赞
踩
gpg加密解密
Protect your privacy with the Linux gpg
command. Use world-class encryption to keep your secrets safe. We’ll show you how to use gpg to work with keys, encrypt files, and decrypt them.
使用Linux gpg
命令保护您的隐私。 使用世界一流的加密来保护您的秘密安全。 我们将向您展示如何使用gpg来处理密钥,加密文件和解密它们。
GnuPrivacy Guard (GPG) allows you to securely encrypt files so that only the intended recipient can decrypt them. Specifically, GPG complies with the OpenPGP standard. It is modeled on a program called Pretty Good Privacy (PGP). PGP was written in 1991 by Phil Zimmerman.
GnuPrivacy Guard( GPG )允许您安全地加密文件,以便只有目标收件人才能解密它们。 具体来说,GPG符合OpenPGP标准。 它以称为“很好的隐私”( PGP )的程序为模型。 PGP由Phil Zimmerman于1991年撰写。
GPG relies on the idea of two encryption keys per person. Each person has a private key and a public key. The public key can decrypt something that was encrypted using the private key.
GPG依靠每人两个加密密钥的想法。 每个人都有一个私钥和公钥 。 公钥可以解密使用私钥加密的内容。
To send a file securely, you encrypt it with your private key and the recipient’s public key. To decrypt the file, they need their private key and your public key.
为了安全地发送文件,请使用私钥和收件人的公钥对其进行加密。 要解密文件,他们需要其私钥和您的公钥。
You’ll see from this that public keys must be shared. You need to have the public key of the recipient in order to encrypt the file, and the recipient needs your public key to decrypt it. There is no danger in making your public keys just that—public. In fact, there are Public Key Servers for that very purpose, as we shall see. Private keys must be kept private. If your public key is in the public domain, then your private key must be kept secret and secure.
从中您将看到必须共享公共密钥。 您需要具有收件人的公共密钥才能加密文件,而收件人需要您的公共密钥才能解密文件。 仅公开公开密钥就没有危险。 实际上,正如我们将看到的,有一些专用于此目的的公钥服务器。 私钥必须保持私密。 如果您的公共密钥在公共域中,那么您的私有密钥必须保密。
There are more steps involved in setting up GPG than there are in using it. Thankfully, you usually need only set it up once.
设置GPG涉及的步骤比使用GPG涉及的步骤更多。 值得庆幸的是,您通常只需要设置一次即可。
The gpg
command was installed on all of the Linux distributions that were checked, including Ubuntu, Fedora, and Manjaro.
gpg
命令已安装在所有检查过Linux发行版中,包括Ubuntu,Fedora和Manjaro。
You don’t have to use GPG with email. You can encrypt files and make them available for download, or pass them physically to the recipient. You do need to associate an email address with the keys you generate, however, so choose which email address you are going to use.
您不必通过电子邮件使用GPG。 您可以加密文件并使它们可供下载,或将其物理传递给收件人。 但是,您确实需要将电子邮件地址与生成的密钥相关联,因此请选择要使用的电子邮件地址。
Here is the command to generate your keys. The --full-generate-key
option generates your keys in an interactive session within your terminal window. You will also be prompted for a passphrase. Make sure you remember what the passphrase is. Three or four simple words joined together with punctuation is a good and robust model for passwords and passphrases.
这是生成密钥的命令。 --full-generate-key
选项在终端窗口内的交互式会话中生成密钥。 还将提示您输入密码。 确保记住密码是什么。 将三个或四个简单的单词与标点符号结合在一起,是一个很好且健壮的密码和密码短语模型 。
gpg --full-generate-key
You will be asked to pick an encryption type from a menu. Unless you have a good reason not to, type 1
and press Enter.
系统将要求您从菜单中选择加密类型。 除非有充分的理由,否则键入1
并按Enter。
You must choose a bit-length for the encryption keys. Press Enter to accept the default.
您必须为加密密钥选择一个位长。 按Enter接受默认值。
You need to specify how long the key should last. If you are testing the system, enter a short duration like 5
for five days. If you are going to keep this key, enter a longer duration like 1y for one year. The key will last 12 months and so will need renewing after one year. Confirm your choice with a Y
.
您需要指定密钥应持续多长时间。 如果您要测试系统,请输入5天之类的短时间(例如5
。 如果要保留此密钥,请输入更长的期限(例如1y)一年。 密钥将持续12个月,因此需要在一年后进行更新。 用Y
确认选择。
You must enter your name and your email address. You can add a comment if you wish.
