How to Encrypt and Decrypt Files with GPG on Linux

Protect your privacy with the Linux gpg command. Use well-tested public-key encryption to keep your secrets safe. We'll show you how to use gpg to work with keys, encrypt files, and decrypt them.

GNU Privacy Guard (GPG, the gpg command) lets you encrypt files so that only the intended recipient can decrypt them, and sign them so that the recipient can check who they came from. GPG is a free implementation of the OpenPGP standard (RFC 4880), which is modeled on Pretty Good Privacy (PGP), written in 1991 by Phil Zimmermann.

GPG relies on the idea of two keys per person: a private key and a public key. They are complementary. Anything encrypted with the public key can only be decrypted with the matching private key, and a signature made with the private key can be checked by anyone who has the public key.

To send a file securely, you encrypt it with the recipient's public key and sign it with your own private key. To read it, the recipient decrypts it with their private key; to check that it really came from you, they verify the signature with your public key.

You'll see from this that public keys must be shared. You need the recipient's public key to encrypt a file for them, and they need your public key to verify your signature. There is no danger in making your public key just that, public; in fact there are public key servers for that very purpose, as we shall see. Your private key, and the passphrase that protects it, must never be shared: anyone who has both can decrypt everything sent to you and sign anything in your name.

There are more steps involved in setting up GPG than in using it. Thankfully, you usually only need to set it up once.

Generating Your Keys

The gpg command was already installed on all of the Linux distributions that were checked, including Ubuntu, Fedora, and Manjaro.

You don't have to use GPG with email. You can encrypt files and make them available for download, or hand them to the recipient on physical media. You do, however, need to associate a name and an email address with the keys you generate, so decide which email address you are going to use.

Here is the command to generate your keys. The --full-generate-key option generates your keys in an interactive session within your terminal window. You will also be prompted for a passphrase, which protects the private key on disk. Make sure you remember what the passphrase is. Several words chosen at random (a diceware-style passphrase) make a passphrase that is strong and still possible to remember; three or four words you pick yourself are much weaker than the same number chosen at random.

gpg --full-generate-key
[Screenshot: gpg --full-generate-key in a terminal window]

You will be asked to pick a key type from a menu. Unless you have a good reason not to, accept the default: on GnuPG 2.2 this is option 1, RSA and RSA; on GnuPG 2.3 and later it is ECC (Curve 25519) for both signing and encryption.

For RSA keys you must choose a bit-length; for ECC keys you pick a curve instead. Press Enter to accept the default, and do not go below 2048 bits for RSA.

[Screenshot: key generation questions in a terminal window]

You need to specify how long the key should be valid. If you are testing the system, enter a short duration like 5 for five days. If you are going to keep this key, enter a longer duration like 1y for one year. An expiry date is not a reason to throw the key away: as long as you still hold the private key you can extend it at any time with gpg --edit-key and its expire command, without generating a new key. Confirm your choice with a Y.

You must enter your name and your email address. You can add a comment if you wish.

[Screenshot: key generation questions in a terminal window]

You will be prompted for your passphrase. You will need it whenever you use your private key (decrypting, signing, or signing someone else's key), so make sure you know what it is.

[Screenshot: gpg passphrase window]

Click the OK button when you have entered your passphrase. You'll see this window again as you work with gpg, so make sure you remember your passphrase.

The key generation will take place, and you will be returned to the command prompt.

[Screenshot: gpg key generation completed in a terminal window]

Generating a Revocation Certificate

If your private key becomes known to others, or you lose it or forget its passphrase, you will need to tell the world that the old key must no longer be used, so that you can replace it with a new one. To do that you publish a revocation certificate. A revocation certificate can only be made with the private key, so it has to be created while you still have it; we'll do this now and store it somewhere safe. (GnuPG 2.1 and later also write a revocation certificate automatically at key generation time, into the openpgp-revocs.d directory under your GnuPG home directory; copy that one to safe storage as well.) Keep in mind that anyone who obtains the certificate can revoke your key, so it deserves the same care as the private key itself.

The --output option must be followed by the filename of the certificate you wish to create. The --gen-revoke option causes gpg to generate a revocation certificate. You must identify the key to revoke; the email address you used when the key was generated will do, as will the key ID or fingerprint.

gpg --output ~/revocation.crt --gen-revoke dave-geek@protonmail.com
[Screenshot: gpg --output ~/revocation.crt --gen-revoke dave-geek@protonmail.com in a terminal window]

You will be asked to confirm you wish to generate a certificate. Press Y and hit Enter. You will be asked for the reason you are generating the certificate; the choices are 0 (no reason specified), 1 (key has been compromised), 2 (key is superseded) and 3 (key is no longer used). As we're doing this ahead of time, we don't know for sure. Press 1 as a plausible guess and hit Enter.

You can enter a description if you wish. Press Enter twice to end your description.

You will be asked to confirm your settings; press Y and hit Enter.

[Screenshot: gpg certificate questions in a terminal window]

The certificate will be generated. You will see a message reinforcing the need to keep this certificate safe.

It mentions someone called Mallory. Cryptography discussions have long used Alice and Bob as the two people communicating, with a cast of supporting characters: Eve is a passive eavesdropper, Mallory is an active, malicious attacker. All we need to know is that we must keep the certificate safe and secure.

As a minimum, let's remove all permissions apart from the owner's from the certificate file.

chmod 600 ~/revocation.crt
[Screenshot: chmod 600 ~/revocation.crt in a terminal window]

Let's check with ls to see what the permissions are now:

ls -l
[Screenshot: ls -l output in a terminal window]

That's what we want. No one apart from the file owner (us) and root can read or modify the certificate. Read and write for the owner only is still just a minimum: a certificate that lives in your home directory is lost with the disk, so also keep a copy on removable media or printed on paper, stored somewhere physically secure.

Importing Someone Else's Public Key

To encrypt a message that another person can decrypt, we must have their public key.

If you have been given their key in a file, you can import it with the following command. In this example, the key file is called mary-geek.key.

gpg --import mary-geek.key
[Screenshot: gpg --import mary-geek.key in a terminal window]

The key is imported, and you are shown the name and email address associated with that key. Obviously, that should match the person you received it from, but remember that anyone can create a key carrying any name and email address: the import tells you what the key claims, not who made it. The fingerprint check described below is how you find that out.

[Screenshot: successfully imported key in a terminal window]

There is also the possibility that the person whose key you need has uploaded it to a public key server. The original article used the MIT server, pgp.mit.edu, which belonged to the SKS key server network. Servers in that network synchronized with one another and accepted any upload, which made them a target for abuse (in 2019 keys were flooded with bogus signatures until gpg choked on importing them), and most of them have since been shut down. The usual choice today is keys.openpgp.org, which works differently: it does not synchronize with other servers, and it only makes a key findable by email address after the owner of that address has confirmed the upload. A hit there shows that the uploader could read mail at that address, which is still not the same as knowing who they are.

The --keyserver option must be followed by the address of the key server you wish to search. The --search-keys option must be followed by the name or the email address of the person you are looking for; keys.openpgp.org only answers searches by exact email address, fingerprint or key ID, not by name. We'll use the email address:

gpg --keyserver hkps://keys.openpgp.org --search-keys mary-geek@protonmail.com
[Screenshot: gpg --keyserver --search-keys mary-geek@protonmail.com in a terminal window]

Matches are listed and numbered. To import one, type its number and press Enter. In this case there is a single match, so we type 1 and press Enter.

[Screenshot: gpg keyserver results in a terminal window]

The key is imported, and we are shown the name and email address associated with it. As with a key received as a file, that tells us only what the key claims; the fingerprint check in the next section is what ties it to a person.

Verifying and Signing a Key

If you have been handed a public key file in person by someone you know, you can be reasonably sure it belongs to that person. If you've downloaded it from a key server, or received it by email, you need to verify that the key belongs to the person it claims to.

The --fingerprint option makes gpg display the key's fingerprint: a hash of the public key, shown as ten groups of four hexadecimal characters (40 hex digits in all for the usual v4 keys). It is not a secret and nobody chooses it; every copy of the same key has the same fingerprint, and an attacker cannot build a different key with the same one. Ask the person to send you the fingerprint of their key over a channel that is independent of the one you got the key from: read it out over the phone, compare it in person, or take it from a business card or a web page you already trust.

Then run --fingerprint on the key you imported and compare the two, character by character. Compare the whole fingerprint, never just the last eight hex digits (the short key ID) that some tools show, because it is easy to generate a key with any chosen short ID. If the fingerprints match, you know that the key you hold is the one the person holds.

gpg --fingerprint mary-geek@protonmail.com
[Screenshot: gpg --fingerprint mary-geek@protonmail.com in a terminal window]

The fingerprint is displayed.

[Screenshot: gpg fingerprint in a terminal window]

When you're satisfied that the key is genuine and is owned by the person it is supposed to be associated with, you can sign (certify) their key.

If you don't, you can still use it to encrypt messages to that person and verify messages from them, but gpg will warn you every time, and ask whether you wish to proceed, because it has no way of knowing that the key is valid. Signing it with your own key records that you checked it. We'll use the aptly named --sign-key option and provide the email address of the person, so that gpg knows which key to sign. (A signature made with --sign-key travels with the key if you ever export and share it; if you would rather keep your verification to yourself, --lsign-key makes a local, non-exportable signature that has the same effect on your own machine.)

gpg --sign-key mary-geek@protonmail.com
[Screenshot: gpg --sign-key mary-geek@protonmail.com in a terminal window]

You'll see information about the key and the person, and be asked to confirm that you really want to sign the key. Press Y and hit Enter to sign it; you'll be asked for your passphrase, because the signature is made with your private key.

[Screenshot: gpg key signing confirmation in a terminal window]

How to Share Your Public Key

To share your key as a file, export it from the local gpg key store. To do this, we'll use the --export option, which must be followed by the email address that you used to generate the key (the key ID or fingerprint works too). The --output option must be followed by the name of the file you wish to have the key exported into. The --armor option tells gpg to produce ASCII-armored text instead of a binary file, which is easier to paste into an email or a web page. Only the public key is written; --export never includes private key material (that would take --export-secret-keys, which you should almost never need).

gpg --output ~/dave-geek.key --armor --export dave-geek@protonmail.com
[Screenshot: gpg --output ~/dave-geek.key --armor --export dave-geek@protonmail.com in a terminal window]

We can take a look inside the key file with less.

less dave-geek.key

The key is shown in all its glory: a BEGIN PGP PUBLIC KEY BLOCK header, a body of base64 text, and a matching END line.

[Screenshot: public key file in less in a terminal window]

You can also share your public key on a public key server. The --send-keys option sends the key to the key server, and the --keyserver option must be followed by the address of the server. To identify which key to send, give the key's fingerprint on the command line, with no spaces between the groups of four characters. (You can see the fingerprint for your own key with the --fingerprint option.) If you use keys.openpgp.org, the key is stored but will not be findable by your email address until you have confirmed that address with the server; see its website for how.

gpg --send-keys --keyserver hkps://keys.openpgp.org 31A4E3BE6C022830A804DA0EE9E4D6D0F64EEED4
[Screenshot: gpg --send-keys --keyserver 31A4E3BE6C022830A804DA0EE9E4D6D0F64EEED4 in a terminal window]

You'll get confirmation that the key has been sent.

[Screenshot: confirmation that the key has been sent to the key server, in a terminal window]

Encrypting Files

We're finally ready to encrypt a file and send it to Mary. The file is called Raven.txt.

The --encrypt option tells gpg to encrypt the file, and the --sign option tells it to also sign it with your private key, so that Mary can check it came from you. The --armor option tells gpg to write ASCII text rather than binary. The -r (recipient) option must be followed by the email address of the person you're sending the file to, and the name of the file to encrypt comes last; without it, gpg reads from standard input.

gpg --encrypt --sign --armor -r mary-geek@protonmail.com Raven.txt
[Screenshot: gpg --encrypt --sign --armor -r mary-geek@protonmail.com Raven.txt in a terminal window]

The output file has the same name as the original, with ".asc" appended. Let's have a look inside it.

less Raven.txt.asc
[Screenshot: less Raven.txt.asc in a terminal window]

The file is completely illegible, and can only be decrypted by someone who has Mary's private key (and its passphrase). Your public key is not needed to decrypt it; Mary uses that to verify the signature. Note that this also means you cannot decrypt the file yourself: it was encrypted to Mary only. If you want to keep a readable copy of what you send, add a second -r with your own address, or put an encrypt-to line with your own key ID in ~/.gnupg/gpg.conf so that gpg always does that.

[Screenshot: encrypted content of Raven.txt.asc in a terminal window]

We can now send the file to Mary, confident that no one without her private key can decrypt it.

Decrypting Files

Mary has sent a reply. It is in an encrypted file called coded.asc. We can decrypt it with the --decrypt option, redirecting the output into a file called plain.txt.

Note that we don't have to tell gpg who the file is from, or which of our keys to use. The encrypted message carries the ID of the key it was encrypted to, and the signature inside it carries the ID of the key that made it; gpg reads both, decrypts with our private key (asking for the passphrase) and verifies the signature against Mary's public key, if we have it.

gpg --decrypt coded.asc > plain.txt
[Screenshot: gpg --decrypt coded.asc > plain.txt in a terminal window]

gpg reports the result of the signature check on the terminal, not in plain.txt. Look for "Good signature from" followed by Mary's name before trusting the contents; if the signature is bad, gpg says so and exits with a non-zero status, and if it was made by a key you don't have, it tells you it can't check the signature. With a shell redirect, plain.txt is created even when decryption fails; using --output plain.txt instead of > plain.txt avoids leaving an empty or partial file behind, and gpg then asks before overwriting an existing file (or, with --batch, refuses) unless you add --yes.

Let's look at the plain.txt file:

less plain.txt
[Screenshot: less plain.txt in a terminal window]

The file has been successfully decrypted for us.

[Screenshot: decrypted file in less in a terminal window]
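The whole workflow from the sections above (key generation, exporting and importing public keys, comparing fingerprints, certifying a key, encrypting and signing, decrypting and verifying), run unattended so that every step can be checked. This is an added example, not code from the original article or from the GnuPG project. It assumes GnuPG 2.2 or later on the PATH; the names, email addresses, the message and the two throwaway key stores are constructed for the example. It uses the --quick-* commands and --batch, which GnuPG provides for scripting, in place of the interactive --full-generate-key and --sign-key prompts shown above, and it keeps Dave and Mary in separate --homedir directories so that the encrypt-to-self and signature-trust points can actually be observed.

```shell
#!/bin/bash
# Added example, not taken from the original article or from GnuPG itself: the
# article's whole workflow (generate keys, export and import public keys, compare
# fingerprints, certify a key, encrypt and sign, decrypt and verify) run
# unattended in throwaway key stores. Dave and Mary each get their own GNUPGHOME
# so that, as in real life, each side holds only its own private key plus the
# other side's public key. Names, addresses and the message are made up.
# Assumes GnuPG 2.2 or later on PATH.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, nothing to demonstrate" >&2; exit 0; }

WORK=$(mktemp -d)
DAVE="$WORK/dave"   # Dave's key store
MARY="$WORK/mary"   # Mary's key store
mkdir -m 700 "$DAVE" "$MARY"
trap 'gpgconf --homedir "$DAVE" --kill gpg-agent 2>/dev/null || true;
      gpgconf --homedir "$MARY" --kill gpg-agent 2>/dev/null || true;
      rm -rf "$WORK"' EXIT

# Every gpg call is non-interactive; the throwaway keys carry an empty
# passphrase, so the agent is told not to open a pinentry dialog.
g() {  # usage: g <homedir> <gpg options and command...>
  local home=$1; shift
  gpg --homedir "$home" --batch --yes --quiet \
      --pinentry-mode loopback --passphrase '' "$@"
}

# Full 40-hex-digit fingerprint of the primary key matching <user-id> in <homedir>.
# --with-colons gives stable machine-readable output; field 10 of "fpr" holds it.
fpr() { g "$1" --with-colons --fingerprint "$2" | awk -F: '$1 == "fpr" { print $10; exit }'; }

# Mary decrypts Dave's message; --status-fd 1 puts the machine-readable
# verification verdict on stdout while the plaintext goes to --output.
verify_as_mary() {
  g "$MARY" --status-fd 1 --output "$WORK/plain.txt" --decrypt "$WORK/Raven.txt.asc"
}
trust_line() { awk '$2 ~ /^TRUST_/ { print $2 }'; }   # e.g. TRUST_UNDEFINED

run_demo() {
  # 1. Key generation (the article's --full-generate-key, done unattended).
  #    "default default" picks the algorithm and usage the installed GnuPG recommends.
  g "$DAVE" --quick-gen-key "Dave Geek <dave-geek@example.com>" default default 1y
  g "$MARY" --quick-gen-key "Mary Geek <mary-geek@example.com>" default default 1y
  # GnuPG 2.1+ also writes a ready-made revocation certificate at this point;
  # it still has to be copied somewhere safe, like the article's revocation.crt.
  ls "$DAVE"/openpgp-revocs.d/*.rev 2>/dev/null || echo "no auto-generated revocation certificate found" >&2

  # 2. Export each public key as ASCII armor and import the other side's copy.
  g "$DAVE" --armor --output "$WORK/dave.pub.asc" --export dave-geek@example.com
  g "$MARY" --armor --output "$WORK/mary.pub.asc" --export mary-geek@example.com
  g "$DAVE" --import "$WORK/mary.pub.asc"
  g "$MARY" --import "$WORK/dave.pub.asc"

  # 3. Verify: the fingerprint Dave sees on the imported key must equal the one
  #    Mary reads off her own copy (in real life she tells him out of band).
  MARY_FPR=$(fpr "$MARY" mary-geek@example.com)
  DAVE_FPR=$(fpr "$DAVE" dave-geek@example.com)
  if [ "$(fpr "$DAVE" mary-geek@example.com)" = "$MARY_FPR" ]; then
    RESULT_FPR_MATCH=yes
  else
    RESULT_FPR_MATCH=no
  fi

  # 4. Dave certifies Mary's key. A local signature (lsign) marks the key valid
  #    in Dave's store but is never exported, so it cannot leak to a key server.
  g "$DAVE" --quick-lsign-key "$MARY_FPR"

  # 5. Encrypt to Mary and sign as Dave. There is no -r for Dave himself, so the
  #    ciphertext is unreadable to its own author unless he keeps the plaintext.
  printf 'Quoth the Raven, Nevermore.\n' > "$WORK/Raven.txt"
  g "$DAVE" --armor --sign --encrypt -r mary-geek@example.com \
     --output "$WORK/Raven.txt.asc" "$WORK/Raven.txt"
  RESULT_ARMOR_HEADER=$(head -n 1 "$WORK/Raven.txt.asc")
  if g "$DAVE" --decrypt "$WORK/Raven.txt.asc" >/dev/null 2>&1; then
    RESULT_DAVE_SELF_DECRYPT=yes
  else
    RESULT_DAVE_SELF_DECRYPT=no
  fi

  # 6. Before Mary has checked Dave's fingerprint the signature is already
  #    cryptographically good (GOODSIG), but the key's ownership is unverified,
  #    so gpg reports TRUST_UNDEFINED. Once she has compared the fingerprint and
  #    certified the key, the same message verifies as TRUST_FULLY.
  RESULT_TRUST_BEFORE=$(verify_as_mary | trust_line)
  [ "$(fpr "$MARY" dave-geek@example.com)" = "$DAVE_FPR" ]   # out-of-band check; set -e aborts on mismatch
  g "$MARY" --quick-lsign-key "$DAVE_FPR"
  RESULT_TRUST_AFTER=$(verify_as_mary | trust_line)
  RESULT_PLAINTEXT=$(cat "$WORK/plain.txt")

  printf 'fingerprint match: %s\nDave can decrypt his own message: %s\n' "$RESULT_FPR_MATCH" "$RESULT_DAVE_SELF_DECRYPT"
  printf 'trust before/after certifying Dave: %s / %s\nplaintext: %s\n' "$RESULT_TRUST_BEFORE" "$RESULT_TRUST_AFTER" "$RESULT_PLAINTEXT"
}

run_demo
```

Run it as a script. The interesting output is the last four lines: the fingerprint Dave sees matches the one Mary holds, Dave cannot decrypt the message he encrypted to Mary, and Mary's verification goes from TRUST_UNDEFINED to TRUST_FULLY only after she has compared Dave's fingerprint and certified his key, even though the signature was cryptographically good both times. That is the distinction the article glosses over: decryption and signature checking are done by the keys, but deciding whose keys they are is done by you.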

Refreshing Your Keys

Periodically, you can ask gpg to check the keys it holds against a key server and refresh any that have changed, picking up new expiry dates, added subkeys and, most importantly, revocations. You might do this every few months or when you receive a key from a new contact.

The --refresh-keys option causes gpg to perform the check. The --keyserver option must be followed by the key server of your choice. Keys held by the old SKS servers were synchronized between them, so the choice of server did not matter; keys.openpgp.org keeps its own store, so refresh from the server your contacts actually uploaded to, and remember that a key that was never uploaded anywhere can only be refreshed by asking its owner for a fresh export.

gpg --keyserver hkps://keys.openpgp.org --refresh-keys
[Screenshot: gpg --keyserver --refresh-keys in a terminal window]

gpg responds by listing the keys it checks and letting you know if any have changed and been updated.

[Screenshot: gpg key refreshes in a terminal window]

Privacy Is a Hot Topic

Privacy is never far from the news these days. Whatever your reasons for wanting to keep your information secure and private, gpg provides a simple means to apply strong, well-reviewed encryption to your files and communications.

There are other ways to use gpg. The original article recommended Enigmail, a Thunderbird plugin that hooked into your gpg configuration to encrypt email from inside Thunderbird; since Thunderbird 78, OpenPGP support is built into Thunderbird itself (with its own key store rather than gpg's), and Enigmail is no longer needed or supported for current versions.

Translated from: https://www.howtogeek.com/427982/how-to-encrypt-and-decrypt-files-with-gpg-on-linux/
