gpg命令的使用
一, linux环境
挂载linux光盘安装gnupg-1.4.5-14.i386.rpm
这个是redhat5.4 x86安装光盘下的包,其它版本的系统包名的版本号不一样。
[root@localhost ~]# mount /dev/cdrom /mnt
mount: block device /dev/cdrom is write-protected, mounting read-only
[root@localhost ~]# cd /mnt/Server/
[root@localhost Server]# rpm -ivh pinentry-0.7.3-3.el5.i386.rpm
warning: pinentry-0.7.3-3.el5.i386.rpm: Header V3 DSA signature: NOKEY, key ID 37017186
Preparing... ########################################### [100%]
1:pinentry ########################################### [100%]
[root@localhost Server]#
执行gpg --gen-key命令生成密钥对:
[root@localhost ~]# gpg --gen-key
gpg (GnuPG) 1.4.5; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection? //选择加密算法,默认回车
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) //选择加密长度,长度越长加密越安全,加密速度越慢,默认回车
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
--
Key is valid for? (0) //指定密钥过期时间,0为永不过期,默认回车
Key does not expire at all
Is this correct? (y/N) y //输入y确认
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <[email protected]>"
Real name: //指定密钥id,长度需要超过6个字符
Email address:
Comment:
You selected this USER-ID:
"jerry"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O //按o,输入密码,生成密钥
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy. //这个时候需要任意敲键盘,或者移动鼠标,获取随机数
++++++++++..+++++.+++++++++++++++++++++++++.+++++.++++++++++.++++++++++++++++++++++++++++++++++++++++.+++++.+++++...+++++++++++++++++++++++++.+++++..................+++++
djsalfjd lasjf dlja ldfjal;jfdlasjfldjsalfjdaslfjdalkjfdklasjfldjaslkfjdlkasjfldjaslfjdlasjfldjasfljdaslfjdlasjflkdjaslfjdlaskjfldskajfldjsalfkjdlaskfjldksjaflkjdaslkjfldksjaflkjdslafjdkljsaflkjslkajfldasjflkjldjsafljdaslfjldsjafljdaslfjldkasjflkjdlasfjdlskajfkljdslakjflksajflkjdslakjfdlkajfdlkasjfldkjaslfjdasljfldjsafljdaslfjldjasfljdslafjldjsalfjdlasjfldjaslfjlasdjfljdsalfjdlasjflsdjafljdlasjfldjlafjldjlafkjdlkasjWe need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++.fl+++++++++++++++..+++++...+++++.++++++++++++++++++++..+++++++++++++++...+++++++++++++++++++++++++..++++++++++...+++++.+++++..++++++++++++++++++++.+++++.+++++++j+++>.+++++.+++++>+++++d..l.a......>+++++......................<..+++++.+++++^^^^
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 8831F866 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 1024D/8831F866 2013-07-04
Key fingerprint = 7D85 BF3A 25CF B97C 139A F17D D4BD 8E36 8831 F866
uid jerry
sub 2048g/F439A572 2013-07-04
上面命令成功执行后,会在当前用户下创建一个.gnupg的隐藏目录,secring.gpg为私钥,pubring.gpg为公钥
查看刚才生成的密钥对:
[root@localhost ~]# gpg �CK //查看私钥
/root/.gnupg/secring.gpg
------------------------
sec 1024D/8831F866 2013-07-04
uid jerry
ssb 2048g/F439A572 2013-07-04
[root@localhost ~]# gpg �Ck //查看公钥
/root/.gnupg/pubring.gpg