您必须输入您的姓名和电子邮件地址。 您可以根据需要添加评论。
You will be prompted for your passphrase. You will need the passphrase whenever you work with your keys, so make sure you know what it is.
系统将提示您输入密码。 每当您使用按键时,都将需要密码,因此请确保您知道密码是什么。
Click the OK
button when you have entered your passphrase. You’ll see this window as you work with gpg
, so make sure you remember your passphrase.
输入密码后,单击“ OK
按钮。 使用gpg
,您会看到此窗口,因此请确保记住密码。
The key generation will take place, and you will be returned to the command prompt.
将会生成密钥,并且您将返回到命令提示符。
If your private key becomes known to others, you will need to disassociate the old keys from your identity, so that you can generate new ones. To do this, you will require a revocation certificate. We’ll do this now and store it somewhere safe.
如果他人知道您的私钥,则需要将旧密钥与您的身份解除关联,以便可以生成新密钥。 为此,您将需要吊销证书。 我们现在将执行此操作并将其存储在安全的地方。
The --output
option must be followed by the filename of the certificate you wish to create. The --gen-revoke
option causes gpg
to generate a revocation certificate. You must provide the email address that you used when the keys were generated.
--output
选项后必须跟要创建的证书的文件名。 --gen-revoke
选项使gpg
生成吊销证书。 您必须提供生成密钥时使用的电子邮件地址。
gpg --output ~/revocation.crt --gen-revoke dave-geek@protonmail.com
You will be asked to confirm you wish to generate a certificate. Press Y
and hit Enter. You will be asked for the reason you are generating the certificate. As we’re doing this ahead of time, we don’t know for sure. Press 1
as a plausible guess and hit Enter.
系统将要求您确认要生成证书。 按Y
然后按Enter。 系统将询问您生成证书的原因。 由于我们提前进行此操作,因此我们不确定。 按1
作为合理的猜测,然后按Enter。
You can enter a description if you wish. Press Enter twice to end your description.
您可以根据需要输入描述。 按Enter键两次以结束您的描述。
You will be asked to confirm your settings, press Y
and hit Enter.
系统将要求您确认设置,按Y
,然后按Enter。
The certificate will be generated. You will see a message reinforcing the need to keep this certificate safe.
将生成证书。 您将看到一条消息,强调需要确保此证书的安全。
It mentions someone called Mallory. Cryptography discussions have long used Bob and Alice as the two people communicating. There are other supporting characters. Eve is an eavesdropper, Mallory is a malicious attacker. All we need to know is we must keep the certificate safe and secure.
它提到了一个叫马洛里的人。 密码学的讨论长期以来一直使用鲍勃和爱丽丝作为两个人进行交流。 还有其他辅助字符。 夏娃是个窃听者,马洛里是一个恶意攻击者。 我们需要知道的是,我们必须确保证书的安全。
As a minimum, let’s remove all permissions apart from ours from the certificate.
至少,让我们从证书中删除除我们之外的所有权限。
chmod 600 ~/revocation.crt
Let’s check with ls
to see what the permission are now:
让我们与ls
一起查看一下现在的权限:
ls -l
That’s perfect. No one apart from the file owner—us—can do anything with the certificate.
那很完美。 除了文件所有者之外,没有人可以使用证书做任何事情。
To encrypt a message that another person can decrypt, we must have their public key.
要加密别人可以解密的消息,我们必须拥有他们的公钥。
If you have been provided with their key in a file, you can import it with the following command. In this example, the key file is called “mary-geek.key.”
如果在文件中提供了他们的密钥,则可以使用以下命令将其导入。 在此示例中,密钥文件称为“ mary-geek.key”。
gpg --import mary-geek.key
The key is imported, and you are shown the name and email address associated with that key. Obviously, that should match the person you received it from.
密钥已导入,并显示与该密钥关联的名称和电子邮件地址。 显然,这应该与您收到它的人相匹配。
There is also the possibility that the person you need a key from has uploaded their key to a public key server. These servers store people’s public keys from all over the world. The key servers synchronize with one another periodically so that keys are universally available.
您可能需要密钥的人也有可能将其密钥上传到了公共密钥服务器。 这些服务器存储来自世界各地的人们的公钥。 密钥服务器定期相互同步,因此密钥是通用的。
The MIT public key server is a popular key server and one that is regularly synchronized, so searching there should be successful. If someone has only recently uploaded a key, it might take a few days to appear.
