gpg2 - OpenPGP encryption and signing tool
GPG是加密和数字签名的免费工具,大多用于加密信息的传递。除了仅用密码加密外,GPG最大的不同是提供了“公钥/私钥”对。
查看gpg帮助信息
[[email protected] ~]# gpg --help gpg (GnuPG) 2.0.22 libgcrypt 1.5.3 Copyright (C) 2013 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Home: ~/.gnupg Supported algorithms: Pubkey: RSA, ?, ?, ELG, DSA #支持的非对称加密算法 Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, #支持的加密算法 CAMELLIA128, CAMELLIA192, CAMELLIA256 Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 #支持的散列算法 Compression: Uncompressed, ZIP, ZLIB, BZIP2 #支持的压缩算法 Syntax: gpg [options] [files] Sign, check, encrypt or decrypt Default operation depends on the input data Commands: -s, --sign make a signature #生成一份签名 --clearsign make a clear text signature #生成明文签名 -b, --detach-sign make a detached signature #生成分离的签名 -e, --encrypt encrypt data #数据加密 -c, --symmetric encryption only with symmetric cipher #使用对称加密 -d, --decrypt decrypt data (default) #解密数据(默认) --verify verify a signature #验证签名 -k, --list-keys list keys #列出签名 --list-sigs list keys and signatures #列出秘钥和签名 --check-sigs list and check key signatures #列出并检查秘钥签名 --fingerprint list keys and fingerprints #列出秘钥和指纹 -K, --list-secret-keys list secret keys #列出(secret)私钥 --gen-key generate a new key pair #生成新的秘钥对 --gen-revoke generate a revocation certificate #生成一个吊销证书 --delete-keys remove keys from the public keyring #从公钥中删除 --delete-secret-keys remove keys from the secret keyring #从私钥中删除 --sign-key sign a key #秘钥签名 --lsign-key sign a key locally # --edit-key sign or edit a key #签名或编辑秘钥 --passwd change a passphrase #更改密码口令 --export export keys #输出秘钥 --send-keys export keys to a key server #输出密码到服务器 --recv-keys import keys from a key server #从服务器导入秘钥 --search-keys search for keys on a key server # 在秘钥服务器上搜索秘钥 --refresh-keys update all keys from a keyserver #从秘钥服务器上同步所用秘钥 --import import/merge keys #导入或者合并秘钥 --card-status print the card status #打印card状态 --card-edit change data on a card #更改card上数据 --change-pin change a card‘s PIN #改变card PIN码 --update-trustdb update the trust database #更新信任数据库 --print-md print message digests #打印信息摘要 --server run in server mode #服务器上运行的模式 Options: -a, --armor create ascii armored output #创建ascii码封装的输出 -r, --recipient USER-ID encrypt for USER-ID #为接受的用户id家吗 -u, --local-user USER-ID use USER-ID to sign or decrypt #使用用户id来解密 -z N set compress level to N (0 disables) #压缩等级 --textmode use canonical text mode #使用标准文本模式 -o, --output FILE write output to FILE #写输出到文件 -v, --verbose verbose #显示过程 -n, --dry-run do not make any changes #不做改变 -i, --interactive prompt before overwriting #覆盖前询问 --openpgp use strict OpenPGP behavior #严格遵守OpenGPG (See the man page for a complete listing of all commands and options) Examples: -se -r Bob [file] sign and encrypt for user Bob --clearsign [file] make a clear text signature --detach-sign [file] make a detached signature --list-keys [names] show keys --fingerprint [names] show fingerprints Please report bugs to <http://bugs.gnupg.org>.[object Object]
对称加密file文件
[[email protected] tmp]# gpg -c file [[email protected] tmp]# ls -l file file file.gpg [[email protected] tmp]# ls -l file.gpg -rw-r--r--. 1 root root 512 Jul 17 15:57 file.gpg
解密文件
[[email protected] tmp]# gpg -o file2 -d file.gpg ls 在hostA上生成公钥私钥对 gpg --gen-key [[email protected] tmp]# gpg --gen-key gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection? 1 RSA keys may be between 1024 and 4096 bits long. What keysize do you want? (2048) 2048 Requested keysize is 2048 bits Please specify how long the key should be valid. 0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0) 4w Key expires at Mon 14 Aug 2017 04:04:01 PM CST Is this correct? (y/N) y GnuPG needs to construct a user ID to identify your key. Real name: yemo Name must be at least 5 characters long Real name: memeda Email address: [email protected] Comment: no You selected this USER-ID: "memeda (no) <[email protected]>" Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o You need a Passphrase to protect your secret key. We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. gpg: key C59856DA marked as ultimately trusted public and secret key created and signed. 使用对称秘钥加密,每次使用秘钥需要输入密码 lqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk x Enter passphrase x x x x x x Passphrase ________________________________________ x x x x <OK> <Cancel> x mqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj
