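[Demo environment: CentOS 5.7, gpg]
GPG (an open source implementation of the OpenPGP IETF standard crypto system). GPG generates a public/private key pair: the private key is kept secret by its owner, and the public key is published. Others encrypt files with my public key, and I decrypt them with my private key. Alternatively, I sign a file with my private key, and the other party verifies the file's authenticity with my public key.
[Advantages]: 1. Encryption needs no password; the corresponding public key only has to be present on the system. 2. Decryption requires both the private key and the passphrase that protects it, giving two layers of protection.
Create a key pair: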
- #gpg --gen-key
- [root@client ~]# gpg --gen-key
- gpg (GnuPG) 1.4.5; Copyright (C) 2006 Free Software Foundation, Inc.
- This program comes with ABSOLUTELY NO WARRANTY.
- This is free software, and you are welcome to redistribute it
- under certain conditions. See the file COPYING for details.
- Please select what kind of key you want:
- (1) DSA and Elgamal (default)
- (2) DSA (sign only)
- (5) RSA (sign only)
- Your selection? 1 (choose the key type)
- DSA keypair will have 1024 bits.
- ELG-E keys may be between 1024 and 4096 bits long.
- What keysize do you want? (2048)
- Requested keysize is 2048 bits
- Please specify how long the key should be valid.
- 0 = key does not expire
- <n> = key expires in n days
- <n>w = key expires in n weeks
- <n>m = key expires in n months
- <n>y = key expires in n years
- Key is valid for? (0) 1y (choose the key validity period)
- Key expires at Wed 06 Mar 2013 04:47:35 PM CST
- Is this correct? (y/N) y (confirm)
- You need a user ID to identify your key; the software constructs the user ID
- from the Real Name, Comment and Email Address in this form:
- "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
- Real name: tttttt (user name)
- Email address: test@126.com (email)
- Comment: hhhhhh (comment)
- You selected this USER-ID:
- "ttttt (hhhhhh) <test@126.com>"
- Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O (save)
- You need a Passphrase to protect your secret key.
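- Enter passphrase: xxxxxx (this is not the private key itself; it is the passphrase that protects the private key, and it is needed when decrypting)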
- We need to generate a lot of random bytes. It is a good idea to perform
- some other action (type on the keyboard, move the mouse, utilize the
- disks) during the prime generation; this gives the random number
- generator a better chance to gain enough entropy.
- +++++++++++++++++++++++++...+++++.++++++++++++++++++++.++++++++++++++++++++++++++++++.++++++++++++++++++++++++++++++++++++++++++++++++++>.++++++++++.....+++++
- We need to generate a lot of random bytes. It is a good idea to perform
- some other action (type on the keyboard, move the mouse, utilize the
- disks) during the prime generation; this gives the random number
- generator a better chance to gain enough entropy.
- ..+++++++++++++++++++++++++...+++++.+++++++++++++++++++++++++++++++++++++++++++++.+++++.+++++++++++++++..+++++++++++++++.+++++++++++++++..+++++++++++++++.+++++>.++++++++++>+++++>+++++.>+++++............................+++++^^^
- gpg: key 6B180A56 marked as ultimately trusted
- public and secret key created and signed.
- gpg: checking the trustdb
- gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
- gpg: depth: 0 valid: 5 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 5u
- gpg: next trustdb check due at 2012-04-04
- pub 1024D/6B180A56 2012-03-06 [expires: 2013-03-06]
- Key fingerprint = CDC4 0517 0772 40DD 9B3A B76D 495C 223C 6B18 0A56
- uid ttttt (hhhhhh) <test@126.com>
- sub 2048g/C453FA82 2012-03-06 [expires: 2013-03-06]
List the keys (a single host can hold several imported public and private keys; list them to see each uid):
- #gpg --list-keys (or gpg -v --fingerprint)
- /root/.gnupg/secring.gpg
- ------------------------
- sec 1024D/91C9DDA0 2012-03-05 [expires: 2012-04-04]
- uid tttttt (hhhhhh) <test@126.com>
- ssb 2048g/61849255 2012-03-05
Back up the public key:
- #gpg -o keyfilename.pub --export 'uid'
Back up the private key:
- #gpg -o keyfilename.sec --export-secret-keys 'uid'
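'uid' is the uid shown in the key listing, i.e. "tttttt (hhhhhh) <test@126.com>". If 'uid' is omitted, all public keys or all private keys are backed up. -o writes the output to the file keyfilename; adding the -a option produces text (ASCII-armored) output, otherwise the output is in binary format.
Then import the public key on the other machine: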
- gpg --import keyfilename.pub
List the public keys:
- #gpg --list-keys (or gpg -v --fingerprint)
Encrypt a file with the public key, producing the file 'file.gpg':
- #gpg --encrypt --recipient 'tttttt (hhhhhh) <test@126.com>' filename
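Transfer the file back to this host, or upload the private key generated on this host to the other machine and import it there; the file can then be decrypted: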
- #gpg --output new-filename --decrypt filename.gpg
- You need a passphrase to unlock the secret key for
- user: "tttttt (hhhhhh) <test@126.com>"
- 2048-bit ELG-E key, ID 61849255, created 2012-03-05 (main key ID 91C9DDA0)
- Enter passphrase:
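When decrypting, there is no need to specify a uid: the program looks up the private key automatically and decrypts if it is present. You must enter the private key's passphrase (the one entered when the key was generated).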
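
The whole procedure above as a non-interactive script, added here as an example and not part of the original article. It assumes GnuPG 2.1 or later (the article uses the interactive 1.4.5 prompts), uses an RSA key instead of the DSA/Elgamal pair, adds a fingerprint comparison after the import, and simulates the two machines with two temporary keyring directories. The user ID, passphrase and file names are constructed.

```bash
#!/usr/bin/env bash
# Added example: the tutorial's steps in batch mode. Two keyring directories
# stand in for the key owner's host (A) and the other machine (B).
# Assumes GnuPG 2.1+; user ID, passphrase and file names are constructed.

fpr_of() {  # print the primary-key fingerprint of user ID $2 in keyring $1
  gpg --homedir "$1" --batch --with-colons --fingerprint "$2" 2>/dev/null |
    awk -F: '$1 == "fpr" { print $10; exit }'
}

gpg_roundtrip() {  # $1 = plaintext; prints the text recovered after decryption
  local work a b uid pass fa fb rc
  work=$(mktemp -d) || return 1
  a="$work/a"; b="$work/b"; uid='demo@example.invalid'; pass='constructed-passphrase'
  mkdir -m 700 "$a" "$b"
  printf '%s' "$1" > "$work/plain.txt"

  # Host A: create the key pair (RSA here, not the DSA/Elgamal pair shown above).
  gpg --homedir "$a" --batch --pinentry-mode loopback --gen-key <<EOF 2>/dev/null || return 1
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Demo User
Name-Email: $uid
Expire-Date: 1y
Passphrase: $pass
%commit
EOF
  # Host A: export only the public key, ASCII-armored (-a).
  gpg --homedir "$a" --batch -a -o "$work/demo.pub" --export "$uid" || return 1

  # Host B: import, then compare fingerprints before relying on the key.
  gpg --homedir "$b" --batch --import "$work/demo.pub" 2>/dev/null || return 1
  fa=$(fpr_of "$a" "$uid"); fb=$(fpr_of "$b" "$uid")
  [ -n "$fa" ] && [ "$fa" = "$fb" ] || { echo "fingerprint mismatch" >&2; return 1; }

  # Host B: encrypt to the verified fingerprint; no passphrase is needed.
  gpg --homedir "$b" --batch --trust-model always --recipient "$fb" \
      --output "$work/plain.txt.gpg" --encrypt "$work/plain.txt" || return 1

  # Host A: decrypt; the passphrase unlocks the secret key.
  gpg --homedir "$a" --batch --quiet --pinentry-mode loopback --passphrase "$pass" \
      --decrypt "$work/plain.txt.gpg" 2>/dev/null
  rc=$?
  GNUPGHOME="$a" gpgconf --kill gpg-agent 2>/dev/null
  rm -rf "$work"
  return $rc
}
```

On a real pair of hosts the two fingerprints are compared over a separate channel (phone, in person) rather than inside one script. A passphrase given with `--passphrase` is visible in the process list, so outside a demo use `--passphrase-fd` or the interactive prompt.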