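Using GPG for end-to-end encrypted file transfer
What is GPG?
GNU Privacy Guard (GnuPG) is cryptographic software for encrypting and signing communications and for managing asymmetric-cryptography keys. GnuPG is free software, designed to follow the OpenPGP standard set by the IETF, and stays compatible with PGP. It is part of the Free Software Foundation's GNU Project and was once funded by the German government. (Source: Wikipedia)
GPG operating modes
Mainstream Linux distributions all provide a gpg package that can be used directly (or installed from the software repositories). Third-party installers are available for macOS and Windows. This article uses Linux (CentOS 7) as the test environment.
gpg can encrypt in two ways:
- Symmetric encryption: encryption and decryption use the same password (or password file)
- Asymmetric encryption: encryption and decryption use different passwords (or key files)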
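Symmetric encryption
With symmetric encryption, encryption and decryption use the same password. It has two shortcomings:
- The two parties exchanging files, Jia and Yi, must exchange the key over some secure channel; it is easily leaked to a third party.
- The encrypted file may also be intercepted by a third party (Bing) and attacked by brute force; the difficulty then depends on the encryption algorithm, the key strength, and the characteristics of the file.
[d1] Encryption
Assume the encryption key is MyPassword, the cipher is AES256, and the file to encrypt is xxx.bin. Note that a passphrase given with --passphrase is visible in the process list and the shell history; gpg also accepts it through --passphrase-fd or --passphrase-file.
```
gpg -v --symmetric --cipher-algo AES256 --batch --yes --passphrase 'MyPassword' xxx.bin
```
The encrypted file xxx.bin.gpg is then written to the same directory.
[d2] Decryption
The decryption key is MyPassword, the file to decrypt is xxx.bin.gpg, and the decrypted file is xxx.bin.new.
```
gpg -v -d --batch --yes --passphrase 'MyPassword' -o 'xxx.bin.new' xxx.bin.gpg
```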
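Asymmetric encryption (end-to-end encrypted transfer)
Asymmetric encryption is GPG's main feature. Compared with symmetric encryption it has the following advantages:
- The two parties exchanging files can exchange their public keys openly, without worrying about key leakage, because the private key is never (and should never be) transferred to any other computer (or electronic device). The public key exchange only has to ensure that the public key is not tampered with by a third party, so any transport can be used.
- The encrypted file cannot be decrypted by a third party (or by the sender); because of the computational complexity, the probability of a successful brute-force attack is practically 0.
The following uses Jia -> Yi sending an encrypted file as the example: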
[d1] Jia and Yi each create their own key pair
[(a)] Jia creates a key pair on his own computer
```
gpg --gen-key
```
```
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Sat 10 Jun 2023 05:01:23 PM CST
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Jia
Name must be at least 5 characters long
Real name: Jia_Test
Email address: Jia@Test
Comment: Jia@Test
You selected this USER-ID:
"Jia_Test (Jia@Test) <Jia@Test>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /home/Test/.gnupg/trustdb.gpg: trustdb created
gpg: key AFF31EB4 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2023-06-10
pub 4096R/AFF31EB4 2022-06-10 [expires: 2023-06-10]
Key fingerprint = 97D5 6521 E1F3 7159 74E9 A7D1 BD84 9CAA AFF3 1EB4
uid Jia_Test (Jia@Test) <Jia@Test>
sub 4096R/D91B12AB 2022-06-10 [expires: 2023-06-10]
```
List the keys
```
gpg --list-keys
```
```
/home/Test/.gnupg/pubring.gpg
-----------------------------
pub 4096R/AFF31EB4 2022-06-10 [expires: 2023-06-10]
uid Jia_Test (Jia@Test) <Jia@Test>
sub 4096R/D91B12AB 2022-06-10 [expires: 2023-06-10]
```
Export the public key to the file Jia@Test.pub, then send the file Jia@Test.pub to Yi.
```
gpg --export --armor Jia@Test > Jia@Test.pub
```
[(b)] Yi creates a key pair on his own computer
```
gpg --gen-key
```
```
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 1y
Key expires at Sat 10 Jun 2023 05:07:45 PM CST
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Yi_Test
Email address: Yi@Test
Comment: Yi@Test
You selected this USER-ID:
"Yi_Test (Yi@Test) <Yi@Test>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 4C32DC3E marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2023-06-10
pub 4096R/4C32DC3E 2022-06-10 [expires: 2023-06-10]
Key fingerprint = AB8B 1613 790F 081F 765A 8F91 9A49 6FBD 4C32 DC3E
uid Yi_Test (Yi@Test) <Yi@Test>
sub 4096R/F14BA4E9 2022-06-10 [expires: 2023-06-10]
```
List the keys
```
gpg --list-keys
```
```
/home/Test/.gnupg/pubring.gpg
-----------------------------
pub 4096R/4C32DC3E 2022-06-10 [expires: 2023-06-10]
uid Yi_Test (Yi@Test) <Yi@Test>
sub 4096R/F14BA4E9 2022-06-10 [expires: 2023-06-10]
```
Export the public key to the file Yi@Test.pub, then send the file Yi@Test.pub to Jia.
```
gpg --export --armor Yi@Test > Yi@Test.pub
```
[d3] Jia and Yi exchange public keys
[(a)] Yi imports Jia's public key
```
gpg --import Jia@Test.pub
```
```
gpg: key AFF31EB4: public key "Jia_Test (Jia@Test) <Jia@Test>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
```
Listing the keys again now shows Jia's imported public key.
```
gpg --list-keys
```
```
/home/louxiao/.gnupg/pubring.gpg
--------------------------------

pub 4096R/AFF31EB4 2022-06-10 [expires: 2023-06-10]
uid Jia_Test (Jia@Test) <Jia@Test>
sub 4096R/D91B12AB 2022-06-10 [expires: 2023-06-10]
```
[(b)] Jia imports Yi's public key
```
gpg --import Yi@Test.pub
```
```
gpg: key 4C32DC3E: public key "Yi_Test (Yi@Test) <Yi@Test>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
```
Listing the keys again now shows Yi's imported public key.
```
gpg --list-keys
```
```
/home/louxiao/.gnupg/pubring.gpg
--------------------------------

pub 4096R/4C32DC3E 2022-06-10 [expires: 2023-06-10]
uid Yi_Test (Yi@Test) <Yi@Test>
sub 4096R/F14BA4E9 2022-06-10 [expires: 2023-06-10]
```
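The exchange is only safe if the imported key has not been tampered with in transit, which the 8-digit key ID in the listing cannot show. As an added example (not from the original article), this shell helper compares the full fingerprint in `gpg --with-colons --fingerprint` output against one received over a separate channel; the function names and the sample listing are constructed, and only the fingerprint and dates come from this page.

```bash
#!/bin/sh
# Added example, not part of the original article.
# Real use on Yi's machine, after `gpg --import Jia@Test.pub`:
#   gpg --with-colons --fingerprint Jia@Test | fpr_matches "$FPR_FROM_JIA"
# where FPR_FROM_JIA (hypothetical name) was read out by Jia over another channel.

# Constructed, simplified sample of the colon listing for Jia's key.
# Only the fingerprint and the dates are taken from the page.
SAMPLE_LISTING='pub:-:4096:1:BD849CAAAFF31EB4:2022-06-10:2023-06-10::-:Jia_Test (Jia@Test) <Jia@Test>::scESC:
fpr:::::::::97D56521E1F3715974E9A7D1BD849CAAAFF31EB4:'

# Remove the spaces gpg prints between fingerprint groups and upper-case the hex.
normalize_fpr() {
  printf '%s' "$1" | tr -d '[:space:]' | tr 'a-f' 'A-F'
}

# Print field 10 of the first "fpr" record (the primary key's fingerprint)
# from a colon listing on stdin.
primary_fpr() {
  awk -F: '$1 == "fpr" { print $10; exit }'
}

# fpr_matches EXPECTED: succeed only if the listing on stdin carries exactly
# the expected fingerprint. Returns 2 when EXPECTED is not a full 40-digit
# fingerprint, so a short key ID such as AFF31EB4 is never accepted.
fpr_matches() {
  fm_expected=$(normalize_fpr "$1")
  fm_actual=$(primary_fpr)
  case "$fm_expected" in
    ''|*[!0-9A-F]*) return 2 ;;
  esac
  [ "${#fm_expected}" -eq 40 ] || return 2
  [ "$fm_actual" = "$fm_expected" ]
}
```

Run the check before the first `gpg -e -r ...` to a newly imported key, and treat any non-zero status as a reason not to encrypt to it.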
[d4] Jia sends an encrypted file to Yi
Assume the file to send is jia.bin. It is signed with Jia's private key (to prevent a third party from forging the file) and encrypted with Yi's public key (so that only Yi can decrypt it). During execution a window pops up asking for the passphrase of the private key.
```
gpg -v -e -r Yi@Test -s -u Jia_Test jia.bin
```
Options:
- -v : verbose output
- -e : encrypt
- -r : the recipient's public key ID, here Yi@Test
- -s : create a digital signature
- -u : the private key ID used for the digital signature, here Jia_Test
- jia.bin : path of the file to encrypt
```
You need a passphrase to unlock the secret key for
user: "Jia_Test (Jia@Test) <Jia@Test>"
4096-bit RSA key, ID AFF31EB4, created 2022-06-10

gpg: using PGP trust model
gpg: using subkey F14BA4E9 instead of primary key 4C32DC3E
gpg: This key belongs to us
gpg: writing to `jia.bin.gpg'
gpg: RSA/AES256 encrypted for: "F14BA4E9 Yi_Test (Yi@Test) <Yi@Test>"
gpg: RSA/SHA256 signature from: "AFF31EB4 Jia_Test (Jia@Test) <Jia@Test>"
```
[d5] Yi receives the file
Yi receives the file sent by Jia, decrypts it with Yi's private key, and uses Jia's public key to check that the signature comes from Jia.
The encrypted file is jia.bin.gpg and the decrypted file is jia.bin. During execution a window pops up asking for the passphrase of the private key.
```
gpg -v -d -o jia.bin jia.bin.gpg
```
Options:
- -v : verbose output
- -d : decrypt (if the file carries a digital signature, the signature is verified, which requires the signer's public key)
- -o : path of the decrypted output file, here jia.bin
- jia.bin.gpg : the file to decrypt
```
gpg: public key is F14BA4E9
gpg: using subkey F14BA4E9 instead of primary key 4C32DC3E

You need a passphrase to unlock the secret key for
user: "Yi_Test (Yi@Test) <Yi@Test>"
gpg: using subkey F14BA4E9 instead of primary key 4C32DC3E
4096-bit RSA key, ID F14BA4E9, created 2022-06-10 (main key ID 4C32DC3E)

gpg: encrypted with 4096-bit RSA key, ID F14BA4E9, created 2022-06-10
"Yi_Test (Yi@Test) <Yi@Test>"
gpg: AES256 encrypted data
gpg: original file name='jia.bin'
gpg: Signature made Fri 10 Jun 2022 05:31:15 PM CST using RSA key ID AFF31EB4
gpg: using PGP trust model
gpg: Good signature from "Jia_Test (Jia@Test) <Jia@Test>"
gpg: binary signature, digest algorithm SHA256
```
The line Good signature from "Jia_Test (Jia@Test) <Jia@Test>" shows that the signature is valid and that the file really came from Jia.
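When the receiving side is a script, the human-readable "Good signature" line is a poor thing to match on, and a file that was encrypted but never signed decrypts without any signature line at all. As an added example (not from the original article), this helper decides from gpg's `--status-fd` lines whether the file was signed by the expected fingerprint; the function name and the sample status lines are constructed, with only the fingerprint and key ID taken from this page.

```bash
#!/bin/sh
# Added example, not part of the original article.
# Real use on Yi's machine (status lines on stdout, plaintext written to jia.bin):
#   gpg --status-fd 1 -d -o jia.bin jia.bin.gpg | signed_by "$JIA_FPR"

# Jia's fingerprint as printed by --gen-key above, spaces removed.
JIA_FPR=97D56521E1F3715974E9A7D1BD849CAAAFF31EB4

# Constructed status output for three cases: signed by Jia, encrypted but
# unsigned, and a signature that fails verification.
STATUS_SIGNED="[GNUPG:] GOODSIG BD849CAAAFF31EB4 Jia_Test (Jia@Test) <Jia@Test>
[GNUPG:] VALIDSIG $JIA_FPR 2022-06-10 1654853475 0 4 0 1 8 00 $JIA_FPR
[GNUPG:] DECRYPTION_OKAY"
STATUS_UNSIGNED="[GNUPG:] DECRYPTION_OKAY"
STATUS_BAD="[GNUPG:] BADSIG BD849CAAAFF31EB4 Jia_Test (Jia@Test) <Jia@Test>"

# signed_by FPR: read status lines on stdin and succeed only if there is
# exactly one VALIDSIG whose signing-key fingerprint (first argument) or
# primary-key fingerprint (last argument) equals FPR. Any status reporting a
# bad, unverifiable, expired or revoked signature is conservatively rejected.
signed_by() {
  awk -v want="$1" '
    $1 != "[GNUPG:]" { next }
    $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
    $2 == "VALIDSIG" { n++; if ($3 != want && $NF != want) bad = 1 }
    END { exit ((n == 1 && !bad) ? 0 : 1) }'
}
```

A non-zero status from `signed_by` means the decrypted jia.bin should not be treated as coming from Jia, even though decryption itself succeeded.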
Help
```
man gpg
```