MD5 and GPG

Submitted by 冷眼眸甩不掉的悲伤 on 2020-04-29 22:11:59

Message digest: MD5

[root@node-0001 ~]# echo dongxia > oschina1.txt
[root@node-0001 ~]# md5sum oschina1.txt       # show the checksum
c36d69f447d005e04a962e7f626146be  oschina1.txt
[root@node-0001 ~]# cp oschina1.txt oschina2.txt 
[root@node-0001 ~]# md5sum oschina*    # check both files
c36d69f447d005e04a962e7f626146be  oschina1.txt
c36d69f447d005e04a962e7f626146be  oschina2.txt      # the copy has the same checksum as the original
[root@node-0001 ~]# echo linux >> oschina1.txt       # modify the file
[root@node-0001 ~]# md5sum oschina*
c08075609fa5c6fdfe85c0e81e82e9f8  oschina1.txt      # the checksum changes
c36d69f447d005e04a962e7f626146be  oschina2.txt
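
The comparison above can be automated with a stored manifest and the checksum tool's -c (check) mode. This is an added example, not part of the original post; the function names and the HASH_CMD variable are assumptions. MD5 only guards against accidental change, and setting HASH_CMD=sha256sum runs the identical flow with a collision-resistant hash.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and HASH_CMD are
# assumptions; sha256sum accepts the same options as md5sum.
HASH_CMD="${HASH_CMD:-md5sum}"

# write_manifest DIR MANIFEST
# Hash every regular file under DIR, with paths recorded relative to DIR.
write_manifest() {
    ( cd "$1" && find . -type f -exec "$HASH_CMD" {} + | sort -k 2 ) > "$2"
}

# changed_files DIR MANIFEST
# Print the path of each file that no longer matches the manifest
# (modified, unreadable, or missing). Prints nothing when all files match.
changed_files() {
    ( cd "$1" && "$HASH_CMD" -c - ) < "$2" 2>/dev/null |
        grep -v ': OK$' | sed 's/: FAILED.*$//'
}

# Demo on constructed files that mirror the session above.
demo() {
    dir=$(mktemp -d) && manifest=$(mktemp) || return 1
    echo dongxia > "$dir/oschina1.txt"
    cp "$dir/oschina1.txt" "$dir/oschina2.txt"
    write_manifest "$dir" "$manifest"
    echo linux >> "$dir/oschina1.txt"      # same change as in the session
    changed_files "$dir" "$manifest"       # prints ./oschina1.txt
    rm -rf "$dir" "$manifest"
}
demo
```

Keep the manifest somewhere the files' writer cannot modify; otherwise a changed file can be shipped with a matching changed manifest.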

GnuPG: the most popular tool for data encryption and data signing

Official site: http://gnupg.org

[root@node-0001 ~]# rpm -q gnupg2      # installed by default
gnupg2-2.0.22-5.el7_5.x86_64

[root@node-0001 ~]# gpg --version    # show the version

GPG symmetric encryption

[root@node-0001 ~]# echo dongxia > oschina.txt
[root@node-0001 ~]# cat oschina.txt 
dongxia
[root@node-0001 ~]# gpg -c oschina.txt       # encrypt the file

[root@node-0001 ~]# ls
oschina.txt  oschina.txt.gpg
[root@node-0001 ~]# scp oschina.txt.gpg 192.168.1.52:/root/      # send the encrypted file
oschina.txt.gpg 

[root@node-0002 ~]# ls
oschina.txt.gpg

[root@node-0002 ~]# gpg -d oschina.txt.gpg > oschina.txt      # decrypt the file to oschina.txt

gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
[root@node-0002 ~]# ls
oschina.txt  oschina.txt.gpg
[root@node-0002 ~]# cat oschina.txt      # view the decrypted content
dongxia

 

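GPG asymmetric encryption

Method: generate a key pair (public key/private key). Send the public key to the other party, who uses it to encrypt data; keep the private key yourself and use it to decrypt the data.

[root@node-0001 ~]# gpg --gen-key      # generate a key pair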
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:      # asks which kind of key to create
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?       # press Enter for the default (1)
RSA keys may be between 1024 and 4096 bits long.      # asks for the key length
What keysize do you want? (2048)     # press Enter for the default (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.      # asks for the key's validity period
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
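Key is valid for? (0)     # press Enter for the default (never expires)
Key does not expire at all      # asks to confirm that the key never expires
Is this correct? (y/N) y    # type y and press Enter to confirm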

GnuPG needs to construct a user ID to identify your key.

Real name: dongxia    # name
Email address: dongxia@oschina.com      # email address
Comment: myGPG      # comment
You selected this USER-ID:
    "dongxia (myGPG) <dongxia@oschina.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O      # uppercase O to confirm
You need a Passphrase to protect your secret key.      # set a passphrase to protect the secret key

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

***************************************************************************

Note: if key generation hangs at this point, open another terminal and run the following

[root@node-0001 ~]# yum install rng-tools.x86_64 -y

[root@node-0001 ~]# rngd -r /dev/urandom 

**************************************************************************

gpg: key 1E39314C marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/1E39314C 2020-04-29
      Key fingerprint = 31C1 E9EB 2FDC 0D56 DFD6  9F61 822E 9935 1E39 314C
uid                  dongxia (mygpg) <dongxia@oschina.com>
sub   2048R/A9536A49 2020-04-29

[root@node-0001 ~]# gpg --list-keys      # list the keys
/root/.gnupg/pubring.gpg
------------------------
pub   2048R/1E39314C 2020-04-29
uid                  dongxia (mygpg) <dongxia@oschina.com>
sub   2048R/A9536A49 2020-04-29

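Note: after the key is generated, the current terminal may become unusable. Run the reset command, or close it and open a new terminal.

Export the public key:

[root@node-0001 ~]# gpg -a --export dongxia > dongxia.pub      # -a (ASCII output)    --export (export option)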
[root@node-0001 ~]# ls
dongxia.pub
[root@node-0001 ~]# scp dongxia.pub 192.168.1.52:/root/      # send the public key to the remote host that will encrypt
dongxia.pub 

Import the public key on the other host

[root@node-0002 ~]# ls
dongxia.pub
[root@node-0002 ~]# gpg --import dongxia.pub       # import the public key
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 1E39314C: public key "dongxia (mygpg) <dongxia@oschina.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
[root@node-0002 ~]# echo 'I love oschina' > oschina.txt      # create a file
[root@node-0002 ~]# gpg -e -r dongxia oschina.txt       # -e encrypts the file; -r names the public key to use
...

Use this key anyway? (y/N) y      # type y to confirm
[root@node-0002 ~]# ls
dongxia.pub  oschina.txt  oschina.txt.gpg
[root@node-0002 ~]# scp oschina.txt.gpg 192.168.1.51:/root/      # send the encrypted file back

Decrypt the file

[root@node-0001 ~]# ls
dongxia.pub  oschina.txt.gpg
[root@node-0001 ~]# gpg -d oschina.txt.gpg > oschina.txt      # decrypt the file to oschina.txt

You need a passphrase to unlock the secret key for

user: "dongxia (mygpg) <dongxia@oschina.com>"
2048-bit RSA key, ID A9536A49, created 2020-04-29 (main key ID 1E39314C)

gpg: encrypted with 2048-bit RSA key, ID A9536A49, created 2020-04-29
      "dongxia (mygpg) <dongxia@oschina.com>"
[root@node-0001 ~]# cat oschina.txt      # view the content
I love oschina

 

GPG signature mechanism

[root@node-0001 ~]# tar -zcf oschina.gz.tar /var/log
tar: Removing leading `/' from member names
[root@node-0001 ~]# gpg -b oschina.gz.tar       # create a detached signature

You need a passphrase to unlock the secret key for
user: "dongxia (mygpg) <dongxia@oschina.com>"
2048-bit RSA key, ID 1E39314C, created 2020-04-29


[root@node-0001 ~]# ls -lh oschina.gz.tar*
-rw-r--r--. 1 root root 370K Apr 29 20:57 oschina.gz.tar
-rw-r--r--. 1 root root  287 Apr 29 20:57 oschina.gz.tar.sig
[root@node-0001 ~]# scp oschina.gz.tar* 192.168.1.52:/root/      # send the file and its signature to the other host
oschina.gz.tar                                                                                                                                               100%  370KB 119.2MB/s   00:00    
oschina.gz.tar.sig 

Verify the signature

[root@node-0002 ~]# gpg --verify oschina.gz.tar.sig oschina.gz.tar      # verify the signature
gpg: Signature made Wed 29 Apr 2020 08:57:44 PM CST using RSA key ID 1E39314C
gpg: Good signature from "dongxia (mygpg) <dongxia@oschina.com>"      # "Good signature" means the signature is intact
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 31C1 E9EB 2FDC 0D56 DFD6  9F61 822E 9935 1E39 314C
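
"Good signature" only says the file matches a key in the keyring; the WARNING above, like the earlier "Use this key anyway?" prompt, means nothing yet ties that key to its owner. The added example below, which is not part of the original post, pins the fingerprint shown on this page and checks gpg's machine-readable status output against it. The function names and the sample status lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: accept a detached signature only
# if gpg reports VALIDSIG for a fingerprint that was confirmed out of band.
# Function names are assumptions; the fingerprint is the one printed above.
PINNED_FPR="31C1E9EB2FDC0D56DFD69F61822E99351E39314C"

# normalize_fpr FPR: drop spaces and upper-case, so "31C1 E9EB ..." also matches.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# check_status EXPECTED_FPR: reads `gpg --status-fd` lines on stdin.
# Returns 0 only when a VALIDSIG line names EXPECTED_FPR as the signing key
# (field 3) or its primary key (last field) and no failure keyword appears.
check_status() {
    awk -v want="$(normalize_fpr "$1")" '
        # Compare as strings: some hex runs (1E39) would otherwise parse as numbers.
        function same(a, b) { return (a "") == (b "") }
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && (same($3, want) || same($NF, want)) { ok = 1 }
        END { exit !(ok && !bad) }
    '
}

# verify_pinned SIG FILE [FPR]: run gpg and apply the check to its status output.
verify_pinned() {
    gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null |
        check_status "${3:-$PINNED_FPR}"
}

# Constructed status lines for the signature on this page (timestamps are samples).
SAMPLE_GOOD='[GNUPG:] GOODSIG 822E99351E39314C dongxia (mygpg) <dongxia@oschina.com>
[GNUPG:] VALIDSIG 31C1E9EB2FDC0D56DFD69F61822E99351E39314C 2020-04-29 1588165064 0 4 0 1 2 00 31C1E9EB2FDC0D56DFD69F61822E99351E39314C
[GNUPG:] TRUST_UNDEFINED'

printf '%s\n' "$SAMPLE_GOOD" | check_status "$PINNED_FPR" && echo "pinned key: accepted"
```

On the receiving host the call would be `verify_pinned oschina.gz.tar.sig oschina.gz.tar`, with the pinned fingerprint obtained from the key owner over a separate channel rather than copied from the imported key file.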
