction-to-linux