MIT公钥服务器是一种流行的密钥服务器,并且定期进行同步,因此在该服务器上搜索应该会成功。 如果某人最近才上传密钥,则可能需要几天时间才能显示出来。
The --keyserver
option must be followed by the name of the key server you wish to search. The --search-keys
option must be followed by either the name of the person you are searching for or their email address. We’ll use the email address:
--keyserver
选项后必须跟要搜索的密钥服务器的名称。 --search-keys
选项之后必须是要搜索的人的姓名或他们的电子邮件地址。 我们将使用以下电子邮件地址:
gpg --keyserver pgp.mit.edu --search-keys mary-geek@protonmail.com
Matches are listed for you and numbered. To import one, type the number and press Enter. In this case, there is a single match, so we type 1
and press Enter.
为您列出了匹配项并编号。 要导入一个,请输入数字,然后按Enter。 在这种情况下,只有一个匹配项,因此我们键入1
并按Enter。
The key is imported, and we are shown the name and email address associated with that key.
密钥已导入,我们将看到与该密钥关联的名称和电子邮件地址。
If you have been handed a public key file by someone known to you, you can safely say it belongs to that person. If you’ve downloaded it from a public key server, you may feel the need to verify that the key belongs to the person it is meant to.
如果您认识的某个人将您的公钥文件交给了您,则可以放心地说它属于该人。 如果您是从公共密钥服务器上下载的,则可能会需要验证该密钥是否属于该对象。
The --fingerprint
option causes gpg
to create a short sequence of ten sets of four hexadecimal characters. You can ask the person to send you the fingerprint of their key.
--fingerprint
选项使gpg
创建由十组四个十六进制字符组成的简短序列。 您可以要求此人向您发送其钥匙的指纹。
You can then use the --fingerprint
option to generate the same fingerprint sequence of hexadecimal characters and compare them. If they match, you know that the key belongs to that person.
然后,您可以使用--fingerprint
选项生成相同的十六进制字符指纹序列并进行比较。 如果它们匹配,则说明密钥属于该人。
gpg --fingerprint mary-geek@protonmail.com
The fingerprint is generated.
指纹已生成。
When you’re satisfied that the key is genuine and is owned by the person it is supposed to be associated with, you can sign their key.
如果您对密钥是真实的并且对应该由其关联的人拥有的密钥感到满意,则可以对其密钥进行签名。
If you don’t do this, you can still use it to encrypt and decrypt messages from and to that person. But gpg
will ask you every time whether you wish to proceed because the key is unsigned. We’ll use the aptly named --sign-key
option and provide the email address of the person, so that gpg
knows which key to sign.
如果您不这样做,您仍可以使用它来加密和解密与该人之间的消息。 但是gpg
每次都会询问您是否要继续,因为密钥是未签名的。 我们将使用恰当命名的--sign-key
选项,并提供此人的电子邮件地址,以便gpg
知道要签名的密钥。
gpg --sign-key mary-geek@protonmail.com
You’ll see information about the key and the person, and will be asked to verify you really want to sign the key. Press Y
and hit Enter to sign the key.
您将看到有关密钥和个人的信息,并会要求您确认您确实要对密钥进行签名。 按Y
然后按Enter键以对密钥进行签名。
To share your key as a file, we need to export it from the gpg
local key store. To do this, we’ll use the --export
option, which must be followed by the email address that you used to generate the key. The --output
option must be followed by the name fo the file you wish to have the key exported into. The --armor
option tells gpg
to generate ASCII armor output instead of a binary file.
要将您的密钥共享为文件,我们需要从gpg
本地密钥存储中导出它。 为此,我们将使用--export
选项,该选项后必须跟用于生成密钥的电子邮件地址。 在--output
选项后面必须加上您希望将密钥导出到的文件的名称。 --armor
选项告诉gpg
生成ASCII装甲输出,而不是二进制文件。
gpg --output ~/dave-geek.key --armor --export dave-geek@protonmail.com
We can take a look inside the key file with less
.
我们可以使用less
来查看密钥文件。
less dave-geek.key
The key is shown in all its glory:
密钥以其所有的荣耀显示:
You can also share your public key on a public key server. The --send-keys
option sends the key to the keyserver. The --keyserver
option must be followed by the web address of the public key server. To identify which key to send, the fingerprint for the key must be provided on the command line. Note there are no spaces between the sets of four characters.
