gpg加密实践

gpg文件加密

测试环境 linux ubuntu

1.创建秘钥

root@ubuntu:~# gpg --gen-key
gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <[email protected]>"

Real name: fczlm
Email address: [email protected]
Comment: gpg test
You selected this USER-ID:
    "fczlm (gpg test) <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

如果报错

Not enough random bytes available. Please do some other work to give
the OS a chance to collect more entropy! (Need 100 more bytes)

执行

apt-get install rng-tools

rng -r /dev/urandom

gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 1A9A90CB marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/1A9A90CB 2023-08-22
      Key fingerprint = E5D3 F137 B2F9 6BFB 0B85  EA08 CE08 06B1 1A9A 90CB
uid                  fczlm (gpg test) <[email protected]>
sub   2048R/FAD977B7 2023-08-22

/root/.gnupg

-rw------- 1 root root 9398 Aug 22 18:03 gpg.conf
-rw------- 1 root root 2384 Aug 22 18:19 pubring.gpg
-rw------- 1 root root 2384 Aug 22 18:19 pubring.gpg~
-rw------- 1 root root  600 Aug 22 18:19 random_seed
-rw------- 1 root root 5172 Aug 22 18:19 secring.gpg
-rw------- 1 root root 1360 Aug 22 18:19 trustdb.gpg

公钥：pubring.gpg，私钥：secring.gpg

公钥的密钥ID 1A9A90CB

私钥密码是解密时需要的，密钥ID是对文件进行加密需要的。

2. 生成撤销证书

可选，以备密钥作废时，请求外部的公钥服务器撤销公钥。

root@ubuntu:~/.gnupg# gpg --gen-revoke 7FF3CFEC

sec  2048R/7FF3CFEC 2023-08-22 fczlm (gpg test) <[email protected]>

Create a revocation certificate for this key? (y/N) y
Please select the reason for the revocation:
  0 = No reason specified
  1 = Key has been compromised
  2 = Key is superseded
  3 = Key is no longer used
  Q = Cancel
(Probably you want to select 1 here)
Your decision? 0
Enter an optional description; end it with an empty line:
> 
Reason for revocation: No reason specified
(No description given)
Is this okay? (y/N) y

You need a passphrase to unlock the secret key for
user: "fczlm (gpg test) <[email protected]>"
2048-bit RSA key, ID 7FF3CFEC, created 2023-08-22

ASCII armored output forced.
Revocation certificate created.

Please move it to a medium which you can hide away; if Mallory gets
access to this certificate he can use it to make your key unusable.
It is smart to print this certificate and store it away, just in case
your media become unreadable.  But have some caution:  The print system of
your machine might store the data and make it available to others!
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
Comment: A revocation certificate should follow

iQEfBCABAgAJBQJk5JjPAh0AAAoJEKP7Mkd/88/s4rwH/13808TQiv5MuYcitYZl
htvn3wBvz86/bL5tsNNMeiPhtgETNM3wBSKIDe+KOiq97Ow1rGZcEkgUbM/GAoRm
3mBXwOROBsZAEFfK52tp*****e1SEnXNvEePpOqDfVSY
IoLlIxiKoB937wZb52kZ5+wI1stRkrYOxQHfri9W9pDocZ+CQcYCIbgM5fUxtYik
cf5j47sM8rkBio6fn1fsLCeYfV8gKUyZ3BiUpvt4983tFVnQIppCiS31LCDmHqQ3
Px3FOAvqdj7ndjMJdsbNWG/x/yu/0wYt/jzGx12ykN/LMP979bbEu4sT0a+9H/y0
2rk=
=5m9j
-----END PGP PUBLIC KEY BLOCK-----

3.秘钥管理

列出秘钥

gpg -k 或者 gpg --list-keys 　　        //列举公钥
gpg -K 或者 gpg --list-secret-keys　　　//列举私钥

删除秘钥

gpg --delete-key [用户ID] 　　　　　　  # 删除公钥
gpg --delete-secret-keys [用户ID] 　　 # 删除私钥

导出秘钥

gpg --armor  --export [用户ID] --output public-key.txt

gpg --armor  --export-secret-keys --output private-key.txt

4.加解密

加密text.txt

gpg --recipient [用户ID] --output test.txt.gpg --encrypt test.txt

解密

gpg --output test2.txt --decrypt test.txt.gpg 

输入密码即可