[Demo environment: CentOS 5.7, gpg]
GPG (an open source implementation of the OpenPGP IETF standard crypto system) generates a public/private key pair: the private key is kept secret by its owner and the public key is published. Others encrypt files to me with my public key and I decrypt them with my private key; or I sign a file with my private key and the other party verifies its authenticity with my public key.
[Advantages]: 1. Encryption needs no password; having the matching public key on the system is enough. 2. Decryption needs both the private key and the passphrase that protects it, two layers of security.
Create a key:
- #gpg --gen-key
- [root@client ~]# gpg --gen-key
- gpg (GnuPG) 1.4.5; Copyright (C) 2006 Free Software Foundation, Inc.
- This program comes with ABSOLUTELY NO WARRANTY.
- This is free software, and you are welcome to redistribute it
- under certain conditions. See the file COPYING for details.
- Please select what kind of key you want:
- (1) DSA and Elgamal (default)
- (2) DSA (sign only)
- (5) RSA (sign only)
- Your selection? 1 (choose the key algorithm)
- DSA keypair will have 1024 bits.
- ELG-E keys may be between 1024 and 4096 bits long.
- What keysize do you want? (2048)
- Requested keysize is 2048 bits
- Please specify how long the key should be valid.
- 0 = key does not expire
- <n> = key expires in n days
- <n>w = key expires in n weeks
- <n>m = key expires in n months
- <n>y = key expires in n years
- Key is valid for? (0) 1y (choose the key validity period)
- Key expires at Wed 06 Mar 2013 04:47:35 PM CST
- Is this correct? (y/N) y (confirm)
- You need a user ID to identify your key; the software constructs the user ID
- from the Real Name, Comment and Email Address in this form:
- "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
- Real name: tttttt (user name)
- Email address: test@126.com (e-mail address)
- Comment: hhhhhh (comment)
- You selected this USER-ID:
- "ttttt (hhhhhh) <test@126.com>"
- Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O (save)
- You need a Passphrase to protect your secret key.
- Enter passphrase: xxxxxx (this is not the private key itself but the passphrase that protects it; it is needed when decrypting)
- We need to generate a lot of random bytes. It is a good idea to perform
- some other action (type on the keyboard, move the mouse, utilize the
- disks) during the prime generation; this gives the random number
- generator a better chance to gain enough entropy.
- +++++++++++++++++++++++++...+++++.++++++++++++++++++++.++++++++++++++++++++++++++++++.++++++++++++++++++++++++++++++++++++++++++++++++++>.++++++++++.....+++++
- We need to generate a lot of random bytes. It is a good idea to perform
- some other action (type on the keyboard, move the mouse, utilize the
- disks) during the prime generation; this gives the random number
- generator a better chance to gain enough entropy.
- ..+++++++++++++++++++++++++...+++++.+++++++++++++++++++++++++++++++++++++++++++++.+++++.+++++++++++++++..+++++++++++++++.+++++++++++++++..+++++++++++++++.+++++>.++++++++++>+++++>+++++.>+++++............................+++++^^^
- gpg: key 6B180A56 marked as ultimately trusted
- public and secret key created and signed.
- gpg: checking the trustdb
- gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
- gpg: depth: 0 valid: 5 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 5u
- gpg: next trustdb check due at 2012-04-04
- pub 1024D/6B180A56 2012-03-06 [expires: 2013-03-06]
- Key fingerprint = CDC4 0517 0772 40DD 9B3A B76D 495C 223C 6B18 0A56
- uid ttttt (hhhhhh) <test@126.com>
- sub 2048g/C453FA82 2012-03-06 [expires: 2013-03-06]
List the keys (a host can hold several imported public/private keys; list them to find the uid):
- #gpg --list-keys (or gpg -v --fingerprint)
- /root/.gnupg/secring.gpg ------------------------
- sec 1024D/91C9DDA0 2012-03-05 [expires: 2012-04-04]
- uid tttttt (hhhhhh) <test@126.com>
- ssb 2048g/61849255 2012-03-05
Back up the public key:
- #gpg -o keyfilename.pub --export 'uid'
Back up the private key:
- #gpg -o keyfilename.sec --export-secret-keys 'uid'
The uid is the uid shown in the key listing, i.e. "tttttt (hhhhhh) <test@126.com>". If 'uid' is omitted, all public keys (or all private keys) are exported. -o writes the output to the file keyfilename; adding the -a option outputs ASCII-armored text, otherwise the output is binary.
Then import the public key on the other machine:
- gpg --import keyfilename.pub
List the public keys:
- #gpg --list-keys (or gpg -v --fingerprint)
Encrypt a file with the public key; this produces 'filename.gpg':
- #gpg --encrypt --recipient 'tttttt (hhhhhh) <test@126.com>' filename
Transfer the encrypted file back to this host, or upload the private key generated here to the other host and import it; either way it can then be decrypted:
- #gpg --output new-filename --decrypt filename.gpg
- You need a passphrase to unlock the secret key for
- user: "tttttt (hhhhhh) <test@126.com>"
- 2048-bit ELG-E key, ID 61849255, created 2012-03-05 (main key ID 91C9DDA0)
- Enter passphrase:
When decrypting, no uid is needed: gpg locates the matching private key automatically and decrypts if it is present. You must enter the private key's passphrase (the one set at generation time).
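The whole procedure on this page run end to end as a script, as an added example that is not from the original post: two throw-away GNUPGHOME directories stand in for the two hosts, the public key is exported from one and imported into the other, the importing side checks the fingerprint before granting the key any trust, the "other host" encrypts and the owner decrypts, and, going one step past the post (which only mentions signing in the introduction), the owner signs a file that the other host verifies. It assumes GnuPG 2.1 or newer (the 1.4.5 build in the session above lacks --pinentry-mode and the batch %-directives), uses an ed25519/cv25519 key in place of the 1024-bit DSA + Elgamal pair offered in 2012, and the passphrase and message text are constructed demo values.

```shell
#!/bin/sh
# Added example (not from the original post): the generate / export / import /
# encrypt / decrypt procedure above, scripted for GnuPG 2.1+.  Two throw-away
# GNUPGHOME directories stand in for the two hosts.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not found; this demo needs GnuPG 2.1+" >&2; exit 1; }

OWNER_HOME=$(mktemp -d)   # "this host": owns the key pair
PEER_HOME=$(mktemp -d)    # "the other host": receives only the public key
chmod 700 "$OWNER_HOME" "$PEER_HOME"
UID_EMAIL=test@126.com                    # uid used in the post
PASSFILE="$OWNER_HOME/passphrase.txt"     # constructed demo passphrase
printf 'demo-passphrase-do-not-reuse\n' > "$PASSFILE"

cleanup() {
    GNUPGHOME="$OWNER_HOME" gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME="$PEER_HOME"  gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$OWNER_HOME" "$PEER_HOME"
}
trap cleanup EXIT

gpg_owner() { GNUPGHOME="$OWNER_HOME" gpg --batch --yes --no-tty --quiet "$@"; }
gpg_peer()  { GNUPGHOME="$PEER_HOME"  gpg --batch --yes --no-tty --quiet "$@"; }

generate_owner_key() {
    # let gpg-agent take the passphrase from the script instead of a pinentry dialog
    echo allow-loopback-pinentry > "$OWNER_HOME/gpg-agent.conf"
    # same answers as the interactive session (name, comment, e-mail, 1y expiry),
    # with a modern key type instead of 1024-bit DSA + Elgamal
    gpg_owner --pinentry-mode loopback --gen-key <<EOF
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Subkey-Type: ecdh
Subkey-Curve: cv25519
Subkey-Usage: encrypt
Name-Real: tttttt
Name-Comment: hhhhhh
Name-Email: $UID_EMAIL
Expire-Date: 1y
Passphrase: $(cat "$PASSFILE")
%commit
EOF
}

fingerprint_of() {   # $1 = wrapper function; prints the primary key fingerprint
    "$1" --with-colons --fingerprint "$UID_EMAIL" | awk -F: '$1 == "fpr" { print $10; exit }'
}

export_public_key() {   # the post's "gpg -a -o keyfilename.pub --export 'uid'"
    gpg_owner --armor --output "$1" --export "$UID_EMAIL"
}

import_and_trust() {    # $1 = exported public key, $2 = fingerprint confirmed out of band
    gpg_peer --import "$1"
    [ "$(fingerprint_of gpg_peer)" = "$2" ] || { echo "fingerprint mismatch, not trusting key" >&2; return 1; }
    # owner trust (6 = ultimate) is granted only after the fingerprint matched; without it
    # batch encryption stops with "There is no assurance this key belongs to the named user"
    echo "$2:6:" | gpg_peer --import-ownertrust
}

encrypt_on_peer()  { gpg_peer  --output "$2" --encrypt --recipient "$UID_EMAIL" "$1"; }
decrypt_as_owner() { gpg_owner --pinentry-mode loopback --passphrase-file "$PASSFILE" --output "$2" --decrypt "$1"; }
sign_as_owner()    { gpg_owner --pinentry-mode loopback --passphrase-file "$PASSFILE" --output "$2" --detach-sign "$1"; }
verify_on_peer()   { gpg_peer  --verify "$2" "$1"; }   # $1 = file, $2 = detached signature

round_trip() {   # $1 = message; prints what the owner recovers after the peer encrypted it
    w=$(mktemp -d)
    printf '%s' "$1" > "$w/plain.txt"
    encrypt_on_peer "$w/plain.txt" "$w/plain.txt.gpg"
    decrypt_as_owner "$w/plain.txt.gpg" "$w/recovered.txt"
    cat "$w/recovered.txt"
    rm -rf "$w"
}

peer_secret_key_count() {   # the peer imported only the public key, so this prints 0
    gpg_peer --with-colons --list-secret-keys | grep -c '^sec:' || true
}

signature_verifies() {   # $1 = message; succeeds iff the peer verifies the owner's signature
    w=$(mktemp -d)
    printf '%s' "$1" > "$w/doc.txt"
    sign_as_owner "$w/doc.txt" "$w/doc.txt.sig"
    rc=0; verify_on_peer "$w/doc.txt" "$w/doc.txt.sig" 2>/dev/null || rc=$?
    rm -rf "$w"
    return $rc
}

generate_owner_key
FPR=$(fingerprint_of gpg_owner)
export_public_key "$OWNER_HOME/keyfilename.pub"
import_and_trust "$OWNER_HOME/keyfilename.pub" "$FPR"
echo "fingerprint: $FPR"
echo "recovered:   $(round_trip 'hello from the other host')"
echo "peer secret keys: $(peer_secret_key_count)"
```

The fingerprint comparison is the step the interactive session leaves to the human when it prints `Key fingerprint = ...`: the receiving side has no way to tell an imported key that merely claims to be "tttttt" from the one actually exported, so owner trust is granted only once the fingerprint obtained out of band matches the imported key. The zero secret-key count on the peer is the property the post's second "advantage" relies on: whoever holds only the public key can encrypt, but cannot decrypt.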