gpg: basic usage
This post is a short introduction to basic gpg usage.
What is GPG
In one sentence: GPG is one of the many GNU projects; it provides a free, open-source replacement for PGP and is fully compatible with it (PGP is commercial software).
GPG is open-source encryption software that provides encryption, decryption, signing and many other functions, used to ensure the confidentiality and integrity of data and to authenticate its origin.
To use GPG you need to generate a key pair: a public key and a private key.
- The public key is used to encrypt data and to verify signatures; it can be published and handed out freely.
- The private key is used to decrypt data and to create signatures; it must be kept safe.
For encryption and decryption: data is encrypted with the recipient's public key, and the resulting ciphertext can only be decrypted with the matching private key.
For signing and verification: the signature is created with the private key and checked with the public key, which confirms that the message has not been modified.
gpg is now at version 2.x, which makes major improvements over 1.x, although 1.x is still perfectly usable.
Installing gpg2
On Ubuntu, install it directly with apt:
[root@ubuntu]:[~][tty:1]# apt-get install gnupg2
On CentOS, install it directly with yum or dnf:
[root@centosServer ~]# yum install gnupg2
Basic key operations
Generating a key
Run gpg2 --full-generate-key to start generating a key:
[root@debian]:[~][tty:0]# gpg2 --full-generate-key
gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Sun 16 Nov 2025 08:03:27 PM CST
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: gpguser
Email address: gpguser@localhost.com
Comment: gpg test
You selected this USER-ID:
"gpguser (gpg test) <gpguser@localhost.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
The generation process, step by step:
- Choose the key type. gpg offers several; the default is RSA and RSA. To pick a different one, type its number.
- Choose the key size. A longer key is more secure, but decryption takes correspondingly longer; 4096 bits is recommended.
- Choose the expiry. Enter 0 for a key that never expires; otherwise you can enter days, weeks, months or years. Here 1y, one year, was entered, after which a confirmation is requested.
- Enter the user information: name, email address and comment. This also has to be confirmed.
- Finally you are prompted for a passphrase; it protects the private key.
If the terminal misbehaves after the passphrase has been entered, run the reset command to restore it.
Once creation finishes, a success message like the one below is printed, showing the key that was created.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: revocation certificate stored as '/root/.gnupg/openpgp-revocs.d/3678F2332D0A0475A47125050ABA3F7577773A8F.rev'
public and secret key created and signed.
pub rsa4096 2024-11-16 [SC] [expires: 2025-11-16]
3678F2332D0A0475A47125050ABA3F7577773A8F
uid gpguser (gpg test) <gpguser@localhost.com>
sub rsa4096 2024-11-16 [E] [expires: 2025-11-16]
As shown, the fingerprint of this gpg key is 3678F2332D0A0475A47125050ABA3F7577773A8F.
Viewing keys
Use the --list-keys option to display the public keys:
[root@ubuntu]:[~][tty:0]# gpg2 --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2025-11-16
/root/.gnupg/pubring.kbx
------------------------
pub rsa2048 2024-11-16 [SC] [expires: 2025-11-16]
3678F2332D0A0475A47125050ABA3F7577773A8F
uid [ultimate] gpguser (gpg test) <gpguser@localhost.com>
sub rsa2048 2024-11-16 [E] [expires: 2025-11-16]
[root@ubuntu]:[~][tty:0]#
Here C57CF88588C503F6B6BFD0802A75FE471D0D8313 is our fingerprint.
Similarly, the --list-secret-keys option displays the private keys, where 3678F2332D0A0475A47125050ABA3F7577773A8F is the fingerprint of the private key as well.
Exporting keys
Exporting the public key:
Once you have looked up the key's id, use --export to export the public key; --armor exports it in ASCII format, which is convenient for sharing:
[root@debian]:[~][tty:0]# gpg2 --armor --export 3678F2332D0A0475A47125050ABA3F7577773A8F > public.key
[root@debian]:[~][tty:0]#
As shown above, this redirects the public key of 3678F2332D0A0475A47125050ABA3F7577773A8F into the file public.key.
Exporting the private key:
Once you have looked up the key id, use --export-secret-keys to export the private key. You will be asked for the passphrase during the export; the private key must be kept very safe:
[root@debian]:[~][tty:0]# gpg2 --armor --export-secret-keys 3678F2332D0A0475A47125050ABA3F7577773A8F > private.key
[root@debian]:[~][tty:0]#
As shown above, this exports the private key of 3678F2332D0A0475A47125050ABA3F7577773A8F into the file private.key. If the private key is protected by a passphrase, you will be asked to enter it when the key is imported again.
Importing keys
Public keys and private keys are imported the same way, with gpg2 --import.
First, list the local public keys:
# gpg2 --list-keys
#
Import the public key, which is stored in the local file public-key.asc (public.key in the session below):
# gpg2 --import public.key
gpg: key 0ABA3F7577773A8F: public key "gpguser (gpg test) <gpguser@localhost.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
#
Now list the local public keys again:
# gpg2 --list-keys
gpg: checking the trustdb
gpg: no ultimately trusted keys found
/root/.gnupg/pubring.kbx
------------------------
pub rsa4096 2024-11-16 [SC] [expires: 2025-11-16]
3678F2332D0A0475A47125050ABA3F7577773A8F
uid [ unknown] gpguser (gpg test) <gpguser@localhost.com>
sub rsa4096 2024-11-16 [E] [expires: 2025-11-16]
#
Next, look at the local private keys:
root@DESKTOP-CU66GL1:~# gpg2 --list-secret-keys
root@DESKTOP-CU66GL1:~#
Import the private key, which is stored in the local file private-key.asc (private.key in the session below):
# gpg2 --import private.key
gpg: key 0ABA3F7577773A8F: "gpguser (gpg test) <gpguser@localhost.com>" not changed
gpg: key 0ABA3F7577773A8F: secret key imported
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
#
Likewise, during the import you are asked for the private key's passphrase; the key is only imported once the passphrase is correct.
List the private keys once more:
# gpg2 --list-secret-keys
/root/.gnupg/pubring.kbx
------------------------
sec rsa4096 2024-11-16 [SC] [expires: 2025-11-16]
3678F2332D0A0475A47125050ABA3F7577773A8F
uid [ unknown] gpguser (gpg test) <gpguser@localhost.com>
ssb rsa4096 2024-11-16 [E] [expires: 2025-11-16]
#
Deleting keys
Use --delete-keys to delete a public key. Note that if the public key you are trying to delete still has a matching private key, the private key has to be deleted first.
Deleting the public key fails with an error saying that a matching private key exists:
[root@debian]:[~][tty:0]# gpg2 --delete-keys 3678F2332D0A0475A47125050ABA3F7577773A8F
gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: there is a secret key for public key "3678F2332D0A0475A47125050ABA3F7577773A8F"!
gpg: use option "--delete-secret-keys" to delete it first.
[root@debian]:[~][tty:0]#
Deleting the private key.
Use --delete-secret-keys to delete the private key:
[root@debian]:[~][tty:0]# gpg2 --delete-secret-keys 3678F2332D0A0475A47125050ABA3F7577773A8F
gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
sec rsa4096/0ABA3F7577773A8F 2024-11-16 gpguser (gpg test) <gpguser@localhost.com>
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
[root@debian]:[~][tty:0]#
When deleting a private key you are asked a second time to confirm the deletion.
Once the private key is gone, the public key can be deleted:
[root@debian]:[~][tty:0]# gpg2 --delete-keys 3678F2332D0A0475A47125050ABA3F7577773A8F
gpg (GnuPG) 2.2.40; Copyright (C) 2022 g10 Code GmbH
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub rsa4096/0ABA3F7577773A8F 2024-11-16 gpguser (gpg test) <gpguser@localhost.com>
Delete this key from the keyring? (y/N) y
[root@debian]:[~][tty:0]#
Now list the public and private keys again:
[root@debian]:[~][tty:0]# gpg2 --list-keys
[root@debian]:[~][tty:0]#
[root@debian]:[~][tty:0]# gpg2 --list-secret-keys
[root@debian]:[~][tty:0]#
Of course, for the tests below it is best to import the keys back in.
Encrypting and decrypting content
Encrypting a file with the public key
The public key is used to encrypt a file or a piece of content.
Encrypting a string directly:
[root@debian]:[~][tty:0]# echo "hello world" | gpg2 --armor --encrypt --recipient 3678F2332D0A0475A47125050ABA3F7577773A8F > encrypt_msg.asc
gpg: D67F66F29079D8A1: There is no assurance this key belongs to the named user
sub rsa4096/D67F66F29079D8A1 2024-11-16 gpguser (gpg test) <gpguser@localhost.com>
Primary key fingerprint: 3678 F233 2D0A 0475 A471 2505 0ABA 3F75 7777 3A8F
Subkey fingerprint: CFBD 3066 E074 10FC EBA1 FF50 D67F 66F2 9079 D8A1
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N) y
[root@debian]:[~][tty:0]#
The command above uses echo to print hello world and pipes it into gpg2 for encryption: --armor means ASCII output, --encrypt selects encryption, --recipient keyid says which public key to encrypt to, and the result is redirected into encrypt_msg.asc.
Likewise, to encrypt a file, just append the file name, for example:
[root@debian]:[~][tty:0]# echo "hello world2" >> file.txt
[root@debian]:[~][tty:0]# gpg2 --armor --encrypt --recipient 3678F2332D0A0475A47125050ABA3F7577773A8F file.txt
gpg: D67F66F29079D8A1: There is no assurance this key belongs to the named user
sub rsa4096/D67F66F29079D8A1 2024-11-16 gpguser (gpg test) <gpguser@localhost.com>
Primary key fingerprint: 3678 F233 2D0A 0475 A471 2505 0ABA 3F75 7777 3A8F
Subkey fingerprint: CFBD 3066 E074 10FC EBA1 FF50 D67F 66F2 9079 D8A1
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N) y
[root@debian]:[~][tty:0]#
The encrypted file is written as <filename>.asc.
Decrypting a file with the private key
The --decrypt option decrypts a file, and the result can be written to a file of your choice:
[root@debian]:[~][tty:0]# gpg2 --output file.out --decrypt file.txt.asc
gpg: encrypted with 4096-bit RSA key, ID D67F66F29079D8A1, created 2024-11-16
"gpguser (gpg test) <gpguser@localhost.com>"
[root@debian]:[~][tty:0]#
[root@debian]:[~][tty:0]# cat file.out
hello world2
[root@debian]:[~][tty:0]#
--decrypt <encrypted content> decrypts the content, and --output writes the result to a file.
Signing and verification
gpg can sign files and messages to guarantee the integrity of the file or message.
Signing a file
To sign a file, use sign (here in its detached form):
[root@debian]:[~][tty:0]# echo 'sign_message' > siginMessage
[root@debian]:[~][tty:0]# gpg2 --armor --detach-sign siginMessage
[root@debian]:[~][tty:0]#
--detach-sign: create a detached signature for the file. --armor: produce ASCII output.
By default the signature is written to <filename>.asc.
Signing a message
To sign a message, use --clearsign:
[root@debian]:[~][tty:0]# echo "hello sign_message" | gpg2 --armor --clearsign > siginMessageHello.txt
[root@debian]:[~][tty:0]#
--clearsign embeds the signature in the message content without encrypting it.
Verifying a file signature
For a detached signature, run --verify <signature file> <original file>, for example:
[root@debian]:[~][tty:0]# gpg2 --verify siginMessage.asc siginMessage
gpg: Signature made Sat 16 Nov 2024 08:17:54 PM CST
gpg: using RSA key 3678F2332D0A0475A47125050ABA3F7577773A8F
gpg: Good signature from "gpguser (gpg test) <gpguser@localhost.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3678 F233 2D0A 0475 A471 2505 0ABA 3F75 7777 3A8F
[root@debian]:[~][tty:0]#
Verifying a message signature
For a signed message, verify it directly, for example:
[root@debian]:[~][tty:0]# gpg2 --verify siginMessageHello.txt
gpg: Signature made Sat 16 Nov 2024 08:19:08 PM CST
gpg: using RSA key 3678F2332D0A0475A47125050ABA3F7577773A8F
gpg: Good signature from "gpguser (gpg test) <gpguser@localhost.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3678 F233 2D0A 0475 A471 2505 0ABA 3F75 7777 3A8F
[root@debian]:[~][tty:0]#
Reading the signature output
Breaking the verification output above down line by line:
gpg: Signature made Sat 16 Nov 2024 08:19:08 PM CST
gpg: using RSA key 3678F2332D0A0475A47125050ABA3F7577773A8F
These state when the signature was made and which key made it.
gpg: Good signature from "gpguser (gpg test) <gpguser@localhost.com>" [unknown]
This shows that the signer's identity was recognised; the trailing unknown means GPG does not know whether this public key should be trusted.
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
This is a warning: GPG has not received any trust certification for the public key above.
Primary key fingerprint: 3678 F233 2D0A 0475 A471 2505 0ABA 3F75 7777 3A8F
This is the signer's key fingerprint.
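A script that calls gpg --verify has to make the same distinction the lines above describe: "Good signature" only says the file matches the signature, while the WARNING says gpg has no trust path to the key, so a script should pin the fingerprint it expects rather than rely on the word "Good". The functions below are an added example, not code from the post; they classify the post's own verification output (copied as the sample) and a constructed "BAD signature" sample. They assume GnuPG's English message strings; since gpg output is localised, production scripts should parse the stable GOODSIG/BADSIG/TRUST_* records of --status-fd instead.

```shell
#!/bin/sh
# Added example, not code from the original post: turn the human-readable
# output of `gpg --verify` into one verdict a script can act on. Assumes the
# English message strings of GnuPG 2.x.
set -u

# Verification output exactly as shown in the post.
SAMPLE_VERIFY_OUTPUT='gpg: Signature made Sat 16 Nov 2024 08:19:08 PM CST
gpg: using RSA key 3678F2332D0A0475A47125050ABA3F7577773A8F
gpg: Good signature from "gpguser (gpg test) <gpguser@localhost.com>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 3678 F233 2D0A 0475 A471 2505 0ABA 3F75 7777 3A8F'

# Constructed counter-example: what gpg prints when the file was modified.
SAMPLE_BAD_OUTPUT='gpg: Signature made Sat 16 Nov 2024 08:17:54 PM CST
gpg: using RSA key 3678F2332D0A0475A47125050ABA3F7577773A8F
gpg: BAD signature from "gpguser (gpg test) <gpguser@localhost.com>" [unknown]'

# Reads verify output on stdin; prints "<verdict> <fingerprint>" and returns 0.
classify_gpg_verify() {
    out=$(cat)
    # "3678 F233 ... 3A8F" -> "3678F233...3A8F", comparable with key listings.
    fpr=$(printf '%s\n' "$out" | sed -n 's/^Primary key fingerprint: //p' | tr -d ' ')
    case "$out" in
        *'BAD signature from'*)     echo "BAD_SIGNATURE ${fpr:--}" ;;
        *"Can't check signature"*)  echo "NO_PUBLIC_KEY -" ;;
        *'Good signature from'*)
            # "Good" proves file and signature match; the WARNING means gpg has
            # no trust path to the key, so the signer's identity is unconfirmed.
            case "$out" in
                *'not certified with a trusted signature'*) echo "GOOD_UNTRUSTED $fpr" ;;
                *)                                          echo "GOOD_TRUSTED $fpr" ;;
            esac ;;
        *)                          echo "NO_SIGNATURE -" ;;
    esac
}

# Accept only a good signature whose fingerprint equals the one pinned out of
# band ($1, spaces allowed). Pinning replaces the web-of-trust check that the
# WARNING is about, so GOOD_UNTRUSTED is acceptable here when the fingerprint matches.
accept_signature() {
    expected=$(printf '%s' "$1" | tr -d ' ')
    set -- $(classify_gpg_verify)        # $1 = verdict, $2 = fingerprint
    case "$1" in
        GOOD_TRUSTED|GOOD_UNTRUSTED) [ "$2" = "$expected" ] ;;
        *) return 1 ;;
    esac
}
```

Usage: gpg2 --verify siginMessage.asc siginMessage 2>&1 | accept_signature '3678 F233 2D0A 0475 A471 2505 0ABA 3F75 7777 3A8F' exits 0 only for a good signature from that key; a good signature from any other key, a BAD signature, or a missing public key all exit 1.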
Summary
gpg2 is the upgraded version of gpg and an open-source replacement for pgp. It provides encryption, signing and related functions. To use gpg you first generate a public key and a private key: the public key is made available to others and is used to encrypt data, while the private key must be kept safe and is used to decrypt it.
gpg: basic usage
https://wangli2025.github.io/2024/11/17/gpg_usage.html
All articles on this site are original and published under the CC BY-NC-ND 4.0 licence. Please credit the source when reposting; commercial use is not permitted.