For the past few days I have been stuck on a very annoying PGP encryption problem. The basic situation is as follows:

1. I installed PGP on Solaris to receive encrypted files and decrypt them.
2. The other party installed the same version of PGP on Linux to encrypt files and send them to me.
3. The PGP key is generated by me and sent to the other party, who imports it and encrypts with it.

The whole process is driven by scripts; no manual intervention is allowed.

The problem: after the other party imported the key I generated, every time they encrypt with my key, PGP stops and asks for a "y/N" answer.

Command:
/home/west/pgp-6.5.8/pgp -E $dirname/DIS01_1_1.DAT PGPkeyForHRIS

Prompt:
Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.
Export of this software may be restricted by the U.S. government.
Recipients' public key(s) will be used to encrypt.
Key for user ID: PGPkeyForHRIS
2048-bit RSA key, Key ID 0xDE24D35F, created 2007/01/18
WARNING: Because this public key is not certified with a trusted signature, it is not known with high confidence that this public key actually belongs to: "PGPkeyForHRIS".
Are you sure you want to use this public key (y/N)?

An earlier attempted solution:
1. To encrypt the file test123.DAT, first put a command in the script, like this:
pgp -E test123.DAT PGPkeyForHRIS

Note: the email address that follows here must be included; otherwise this key cannot be certified.
④ You need a pass phrase to protect your RSA secret key. Enter your pass phrase.
⑤ Enter your same pass phrase again.
⑥ You need to generate random bits. This is done by measuring the time intervals between your keystrokes. Please enter some random text on your keyboard until you hear the beep.
⑦ The key is OK.

2. Distribute the public key. Method:
① Command: PGP -KXA
② Enter the "User ID"; at this point no Email Address is needed, for example: PGPkeyForHRIS.
③ Enter a file name; this is the plain-text file of the public key that PGP produces, PGPkeyForHRIS.asc. Note: on Linux or Solaris it is best to give the absolute path of the file, otherwise the public key is not generated correctly.
④ Send your public key to the other party, by Email or FTP or the like. Do not let the public key spread around, otherwise PGP's security cannot be guaranteed.

II. Steps for the encrypting side:

1. Show all your keys: pgp -KC (optional step)
2. Delete all your keys: pgp -KR userid (optional step)
3. Create a key pair of your own; the key name is free, but it must not collide with my key name. Method:
Commands: pgp -KA publicKeyName
Function: Add the public PGP key to local PGP service
For example: pgp -KA PGPtestPK.asc
4. Add the new key from the attachment to your server: pgp -KA PGPkeyForHRIS
If prompted: One or more of the new keys are not fully certified. Do you want to certify any of these keys yourself (y/N)
type "y" and press Enter.
5. Type: pgp -KS "PGPkeyForHRIS"
If prompted: READ CAREFULLY: Based on your own direct first-hand knowledge, are you absolutely certain that you are prepared to solemnly certify that the above public key actually belongs to the user specified by the above user ID (y/N)?
type "y" and press Enter. Enter the password and press Enter.
At the prompt "a regular expression to this signature, or press enter for none:" just press Enter to finish.
6. Type: pgp -KE "PGPkeyForHRIS"
Enter the password and press Enter. The remaining prompts are:
Use this key as an ultimately-trusted introducer (y/N)? y
Make this the default signing key (y/N)? y
Current user ID: PGPkeyForHRIS
Do you want to add a new user ID (y/N)? n
Do you want to change your pass phrase (y/N)? n
If prompted: Would you trust "Chen Tai-Wei" to act as an introducer and certify other people's public keys to you? (1=I don't know. 2=No. 3=Usually. 4=Yes, always.) ?
type 4 and press Enter to finish.
7. Encrypt a file. Method:
Commands: pgp -E filename userID
Function: Encrypt files using the public key signed by the user ID: "userID"
For example: pgp -E testFiles.DAT PGPkeyForHRIS
The End~

Summary: the problem lies mainly in key generation. The "User ID" must be in the form "key name" followed by the email address in brackets; if the bracketed email is omitted, certification fails when the other party imports the key. In addition, the key certification in step 5 and the change of the "trust parameters" in step 6 are indispensable; otherwise the added key is invalid.
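As an added example (not from the original post), the following pre-flight check for the scripted encryption step enforces the User ID format the summary requires and confirms from a "pgp -KC" listing that the recipient key's Validity is "complete", so the script fails with an error instead of blocking on the y/N prompt. The column layout of the listing in SAMPLE_KC and the example.invalid addresses are assumptions, not taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Pre-flight checks for the scripted
# "pgp -E file userid" step, so the script fails fast instead of blocking on a
# y/N prompt. ASSUMED (not on the page): the column layout of "pgp -KC" output
# shown in SAMPLE_KC, and the example.invalid addresses.

# The post's conclusion: the User ID must have the form  key name <email>
valid_userid() {
    printf '%s\n' "$1" | grep -Eq '^[^<>]+ <[^<>@ ]+@[^<>@ ]+>$'
}

# Constructed sample of a key-check trust table (layout assumed)
SAMPLE_KC='  KeyID      Trust     Validity  User ID
* DE24D35F   ultimate  complete  PGPkeyForHRIS <hris@example.invalid>
  0A1B2C3D   undefined undefined Untrusted Key <nobody@example.invalid>'

# key_is_valid UID LISTING: succeed only if UID is listed with Validity
# "complete", i.e. the key is certified and pgp will not ask "Are you sure".
key_is_valid() {
    printf '%s\n' "$2" | awk -v uid="$1" '
        {
            i = 1; if ($1 == "*") i = 2        # skip the default-key marker
            validity = $(i + 2)
            rest = ""                          # fields after Validity = User ID
            for (j = i + 3; j <= NF; j++) rest = rest (j > i + 3 ? " " : "") $j
            if (validity == "complete" && rest == uid) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# encrypt_for FILE UID: run both checks, then encrypt with stdin closed so any
# unexpected prompt reads EOF and pgp exits instead of waiting for a human.
encrypt_for() {
    file=$1; uid=$2
    valid_userid "$uid" || { echo "User ID lacks <email>: $uid" >&2; return 2; }
    key_is_valid "$uid" "$(pgp -KC 2>&1)" ||
        { echo "recipient key not certified/trusted: $uid" >&2; return 3; }
    pgp -E "$file" "$uid" </dev/null
}
```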