------------------------
pub 1024D/8831F866 2013-07-04
uid jerry
sub 2048g/F439A572 2013-07-04
文件加密:当生成了一对钥匙后就可以对文件加密和签名。
添加两个账号来说明gpg(jerry,summer)命令的具体用法
[root@localhost ~]#useradd jerry
[root@localhost ~]#useradd summer
[root@localhost ~]#passwd jerry
[root@localhost ~]#passwd summer
切换到jerry和summer用户执行gpg --gen-key命令按照前面的步骤生成一对钥匙,下面是密钥对生成后的显示结果
[jerry@localhost ~]$ gpg �Ck //jerry账号
/home/jerry/.gnupg/pubring.gpg
----------------------------------
pub 1024D/C9553897 2013-07-05
uid jerry
sub 2048g/C2B3AABD 2013-07-05
[jerry@localhost ~]$ gpg -K
/home/jerry/.gnupg/secring.gpg
----------------------------------
sec 1024D/C9553897 2013-07-05
uid jerry
ssb 2048g/C2B3AABD 2013-07-05
[summer@localhost ~]$ gpg �Ck //summer 账号
/home/summer/.gnupg/pubring.gpg
----------------------------
pub 1024D/F7348A7C 2013-07-05
uid summer
sub 2048g/881AEA95 2013-07-05
[summer@localhost ~]$ gpg -K
/home/summer/.gnupg/secring.gpg
----------------------------
sec 1024D/F7348A7C 2013-07-05
uid summer
ssb 2048g/881AEA95 2013-07-05
导出jerry的公钥,默认以二进制文件存储,添加-a参数以ascii存储
[jerry@localhost ~]$ gpg --export -a jerry > jerry.key
[jerry@localhost ~]$ ls
jerry.key
加密文件
[jerry@localhost ~]$ cp /etc/passwd
[jerry@localhost ~]$ ls
passwd jerry.key
使用-c参数加密,输入密码,会生成一个以gpg为后缀的文件
[jerry@localhost ~]$ gpg -c passwd
[jerry@localhost ~]$ ls
passwd passwd.gpg jerry.key
这种加密方式只需要知道加密的密码就可以解密,下面是通过summer账号登陆解密
[jerry@localhost ~]$ cp passwd.gpg /tmp
使用-v 参数解密
[summer@localhost ~]$ cp /tmp/passwd.gpg .
[summer@localhost ~]$ gpg -v passwd.gpg
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: original file name='passwd'
gpg: WARNING: message was not integrity protected
[summer@localhost ~]$ ls
passwd passwd.gpg
[summer@localhost ~]$ tail -n 2 passwd
summer:x:503:504::/home/summer:/bin/bash
summer:x:504:505::/home/summer:/bin/bash
可以看到只要通过gpg �Cv和加密密码就可以解密文件,这种不适用
下面通过jerry的私钥对数据进行签名,接受者summer通过jerry的公钥对其信任并使用它验证接受数据的完整性。
[jerry@localhost ~]$ rm -rf passwd.gpg
[jerry@localhost ~]$ gpg --sign passwd //可以通过―output参数生成自定义文件
You need a passphrase to unlock the secret key for
user: "jerry"
1024-bit DSA key, ID C9553897, created 2013-07-05
[jerry@localhost ~]$ ls
passwd passwd.gpg jerry.key
生成了以gpg为后缀的文件,
用summer账号将jerry的公钥导入,并且验证签名
[jerry@localhost ~]$ cp passwd.gpg jerry.key /tmp
导入公钥:
[summer@localhost ~]$ gpg --import /tmp/jerry.key
gpg: key C9553897: public key "jerry" imported
gpg: Total number processed: 1
gpg: imported: 1
[summer@localhost ~]$ gpg �Ck //公钥成功导入
/home/summer/.gnupg/pubring.gpg
----------------------------
pub 1024D/F7348A7C 2013-07-05
uid summer
sub 2048g/881AEA95 2013-07-05
pub 1024D/C9553897 2013-07-05
uid jerry
sub 2048g/C2B3AABD 2013-07-05
[summer@localhost ~]$ cp /tmp/passwd.gpg .
