Understanding the encryption and decryption process in detail
Lab preparation
Distribution    IP address    Hostname
CentOS6         172.20.3.6    node1
CentOS7         172.20.3.7    node2
CentOS8         172.20.3.8    node3
The gpg encryption software
[root@centos6 ~]# yum -y install gnupg2
[root@centos6 ~]# yum info gnupg2
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
Installed Packages
Name : gnupg2
Arch : x86_64
Version : 2.0.14
Release : 8.el6
Size : 5.8 M
Repo : installed
From repo : anaconda-CentOS-201806291108.x86_64
Summary : Utility for secure communication and data
: storage
URL : http://www.gnupg.org/
License : GPLv3+
Description : GnuPG is GNU's tool for secure communication
: and data storage. It can be used to encrypt
: data and to create digital signatures. It
: includes an advanced key management facility
: and is compliant with the proposed OpenPGP
: Internet standard as described in RFC2440 and
: the S/MIME standard as described by several
: RFCs.
:
: GnuPG 2.0 is a newer version of GnuPG with
: additional support for S/MIME. It has a
: different design philosophy that splits
: functionality up into several modules. The
: S/MIME and smartcard functionality is provided
: by the gnupg2-smime package.
Main programs and configuration files in the gnupg2 package:
[root@centos6 ~]# rpm -ql gnupg2
/etc/gnupg
/etc/gnupg/gpgconf.conf
/usr/bin/gpg
/usr/bin/gpg-agent
/usr/bin/gpg-connect-agent
/usr/bin/gpg-zip
/usr/bin/gpg2
/usr/bin/gpgconf
/usr/bin/gpgkey2ssh
/usr/bin/gpgparsemail
/usr/bin/gpgsplit
/usr/bin/gpgv
/usr/bin/gpgv2
...
(remaining output omitted)
1. Encrypting and decrypting a file with gpg
On node1, create the file file1.txt and encrypt it with gpg
[root@centos6 gnupg.dir]# echo "Nanjing_Bokebi" > file1.txt
[root@centos6 gnupg.dir]# cat file1.txt
Nanjing_Bokebi
# After pressing Enter, set an encryption passphrase and confirm it
[root@centos6 gnupg.dir]# gpg -c file1.txt
This produces the encrypted file file1.txt.gpg
[root@centos6 gnupg.dir]# ll
total 8
-rw-r--r-- 1 root root 15 Nov 7 13:01 file1.txt
-rw-r--r-- 1 root root 63 Nov 7 13:03 file1.txt.gpg
# The real content of the encrypted file cannot be read
[root@centos6 gnupg.dir]# cat file1.txt.gpg
Pͼ𫈗ǮZÿMͥ0𩺡:¨M"Q6L¿>=
Use scp to send the encrypted file file1.txt.gpg to node2, then decrypt it on node2 with gpg
[root@centos6 gnupg.dir]# scp file1.txt.gpg 172.20.3.7:/root/
The authenticity of host '172.20.3.7 (172.20.3.7)' can't be established.
RSA key fingerprint is ce:d0:eb:ab:cc:eb:6c:f9:a1:74:b0:c8:73:fc:6d:ee.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.20.3.7' (RSA) to the list of known hosts.
root@172.20.3.7's password:
file1.txt.gpg 100% 63 0.1KB/s 00:00
[root@centos7 ~]# ls file1.txt.gpg
file1.txt.gpg
# After pressing Enter, type the encryption passphrase to decrypt
[root@centos7 ~]# gpg -o file1.txt -d file1.txt.gpg
2. Generating a key pair with gpg
First, install rng-tools, the entropy-pool replenishment service, to make the lab easier; otherwise key generation may hang waiting for entropy
# Download and install
[root@centos6 gnupg.dir]# yum -y install rng-tools
# Restart the rngd service
[root@centos6 gnupg.dir]# service rngd restart
Stopping rngd: [ OK ]
Starting rngd: Unable to open file: /dev/tpm0
[ OK ]
Use gpg --gen-key to generate the public/private key pair
[root@centos6 gnupg.dir]# gpg --gen-key
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
# Select the key type; 1 is the default, RSA
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?
# Select the key length; the default is 2048
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
# Select the key expiry; the default 0 means the key never expires
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
# Confirm
Key does not expire at all
Is this correct? (y/N) y
# Enter the user's name
GnuPG needs to construct a user ID to identify your key.
Real name: bokebi
# Email address; may be left blank, then confirm
Email address:
# Comment; may be left blank, then confirm
Comment:
# Confirm or change; o confirms
You selected this USER-ID:
"bokebi6"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
Look at the generated key pair: pubring is the public keyring and secring the private keyring. Neither file can be viewed directly with cat; the output is garbled binary
[root@centos6 .gnupg]# cd ~
[root@centos6 ~]# cd .gnupg/
[root@centos6 .gnupg]# ll
total 36
-rw-------. 1 root root 7856 Oct 19 20:38 gpg.conf
drwx------ 2 root root 4096 Nov 7 13:02 private-keys-v1.d
-rw------- 1 root root 3495 Nov 7 13:37 pubring.gpg
-rw------- 1 root root 3495 Nov 7 13:37 pubring.gpg~
-rw------- 1 root root 600 Nov 7 13:37 random_seed
-rw------- 1 root root 7477 Nov 7 13:37 secring.gpg
-rw-------. 1 root root 1440 Nov 7 13:37 trustdb.gpg
Use gpg --armor --export --output magedu.pubkey to export the public key (the command below uses the short forms -a and -o and the file name bokebi6.pubkey)
# Export the public key to the given file name
[root@centos6 .gnupg]# gpg -a --export -o bokebi6.pubkey
[root@centos6 .gnupg]# cat bokebi6.pubkey
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.14 (GNU/Linux)
mQENBF3DvUkBCACpVwW8oY8GSHpVqbZCuuKnifYNkm9Q0U1jX+sPXOa2pmZii0tM
EeNJD51TP7qim1a0TGRa5lLdVykxaI5fVGDU1H/8MR+YW3+jLUSTBkT9GKFWT+Df
UKQ8U2xvwqfIaPXw6FADXJuQ2YA6U6WjfWyzr343XerUADGwcrlpHIgoUiFFVtsT
...
(remaining output omitted)
3. On node2, encrypt data with node1's public key, then decrypt it on node1 with the private key
Copy node1's public key to node2
[root@centos6 .gnupg]# scp bokebi6.pubkey 172.20.3.7:/root/
root@172.20.3.7's password:
bokebi.pubkey 100% 4815 4.7KB/s 00:00
On node2, generate node2's own key pair with gpg
[root@centos7 ~]# rm -rf .gnupg
[root@centos7 ~]# yum -y install rng-tools
[root@centos7 ~]# systemctl restart rngd
# Generate the key pair with the same settings as on node1
[root@centos7 ~]# gpg --gen-key
Check which keys node2 has, then import node1's public key
# List node2's keys
[root@centos7 ~]# gpg --list-key
/root/.gnupg/pubring.gpg
------------------------
pub 2048R/45C55C25 2019-11-07
uid bokebi7
sub 2048R/690CF7EF 2019-11-07
# Import node1's public key
[root@centos7 ~]# gpg --import bokebi6.pubkey
gpg: key 5DF06D29: public key "bokebi6" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
[root@centos7 ~]# gpg --list-key
/root/.gnupg/pubring.gpg
------------------------
pub 2048R/45C55C25 2019-11-07
uid bokebi7
sub 2048R/690CF7EF 2019-11-07
pub 2048R/5DF06D29 2019-11-07
uid bokebi6
sub 2048R/E5592B42 2019-11-07
Encrypt file2 with node1's public key (user ID bokebi6)
[root@centos7 gnupg.dir]# echo "ilinux.io" > file2
[root@centos7 gnupg.dir]# gpg -e -r bokebi6 file2
gpg: E5592B42: There is no assurance this key belongs to the named user
pub 2048R/E5592B42 2019-11-07 bokebi6
Primary key fingerprint: 1F47 3554 E11D B4FB EE40 A6D3 5157 9FEE 5DF0 6D29
Subkey fingerprint: B209 DE86 2A5E EBD7 B14F 4F4F 5A97 1164 E559 2B42
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N) y
[root@centos7 gnupg.dir]# ll
total 8
-rw-r--r-- 1 root root 10 Nov 7 15:23 file2
-rw-r--r-- 1 root root 347 Nov 7 15:24 file2.gpg
Copy the encrypted file to node1
[root@centos7 gnupg.dir]# scp file2.gpg 172.20.3.6:/root/
root@172.20.3.6's password:
file2.gpg 100% 347 68.0KB/s 00:00
Decrypt file2.gpg on node1 (write the plaintext to a separate file rather than over the encrypted input)
[root@centos6 ~]# gpg -o file2 -d file2.gpg
[root@centos6 ~]# cat file2
ilinux.io
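The node1/node2 procedure from sections 1 and 3, as an added example that is not part of the original post, run non-interactively on one machine: two GNUPGHOME directories stand in for node1 and node2, the interactive --gen-key answers become a batch parameter file, and the "Use this key anyway?" prompt is replaced by an explicit fingerprint comparison. It assumes GnuPG 2.1 or newer (for %no-protection and --pinentry-mode loopback) and uses a constructed passphrase.

```shell
# Added example (not from the original post): sections 1 and 3 of the lab run
# non-interactively. $NODE1/$NODE2 stand in for ~/.gnupg on centos6/centos7.
# Assumes GnuPG 2.1+ (%no-protection, --pinentry-mode loopback).
set -eu
WORK=$(mktemp -d); NODE1="$WORK/node1"; NODE2="$WORK/node2"
mkdir -m 700 "$NODE1" "$NODE2"
trap 'GNUPGHOME="$NODE1" gpgconf --kill gpg-agent || true; GNUPGHOME="$NODE2" gpgconf --kill gpg-agent || true; rm -rf "$WORK"' EXIT
# Batch form of the answers given to gpg --gen-key in section 2:
# RSA and RSA, 2048 bits, never expires, user ID $2, no passphrase on the key.
gen_key() {   # $1 = GNUPGHOME, $2 = user ID
  gpg --homedir "$1" --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $2
Expire-Date: 0
%commit
EOF
}
# Primary-key fingerprint of a user ID as 40 hex digits (field 10 of the fpr record).
fingerprint() {   # $1 = GNUPGHOME, $2 = user ID
  gpg --homedir "$1" --with-colons --fingerprint "$2" | awk -F: '$1 == "fpr" { print $10; exit }'
}
# Section 1 in batch form: gpg -c with a scripted passphrase, decrypted from the other homedir.
symmetric_round_trip() {   # $1 = passphrase (constructed sample)
  echo "Nanjing_Bokebi" > "$WORK/file1.txt"
  gpg --homedir "$NODE1" --batch --yes --pinentry-mode loopback --passphrase "$1" -c "$WORK/file1.txt"
  gpg --homedir "$NODE2" --batch --yes --pinentry-mode loopback --passphrase "$1" \
      -o "$WORK/file1.out" -d "$WORK/file1.txt.gpg" 2>/dev/null
  cat "$WORK/file1.out"
}
# Section 3: node1 exports its public key, node2 imports and verifies it, encrypts to bokebi6, node1 decrypts.
round_trip() {
  gen_key "$NODE1" bokebi6 2>/dev/null
  gen_key "$NODE2" bokebi7 2>/dev/null
  gpg --homedir "$NODE1" --armor --export bokebi6 > "$WORK/bokebi6.pubkey"
  gpg --homedir "$NODE2" --batch --quiet --import "$WORK/bokebi6.pubkey" 2>/dev/null
  # What "Use this key anyway? (y/N)" really asks: does the imported fingerprint match node1's own?
  [ "$(fingerprint "$NODE2" bokebi6)" = "$(fingerprint "$NODE1" bokebi6)" ] || return 1
  echo "ilinux.io" > "$WORK/file2"
  # --trust-model always stands in for answering y, and only after the check above.
  gpg --homedir "$NODE2" --batch --quiet --trust-model always -e -r bokebi6 -o "$WORK/file2.gpg" "$WORK/file2"
  gpg --homedir "$NODE1" --batch --quiet -o "$WORK/file2.out" -d "$WORK/file2.gpg" 2>/dev/null
  cat "$WORK/file2.out"
}
if [ "${GPG_LAB_DEMO:-}" = 1 ]; then symmetric_round_trip "lab-passphrase"; round_trip; fi
```

Run it as GPG_LAB_DEMO=1 sh gpg_lab.sh to print the two recovered plaintexts, or source it and call the functions individually.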
4. Managing public and private keys
Deleting a public key with a command
[root@centos6 ~]# gpg --list-key
/root/.gnupg/pubring.gpg
------------------------
pub 2048R/5DF06D29 2019-11-07
uid bokebi6
sub 2048R/E5592B42 2019-11-07
Deleting a private key: the command only removes the key material from the keyring, not the keyring file itself; the most direct way is to delete the .gnupg directory
# To remove a key from the key list, use the --delete-keys option
[root@centos6 ~]# gpg --delete-keys <user ID, e.g. bokebi6>
Enter y to confirm the deletion
[root@centos6 ~]# gpg --list-keys
[root@centos6 ~]# gpg --delete-secret-keys node2
Enter y to confirm the deletion
Enter y again to confirm the deletion.
Or:
rm -rf ~/.gnupg