
Using GPG for Encryption and Decryption on Linux: Explanation and Examples

2020-06-16 18:09:21

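1. Generate a key pair: gpg --gen-key

Generates a new key pair for the user. You must provide: the key type (RSA/RSA by default); the key length (in bits; longer is stronger); the expiration time (in case the key is compromised); (I usually just press Enter through all of these). The following still have to be filled in: a name, an email address, and a comment identifying the key's owner; and a passphrase (mandatory; if the private key is stolen, it cannot be used without the passphrase).

2. List public keys: gpg --list-keys

Lists the public keys you hold: your own public keys and any public keys imported from the people you communicate with.

3. Export a public key: gpg --armor -o file.key --export key-id

Exports the public key to a file so that others can use it. The --armor option produces text output rather than binary. key-id is the email address or the eight-digit hexadecimal number listed on the pub line of --list-keys. Options such as -o must come before the key-id, because gpg stops parsing options at the first non-option argument.

4. Import a public key: gpg --import file.key

Imports another person's public key from a key file they sent you.

5. Encrypt a file: gpg --encrypt --armor -r key-id file

Encrypts the message with key-id's public key. If -r key-id is not given, the command prompts for the recipient. The default output file is file.asc.

6. Decrypt a file: gpg --decrypt file

Decrypts a message that was encrypted with your public key, using one of your private keys.

Example:

Create your own public/private key pair.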

[sjx@server1 ~]$ gpg --gen-key

gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:

(1) RSA and RSA (default)

(2) DSA and Elgamal

(3) DSA (sign only)

(4) RSA (sign only)

Your selection?    Enter

RSA keys may be between 1024 and 4096 bits long.

What keysize do you want? (2048)    Enter

Requested keysize is 2048 bits

Please specify how long the key should be valid.

0 = key does not expire

<n> = key expires in n days

<n>w = key expires in n weeks

<n>m = key expires in n months

<n>y = key expires in n years

Key is valid for? (0)    Enter

Key does not expire at all

Is this correct? (y/N)  y

GnuPG needs to construct a user ID to identify your key.

Real name: shangjx

Email address: shangjx13@gmail.com

Comment: Enter

You selected this USER-ID:

"xiyou<sjx@server1.example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?    o

You need a Passphrase to protect your secret key.

can't connect to `/home/linuxidc/.gnupg/S.gpg-agent': No such file or directory

gpg-agent[2008]: directory `/home/linuxidc/.gnupg/private-keys-v1.d' created

(A graphical dialog pops up at this point; enter and confirm the passphrase.)

We need to generate a lot of random bytes. It is a good idea to perform

some other action (type on the keyboard, move the mouse, utilize the

disks) during the prime generation; this gives the random number

generator a better chance to gain enough entropy.

We need to generate a lot of random bytes. It is a good idea to perform

some other action (type on the keyboard, move the mouse, utilize the

disks) during the prime generation; this gives the random number

generator a better chance to gain enough entropy.

gpg: key CA83F5AF marked as ultimately trusted

public and secret key created and signed.

gpg: checking the trustdb

gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model

gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u

pub 2048R/CA83F5AF 2011-08-15

Key fingerprint = F886 17A2 F832 B545 6E27 B424 E539 26BF CA83 F5AF

uid                  xiyou<sjx@server1.example.com>

sub 2048R/DB58BFCE 2011-08-15

To export the key, find the key ID in the output above; it follows pub 2048R/. In this example the key ID is CA83F5AF. The following examples show commands that use this key ID.

● Export your public key to share with your partner.

[linuxidc@server1 ~]$ gpg -a -o ~/pub.key --export CA83F5AF

● Copy the exported public key to your partner's server2.

[linuxidc@server1 ~]$ scp pub.key server2.example.com:~

● Import your partner's public key.

[linuxidc@server2 ~]$ gpg --import pub.key

gpg: directory `/home/linuxidc/.gnupg' created

gpg: new configuration file `/home/linuxidc/.gnupg/gpg.conf' created

gpg: WARNING: options in `/home/linuxidc/.gnupg/gpg.conf' are not yet active during this run

gpg: keyring `/home/linuxidc/.gnupg/secring.gpg' created

gpg: keyring `/home/linuxidc/.gnupg/pubring.gpg' created

gpg: /home/linuxidc/.gnupg/trustdb.gpg: trustdb created

gpg: key CA83F5AF: public key "westos <linuxidc@server1.example.com>" imported

gpg: Total number processed: 1

gpg:               imported: 1  (RSA: 1)

● Create a text file containing a message for your partner to read.

[linuxidc@server2 ~]$ echo "xi'an university of posts and telecommunications" > encrypt.txt

● Encrypt the file with your partner's public key.

[linuxidc@server2 ~]$ gpg --encrypt --armor -r CA83F5AF encrypt.txt

gpg: CA83F5AF: There is no assurance this key belongs to the named user

pub 2048R/CA83F5AF 2011-08-15 xiyou <sjx@server1.example.com>

Primary key fingerprint: 7F44 7AE0 A7C2 6E89 6C68 6FE2 5572 8249 3F7B CEB5

Subkey fingerprint: 8FCB BF3E 2D51 563F 1C3F 2440 FC81 0D73 A353 A3BF

It is NOT certain that the key belongs to the person named

in the user ID. If you *really* know what you are doing,

you may answer the next question with yes.

Use this key anyway? (y/N) y

● Copy the encrypted file to your partner.

[linuxidc@server2 ~]$ scp encrypt.txt.asc server1.example.com:~

● Decrypt the file your partner encrypted and verify that you can read the message they sent.

[linuxidc@server1 ~]$ gpg --decrypt encrypt.txt.asc

You need a passphrase to unlock the secret key for

user: "xiyou <sjx@localhost>"

2048-bit RSA key, ID DB58BFCE, created 2011-08-15 (main key ID CA83F5AF)

can't connect to `/home/linuxidc/.gnupg/S.gpg-agent': No such file or directory

gpg: encrypted with 2048-bit RSA key, ID DB58BFCE, created 2011-08-15

"xiyou<sjx@server1.example.com>"

xi'an university of posts and telecommunications
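
Added example (not part of the original article): in the import and encryption steps above, gpg warns that there is no assurance the key belongs to the named user, and the walkthrough answers y. This sketch compares the fingerprint of a received key file with one obtained from the owner over a separate channel and imports only on a match. It assumes GnuPG 2.2 or later for --import-options show-only; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a received public key's fingerprint before importing.
# Function names and SAMPLE_LISTING are constructed for illustration.

# Strip whitespace and upper-case, so "F886 17A2 ..." compares cleanly.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Read `gpg --with-colons` output on stdin; print one primary-key
# fingerprint per "pub" record (field 10 of the "fpr" record after it).
# Subkey fingerprints (the "fpr" after "sub") are skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             want && $1 == "fpr" { print $10; want = 0 }'
}

# Succeed only if the listing on stdin holds exactly one primary key and
# its fingerprint equals the expected one ($1).
fpr_matches() {
    expected=$(normalize_fpr "$1")
    actual=$(primary_fprs)
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Import $1 only if its fingerprint matches $2 (obtained out of band).
# Assumes GnuPG 2.2+ for --import-options show-only (lists, imports nothing).
verified_import() {
    if gpg --batch --with-colons --with-fingerprint \
           --import-options show-only --import "$1" | fpr_matches "$2"; then
        gpg --batch --import "$1"
    else
        echo "fingerprint mismatch or multiple keys: $1 not imported" >&2
        return 1
    fi
}

# Constructed colon listing; the primary fingerprint is the one printed by
# --gen-key in the article, the subkey values are placeholders.
SAMPLE_LISTING='pub:-:2048:1:E53926BFCA83F5AF:1313366400:::-:::scESC:
fpr:::::::::F88617A2F832B5456E27B424E53926BFCA83F5AF:
uid:-::::1313366400::::xiyou <sjx@server1.example.com>:
sub:-:2048:1:0000000000000000:1313366400::::::e:
fpr:::::::::0000000000000000000000000000000000000000:'

# Usage: sh verify_import.sh pub.key "<fingerprint from the key owner>"
if [ "$#" -eq 2 ]; then verified_import "$1" "$2"; fi
```

The full 40-digit fingerprint is compared rather than the eight-digit key ID, because short key IDs are not unique.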