[summer@localhost ~]$ ls
passwd.gpg
先将公钥删除,看看是否可以解密
[summer@localhost ~]$ gpg --delete-keys jerry
gpg (GnuPG) 1.4.5; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
pub 1024D/C9553897 2013-07-05 jerry
Delete this key from the keyring? (y/N) y
[summer@localhost ~]$ ls
passwd.gpg
[summer@localhost ~]$ gpg -v passwd.gpg
gpg: original file name='passwd'
gpg: Signature made Fri 05 Jul 2013 07:57:43 PM CST using DSA key ID C9553897
gpg: Can't check signature: public key not found
[summer@localhost ~]$ ls
passwd passwd.gpg
报“public key not found“错误信息,但是依然可以解密文件,但是无法知道解密后文件数据的完整性,因此需要通过公钥验证是否就是jerry发过来的文件
导入公钥
[summer@localhost ~]$ gpg --import /tmp/jerry.key
gpg: key C9553897: public key "jerry" imported
gpg: Total number processed: 1
gpg: imported: 1
导入后首先和对方核对公钥指纹信息是否准确,因为指纹信息唯一 ,防止他人篡改签名
[summer@localhost ~]$ gpg --fingerprint jerry
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 1 signed: 0 trust: 1-, 0q, 0n, 0m, 0f, 0u
pub 1024D/C9553897 2013-07-05
Key fingerprint = 9E63 CADD 286C 1856 E4F7 6128 3BD1 7DEF C955 3897
uid jerry
sub 2048g/C2B3AABD 2013-07-05
[jerry@localhost ~]$ ls
passwd passwd.asc jerry.key
[jerry@localhost ~]$ cp passwd.asc /tmp
[jerry@localhost ~]$ gpg --fingerprint jerry
pub 1024D/C9553897 2013-07-05
Key fingerprint = 9E63 CADD 286C 1856 E4F7 6128 3BD1 7DEF C955 3897
uid jerry
sub 2048g/C2B3AABD 2013-07-05
在成功导入确定这个公钥是可以信任后,就立即对这个公钥进行签名。这样就可以验证该文件的真实性了
[summer@localhost ~]$ gpg --sign-key jerry
pub 1024D/C9553897 created: 2013-07-05 expires: never usage: SC
trust: unknown validity: unknown
sub 2048g/C2B3AABD created: 2013-07-05 expires: never usage: E
[ unknown] (1). jerry
pub 1024D/C9553897 created: 2013-07-05 expires: never usage: SC
trust: unknown validity: unknown
Primary key fingerprint: 9E63 CADD 286C 1856 E4F7 6128 3BD1 7DEF C955 3897
jerry
Are you sure that you want to sign this key with your
key "summer" (F7348A7C)
Really sign? (y/N) y
You need a passphrase to unlock the secret key for
user: "summer"
1024-bit DSA key, ID F7348A7C, created 2013-07-05
验证签名ID是否为jerry
[summer@localhost ~]$ gpg --verify passwd.gpg
gpg --verify passwd.gpg
gpg: Signature made Fri 05 Jul 2013 07:57:43 PM CST using DSA key ID C9553897
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 1 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 1 signed: 0 trust: 1-, 0q, 0n, 0m, 0f, 0u
gpg: Good signature from "jerry"
用下面命令解密
[summer@localhost ~]$ gpg --output verify.txt --decrypt passwd.gpg
gpg: Signature made Fri 05 Jul 2013 07:57:43 PM CST using DSA key ID C9553897
gpg: Good signature from "jerry"
[summer@localhost ~]$ ls
passwd.gpg verify.txt
这个命令需要添加―output参数生成验证后的文件verify.txt 如果使用gpg -decrypt passwd.gpg 只能显示文件内容,同样可以使用gpg -v passwd.gpg解密文件
[summer@localhost ~]$ gpg -v passwd.gpg
gpg: original file name='passwd'
gpg: Signature made Fri 05 Jul 2013 07:57:43 PM CST using DSA key ID C9553897
gpg: using PGP trust model
gpg: Good signature from "jerry"
gpg: binary signature, digest algorithm SHA1
收到jerry的公钥后,就可以使用公钥做数字加密,同时用自己的私钥签名。
[summer@localhost ~]$ ls
passwd passwd.gpg
[summer@localhost ~]$ rm -rf *
[summer@localhost ~]$ cp /etc/group .