在hostA主机上查看公钥
gpg --list-keys
[[email protected] tmp]# gpg --list-key /root/.gnupg/pubring.gpg ------------------------ pub 2048R/C59856DA 2017-07-17 [expires: 2017-08-14] uid memeda (no) <[email protected]> sub 2048R/BA219184 2017-07-17 [expires: 2017-08-14]
在hostA主机上导出公钥到文件momoda.pubkey
gpg -a --export -o momoda.pubkey
[[email protected] tmp]# gpg -a --export -o momoda.pubkey [[email protected] tmp]# ls -lh momoda.pubkey -rw-r--r--. 1 root root 1.7K Jul 17 16:12 momoda.pubkey
hostA主机上复制公钥文件到需加密的B主机上
scp wang.pubkey hostB:
[[email protected] tmp]# scp momoda.pubkey [email protected]:/root/ The authenticity of host ‘172.17.250.212 (172.17.250.212)‘ can‘t be established. ECDSA key fingerprint is 3e:98:b5:4f:e2:44:f7:df:e5:51:7c:a3:24:52:04:d1. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added ‘172.17.250.212‘ (ECDSA) to the list of known hosts. [email protected]‘s password: Permission denied, please try again. [email protected]‘s password: momoda.pubkey 100% 1731 1.7KB/s 00:00
hostB上 生成公私钥对
[[email protected] ~]# gpg --gen-key [[email protected] ~]# gpg --list-key /root/.gnupg/pubring.gpg ------------------------ pub 2048R/5C32ECD0 2017-07-17 [expires: 2017-08-14] uid haimo sub 2048R/23F36627 2017-07-17 [expires: 2017-08-14]
hostB导入A的公钥
[[email protected] ~]# gpg --import momoda.pubkey gpg: key C59856DA: public key "memeda (no) <[email protected]>" imported gpg: Total number processed: 1 gpg: imported: 1 (RSA: 1) [[email protected] ~]# gpg --list-key /root/.gnupg/pubring.gpg ------------------------ pub 2048R/5C32ECD0 2017-07-17 [expires: 2017-08-14] uid haimo sub 2048R/23F36627 2017-07-17 [expires: 2017-08-14] pub 2048R/C59856DA 2017-07-17 [expires: 2017-08-14] uid memeda (no) <[email protected]> sub 2048R/BA219184 2017-07-17 [expires: 2017-08-14]
用从hostA主机导入的公钥,加密hostB主机的文件file,生成file.gpg
[[email protected] ~]# gpg -e -r memeda file gpg: BA219184: There is no assurance this key belongs to the named user pub 2048R/BA219184 2017-07-17 memeda (no) <[email protected]> Primary key fingerprint: 7C32 1116 B70B 7762 A94D F85A B7EC 75FF C598 56DA Subkey fingerprint: 5D77 4DA0 AF72 C988 EDE0 BC79 9F8E 3973 BA21 9184 It is NOT certain that the key belongs to the person named in the user ID. If you *really* know what you are doing, you may answer the next question with yes. Use this key anyway? (y/N) y [[email protected] ~]# ls anaconda-ksost.cfg file file.gpg initial-setup-ks.cfg momoda.pubkey original-ks.cfg test
复制文件到hostA
[[email protected] ~]# scp file.gpg [email protected]:/tmp/ The authenticity of host ‘172.17.251.145 (172.17.251.145)‘ can‘t be established. ECDSA key fingerprint is 0b:42:00:5d:5e:47:36:34:a4:37:a3:16:12:18:ec:94. Are you sure you want to continue connecting (yes/no)? yes Warning: Permanently added ‘172.17.251.145‘ (ECDSA) to the list of known hosts. [email protected]‘s password: file.gpg 100% 659 0.6KB/s 00:00
在hostA中使用私钥解密文件
[[email protected] tmp]# gpg -d file.gpg You need a passphrase to unlock the secret key for user: "memeda (no) <[email protected]>" 2048-bit RSA key, ID BA219184, created 2017-07-17 (main key ID C59856DA) gpg: encrypted with 2048-bit RSA key, ID BA219184, created 2017-07-17 "memeda (no) <[email protected]>" # # /etc/fstab # Created by anaconda on Sun May 14 05:22:45 2017 # # Accessible filesystems, by reference, are maintained under ‘/dev/disk‘ # See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info # UUID=61f2ffd9-1745-4d97-bdc6-9d7fa4c8e9b2 / xfs defaults 0 0 UUID=2c7fe7ac-7664-49f0-8f2b-03d23b52262b /boot xfs defaults 0 0 UUID=2edbee5c-f153-492b-a837-4b72fafcc482 /usr xfs defaults 0 0 UUID=968c4242-bfa8-49db-8d2b-a43c81013e5f swap swap defaults 0 0
删除公钥和私钥
[[email protected] tmp]# gpg --delete-secret-keys memeda [[email protected] tmp]# gpg --delete-keys memeda [[email protected] tmp]# gpg --list-key gpg: checking the trustdb gpg: no ultimately trusted keys found
时间: 2024-08-01 15:50:15