mattintosh note

Notes of a wannabe engineer somewhere

When GPG cannot generate a key on a Debian virtual machine because entropy never accumulates

When GPG creates a private key with gpg --gen-key and similar commands it needs entropy (randomness that accumulates from events such as mouse and keyboard activity). On a virtual machine, however, entropy does not accumulate and the key is never generated no matter how long you wait, so install a package such as haveged or rng-tools to supply entropy.

The environment is as follows.

lsb_release

Distributor ID: Debian
Description:    Debian GNU/Linux 9.8 (stretch)
Release:        9.8
Codename:       stretch

Using haveged

Install the haveged package.

Console (Debian 9)

root@debian:~# apt install haveged -y

Check that the service is running.

Console (Debian 9)

root@debian:~# systemctl status haveged
● haveged.service - Entropy daemon using the HAVEGE algorithm
   Loaded: loaded (/lib/systemd/system/haveged.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2019-04-03 17:21:13 JST; 5s ago
     Docs: man:haveged(8)
           http://www.issihosts.com/haveged/
 Main PID: 7460 (haveged)
   CGroup: /system.slice/haveged.service
           └─7460 /usr/sbin/haveged --Foreground --verbose=1 -w 1024

 4月 03 17:21:13 debian systemd[1]: Started Entropy daemon using the HAVEGE algorithm.
 4月 03 17:21:14 debian haveged[7460]: haveged: ver: 1.9.1; arch: x86; vend: GenuineIntel; build: (gcc 6.3.0 ITV); collect: 128K
 4月 03 17:21:14 debian haveged[7460]: haveged: cpu: (L4 VC); data: 32K (L4 V); inst: 32K (L4 V); idx: 22/40; sz: 31886/59215
 4月 03 17:21:14 debian haveged[7460]: haveged: tot tests(BA8): A:1/1 B:1/1 continuous tests(B):  last entropy estimate 7.99355
 4月 03 17:21:14 debian haveged[7460]: haveged: fills: 0, generated: 0

Using rng-tools/rng-tools5

Install the rng-tools or rng-tools5 package (rng-tools is used here). The service start trigger will probably fail.

Console (Debian 9)

root@debian:~# apt install rng-tools

Both rng-tools and rng-tools5 default to the device /dev/hwrng, which does not exist here, so create a symbolic link.

Console (Debian 9)

root@debian:~# ln -s /dev/urandom /dev/hwrng

Start the service.

Console (Debian 9)

root@debian:~# systemctl start rng-tools

Alternatively, run rngd manually.

Console (Debian 9)

root@debian:~# rngd -r /dev/urandom

If this is to be used permanently, either fix the systemd unit or, perhaps better, use the haveged package, which works without any extra effort.
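As an added example (not part of the original post), a small POSIX sh check that reports the current entropy level and how /dev/hwrng is provided, so the result of the steps above can be verified before running gpg. It reads the standard kernel files /proc/sys/kernel/random/entropy_avail and poolsize; the function name, the fixture values and the 1024 threshold (taken from the -w 1024 in the systemctl output above) are this example's own choices. Note that the ln -s /dev/urandom /dev/hwrng workaround makes rngd feed the kernel pool with the pool's own output, which raises the entropy estimate without adding fresh entropy, so the check reports that state separately.

```shell
#!/bin/sh
# Added example, not from the original post. Reports the kernel entropy level
# and how /dev/hwrng is provided. Paths are parameters so the function can be
# run against constructed fixture files as well as the live /proc and /dev.
#
# entropy_report AVAIL_FILE POOLSIZE_FILE HWRNG_PATH [THRESHOLD]
#   Prints: entropy=<avail>/<poolsize> status=<ok|low> hwrng=<state>
#   Returns 0 when avail >= THRESHOLD (default 1024, the -w value haveged
#   runs with in the systemctl output above), 1 otherwise.
entropy_report() {
    avail=$(cat "$1")
    pool=$(cat "$2")
    hwrng=$3
    threshold=${4:-1024}

    if [ -L "$hwrng" ]; then
        # The ln -s /dev/urandom /dev/hwrng workaround makes rngd feed the
        # kernel pool with the pool's own output: the estimate rises but no
        # fresh entropy enters, so this state is reported separately.
        case $(readlink "$hwrng") in
            */urandom|*/random) hwrng_state=symlink-to-kernel-pool ;;
            *)                  hwrng_state=symlink ;;
        esac
    elif [ -c "$hwrng" ]; then
        hwrng_state=device          # a real (or virtio) hardware RNG node
    else
        hwrng_state=missing         # rng-tools will fail to start
    fi

    if [ "$avail" -ge "$threshold" ]; then
        status=ok; rc=0
    else
        status=low; rc=1
    fi
    printf 'entropy=%s/%s status=%s hwrng=%s\n' "$avail" "$pool" "$status" "$hwrng_state"
    return $rc
}

# Live check when run as a script with --live (exit status 1 means "low").
if [ "${1:-}" = "--live" ]; then
    entropy_report /proc/sys/kernel/random/entropy_avail \
                   /proc/sys/kernel/random/poolsize /dev/hwrng
fi
```

Run it with `--live` on the VM before and after starting haveged or rngd to see whether the pool level actually changes.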

Generating a GPG key

Debian 9 and CentOS 7 behave differently; I don't know whether it is because the versions differ.

Console (Debian 9)

linus@debian:~$ gpg --help
gpg (GnuPG) 2.1.18
libgcrypt 1.7.6-beta
Copyright (C) 2017 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/linus/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Syntax: gpg [options] [files]
Sign, check, encrypt or decrypt
Default operation depends on the input data

Commands:
 
 -s, --sign                  make a signature
     --clear-sign            make a clear text signature
 -b, --detach-sign           make a detached signature
 -e, --encrypt               encrypt data
 -c, --symmetric             encryption only with symmetric cipher
 -d, --decrypt               decrypt data (default)
     --verify                verify a signature
 -k, --list-keys             list keys
     --list-signatures       list keys and signatures
     --check-signatures      list and check key signatures
     --fingerprint           list keys and fingerprints
 -K, --list-secret-keys      list secret keys
     --generate-key          generate a new key pair
     --quick-generate-key    quickly generate a new key pair
     --quick-add-uid         quickly add a new user-id
     --quick-revoke-uid      quickly revoke a user-id
     --quick-set-expire      quickly set a new expiration date
     --full-generate-key     full featured key pair generation
     --generate-revocation   generate a revocation certificate
     --delete-keys           remove keys from the public keyring
     --delete-secret-keys    remove keys from the secret keyring
     --quick-sign-key        quickly sign a key
     --quick-lsign-key       quickly sign a key locally
     --sign-key              sign a key
     --lsign-key             sign a key locally
     --edit-key              sign or edit a key
     --change-passphrase     change a passphrase
     --export                export keys
     --send-keys             export keys to a keyserver
     --receive-keys          import keys from a keyserver
     --search-keys           search for keys on a keyserver
     --refresh-keys          update all keys from a keyserver
     --import                import/merge keys
     --card-status           print the card status
     --edit-card             change data on a card
     --change-pin            change a card's PIN
     --update-trustdb        update the trust database
     --print-md              print message digests
     --server                run in server mode
     --tofu-policy VALUE     set the TOFU policy for a key

Options:
 
 -a, --armor                 create ascii armored output
 -r, --recipient USER-ID     encrypt for USER-ID
 -u, --local-user USER-ID    use USER-ID to sign or decrypt
 -z N                        set compress level to N (0 disables)
     --textmode              use canonical text mode
 -o, --output FILE           write output to FILE
 -v, --verbose               verbose
 -n, --dry-run               do not make any changes
 -i, --interactive           prompt before overwriting
     --openpgp               use strict OpenPGP behavior

(See the man page for a complete listing of all commands and options)

Examples:

 -se -r Bob [file]          sign and encrypt for user Bob
 --clear-sign [file]        make a clear text signature
 --detach-sign [file]       make a detached signature
 --list-keys [names]        show keys
 --fingerprint [names]      show fingerprints

Please report bugs to <https://bugs.gnupg.org>.

Console (CentOS 7)

[linus@localhost ~]$ gpg --help
gpg (GnuPG) 2.0.22
libgcrypt 1.5.3
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, ?, ?, ELG, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Syntax: gpg [options] [files]
Sign, check, encrypt or decrypt
Default operation depends on the input data

Commands:
 
 -s, --sign                 make a signature
     --clearsign            make a clear text signature
 -b, --detach-sign          make a detached signature
 -e, --encrypt              encrypt data
 -c, --symmetric            encryption only with symmetric cipher
 -d, --decrypt              decrypt data (default)
     --verify               verify a signature
 -k, --list-keys            list keys
     --list-sigs            list keys and signatures
     --check-sigs           list and check key signatures
     --fingerprint          list keys and fingerprints
 -K, --list-secret-keys     list secret keys
     --gen-key              generate a new key pair
     --gen-revoke           generate a revocation certificate
     --delete-keys          remove keys from the public keyring
     --delete-secret-keys   remove keys from the secret keyring
     --sign-key             sign a key
     --lsign-key            sign a key locally
     --edit-key             sign or edit a key
     --passwd               change a passphrase
     --export               export keys
     --send-keys            export keys to a key server
     --recv-keys            import keys from a key server
     --search-keys          search for keys on a key server
     --refresh-keys         update all keys from a keyserver
     --import               import/merge keys
     --card-status          print the card status
     --card-edit            change data on a card
     --change-pin           change a card's PIN
     --update-trustdb       update the trust database
     --print-md             print message digests
     --server               run in server mode

Options:
 
 -a, --armor                create ascii armored output
 -r, --recipient USER-ID    encrypt for USER-ID
 -u, --local-user USER-ID   use USER-ID to sign or decrypt
 -z N                       set compress level to N (0 disables)
     --textmode             use canonical text mode
 -o, --output FILE          write output to FILE
 -v, --verbose              verbose
 -n, --dry-run              do not make any changes
 -i, --interactive          prompt before overwriting
     --openpgp              use strict OpenPGP behavior

(See the man page for a complete listing of all commands and options)

Examples:

 -se -r Bob [file]          sign and encrypt for user Bob
 --clearsign [file]         make a clear text signature
 --detach-sign [file]       make a detached signature
 --list-keys [names]        show keys
 --fingerprint [names]      show fingerprints

Please report bugs to <http://bugs.gnupg.org>.

When gpg --gen-key is run on CentOS 7 it asks for the key type, key length and expiry date, but on Debian 9 none of these are asked; it only prompts for a name, an e-mail address and a passphrase. A message printed when the command runs says to use --full-generate-key if you also want to specify the key type and so on.

Console (Debian 9)

linus@debian:~$ gpg --full-generate-key

I seem to recall that for the exam it was enough to remember --gen-key, but I wonder what LPI and LPI-Japan will do about the same command behaving differently depending on the distribution.

(Personally, it is painful that gzip -k is not available on RHEL-based systems, but that does not come up in the exam.)