通过下面命令加密和签名,需要输入summer私钥密码完成签名
-e 参数表示加密文件
-a 以asc存储
-r 指定使用哪个userID的公钥加密,当然要使用对方的公钥(不能使用自己的公钥加密,私钥是本人才持有的,这样对方就没办法解密了)
[summer@localhost ~]$ gpg --sign -ear jerry group
You need a passphrase to unlock the secret key for
user: "summer"
1024-bit DSA key, ID F7348A7C, created 2013-07-05
[summer@localhost ~]$ ls
group group.asc
再生成一个没有签名的文件group2.txt,用来等会验证,因为不用签名所以这条命令直接生成了文件
[summer@localhost ~]$ gpg --output group2.txt -ear jerry group
[summer@localhost ~]$ ls
group group2.txt group.asc
先用jerry解密group2.txt
[summer@localhost ~]$ cp group.asc group2.txt /tmp
[jerry@localhost ~]$ ls
passwd.gpg jerry.key
[jerry@localhost ~]$ rm -rf passwd.gpg
[jerry@localhost ~]$ gpg --output group2 --decrypt /tmp/group2.txt
You need a passphrase to unlock the secret key for
user: "jerry"
2048-bit ELG-E key, ID C2B3AABD, created 2013-07-05 (main key ID C9553897)
gpg: encrypted with 2048-bit ELG-E key, ID C2B3AABD, created 2013-07-05
"jerry"
[jerry@localhost ~]$ ls
group2 jerry.key
解密group.asc
[jerry@localhost ~]$ gpg --output group --decrypt /tmp/group.asc
You need a passphrase to unlock the secret key for
user: "jerry"
2048-bit ELG-E key, ID C2B3AABD, created 2013-07-05 (main key ID C9553897)
gpg: encrypted with 2048-bit ELG-E key, ID C2B3AABD, created 2013-07-05
"jerry"
gpg: Signature made Fri 05 Jul 2013 08:52:00 PM CST using DSA key ID F7348A7C
gpg: Can't check signature: public key not found
这里提示Can't check signature: public key not found,因此我们需要summer的公钥来验证签名
[summer@localhost ~]$ gpg --export -a summer > /tmp/summer.key
[summer@localhost ~]$ ll /tmp/summer.key
-rw-rw-r-- 1 summer summer 1645 Jul 5 21:10 /tmp/summer.key
导入summer的公钥来验证签名,当然这里也要确定对方法过来的公钥是否被篡改,前面已经提到
[jerry@localhost ~]$ gpg --import /tmp/summer.key
gpg: key F7348A7C: public key "summer" imported
gpg: Total number processed: 1
gpg: imported: 1
[jerry@localhost ~]$ gpg -k
/home/jerry/.gnupg/pubring.gpg
----------------------------------
pub 1024D/C9553897 2013-07-05
uid jerry
sub 2048g/C2B3AABD 2013-07-05
pub 1024D/F7348A7C 2013-07-05
uid summer
sub 2048g/881AEA95 2013-07-05
再次解密数字签名的文件group.asc
[jerry@localhost ~]$ gpg --output group --decrypt /tmp/group.asc
You need a passphrase to unlock the secret key for
user: "jerry"
2048-bit ELG-E key, ID C2B3AABD, created 2013-07-05 (main key ID C9553897)
gpg: encrypted with 2048-bit ELG-E key, ID C2B3AABD, created 2013-07-05
"jerry"
gpg: Signature made Fri 05 Jul 2013 08:52:00 PM CST using DSA key ID F7348A7C
gpg: Good signature from "summer"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 9981 7AF0 0068 4CCE 1613 45B3 AF14 4AFA F734 8A7C
验证签名,并且解密成功
二,windows环境
安装包gnupg-1.2.2-w32cli.zip,该软件包不用安装解压即可使用
1, 解压安装包到C盘根目录命令为gnupg
2, 添加c:\gnupg到环境变量,添加完成后可以通过”gpg �Chelp”测试是否添加成功
3, 和linux使用完全一样
需要注意的是生成密钥会放在c:\gnupg目录下,windows下不会自动创建这个目录(也许是版本问题,linux下可以自动创建),因此前面把安装包直接命名为了gnupg,如果没有这个目录会报下面的错误
gpg: no writable public keyring found: eof
Key generation failed: eof
gpg: can't create `c:/gnupg\random_seed': No such file or directory
下面是gpg其它的一些常用命令,具体用法可看帮助
一、生成密钥对
$gpg �Cgen-key
二、查看公钥
$ gpg --list-key
三、查看私钥
$ gpg --list-secret-key
四、公钥删除
$ gpg --delete-keys 标识名
五、私钥删除
$ gpg --delete-secret-keys 标识名
六、公钥导出
$ gpg --export 标识名 > 导出文件名(多以asc为文件后缀)
七、私钥导出
$ gpg --export-secret-key 标识名 > 导出文件名(多以asc为文件后缀)
八、密钥导入
$ gpg --import 密钥文件
九、加密文件
$ gpg --recipient 标识名 --encrypt 文件名
十、解密文件
$ gpg --output 新文件名 --decrypt 加密文件名
十一、修改密钥
$ gpg --edit-key 标识名