您也可以在公用密钥服务器上共享公用密钥。 --send-keys
选项将--send-keys
发送到密钥服务器。 --keyserver
选项后必须跟公共密钥服务器的网址。 要标识要发送的密钥,必须在命令行上提供密钥的指纹。 请注意,四个字符集之间没有空格。
(You can see the fingerprint for your key by using the --fingerprint
option.)
(您可以使用--fingerprint
选项查看密钥的指纹。)
gpg --send-keys --keyserver pgp.mit.edu 31A4E3BE6C022830A804DA0EE9E4D6D0F64EEED4
You’ll get confirmation that the key has been sent.
您将确认密钥已发送。
We’re finally ready to encrypt a file and send it to Mary. The file is called Raven.txt.
我们终于准备好加密文件并将其发送给Mary。 该文件称为Raven.txt。
The --encrypt
option tells gpg
to encrypt the file, and the --sign
option tells it to sign the file with your details. The --armor
option tells gpg to create an ASCII file. The -r
(recipient) option must be followed by the email address of the person you’re sending the file to.
--encrypt
选项告诉gpg
加密文件,而--sign
选项告诉它用您的详细信息签名文件。 --armor
选项告诉gpg创建一个ASCII文件。 -r
(收件人)选项后必须是要将文件发送给的人的电子邮件地址。
gpg --encrypt --sign --armor -r mary-geek@protonmail.com
The file is created with the same name as the original, but with “.asc” appended to the file name. Let’s have a look inside it.
该文件的名称与原始名称相同,但是在文件名后附加了“ .asc”。 让我们看看里面。
less Raven.txt.asc
The file is completely illegible, and can only be decrypted by someone who has your public key and Mary’s private key. The only person to have both of those should be Mary.
该文件完全难以辨认,并且只有拥有您的公共密钥和Mary的私钥的人才能解密。 拥有这两者的唯一的人应该是玛丽。
We can now send the file to Mary confident that no one else can decrypt it.
现在,我们可以将文件发送给Mary,确信其他人都无法解密它。
Mary has sent a reply. It is in an encrypted file called coded.asc. We can decrypt it very easily using the --decrypt
option. We are going to redirect the output into another file called plain.txt.
玛丽已回复。 它位于名为coded.asc的加密文件中。 我们可以使用--decrypt
选项非常轻松地对其进行解密。 我们将把输出重定向到另一个文件plain.txt。
Note that we don’t have to tell gpg
who the file is from. It can work that out from the encrypted contents of the file.
请注意,我们不必告诉gpg
文件的来源。 它可以从文件的加密内容中得出结论。
gpg --decrypt coded.asc > plain.txt
Let’s look at the plain.txt file:
让我们看一下plain.txt文件:
less plain.txt
The file has been successfully decrypted for us.
该文件已为我们成功解密。
Periodically, you can ask gpg
to check the keys it has against a public key server and to refresh any that have changed. You might do this every few months or when you receive a key from a new contact.
您可以定期要求gpg
针对公共密钥服务器检查其拥有的密钥,并刷新所有已更改的密钥。 您可能每隔几个月或从新联系人那里收到密钥后就执行一次。
The --refresh-keys
option causes gpg
to perform the check. The --keyserver
option must be followed by the key server of your choice. Once the keys have been synchronized between the public key servers, it shouldn’t matter which one you choose.
--refresh-keys
选项使gpg
执行检查。 --keyserver
选项之后必须是您选择的密钥服务器。 一旦密钥在公共密钥服务器之间同步后,选择哪一个都无所谓。
gpg --keyserver pgp.mit.edu --refresh-keys
gpg
responds by listing the keys it checks and letting you know if any have changed and been updated.
gpg
通过列出它检查的密钥并让您知道是否有任何更改和更新来进行响应。
Privacy is never far from the news these days. Whatever your reasons for wanting to keep your information secure and private, gpg
provides a simple means to apply incredibly strong encryption to your files and communications.
如今,隐私离新闻不远了。 无论出于何种原因想要保持信息的安全性和私密性, gpg
提供了一种简单的方法,可以对文件和通信进行难以置信的强大加密。
There are other ways to use gpg
. You can get a plugin for Thunderbird called Enigmail. It hooks right into your gpg
configuration to allow you encrypt email messages from inside Thunderbird.
还有其他使用gpg
。 您可以为Thunderbird获得一个名为Enigmail的插件。 它直接与您的gpg
配置挂钩,使您可以从Thunderbird内部加密电子邮件。
翻译自: https://www.howtogeek.com/427982/how-to-encrypt-and-decrypt-files-with-gpg-on-linux/
gpg加密解密
Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。