系统运维 非对称密钥实验 实验目的
对文件进行非对称加解密
创新互联坚持“要么做到,要么别承诺”的工作理念,服务领域包括:网站设计制作、网站制作、企业官网、英文网站、手机端网站、网站推广等服务,满足客户于互联网时代的北关网站设计、移动媒体设计的需求,帮助企业找到有效的互联网解决方案。努力成为您成熟可靠的网络建设合作伙伴!实验准备主机:A和B
OS: CentOS7
IP :192.168.172.134
1.在主机A上生成公私钥
[root@hostA ~]# gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and Redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: directory `/root/.gnupg\' created
gpg: new configuration file `/root/.gnupg/gpg.conf\' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf\' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg\' created
gpg: keyring `/root/.gnupg/pubring.gpg\' created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1 #选择所要生成的非对称密钥类型
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024 #先择密钥的长度
Requested keysize is 1024 bits
Please specify how long the key should be valid.
0 = key does not expire
= key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0) #指定密钥的有效期限
Key does not expire at all
Is this correct? (y/N) y #确认密钥有效期为永久有效
GnuPG needs to construct a user ID to identify your key.
Real name: hostA #输入非对称密钥所对应的主机名
Email address:
Comment:
You selected this USER-ID:
hostA
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o #确认密钥信息
You need a Passphrase to protect your secret key.
You don\'t want a passphrase - this is probably a *bad* idea!
I will do it anyway. You can change your passphrase at any time,
using this program with the option --edit-key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 4B9A0B62 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 1024R/4B9A0B62 2019-04-12
Key fingerprint = E128 AD1F E1D5 5B0D C66C FD45 4786 0C63 4B9A 0B62
uid hostA
sub 1024R/DD37BA59 2019-04-12
#非对称密生成完毕
[root@hostA ~]# cd .gnupg/
[root@hostA .gnupg]# ll
total 28
-rw------- 1 root root 7680 Apr 13 05:36 gpg.conf
drwx------ 2 root root 6 Apr 13 05:37 private-keys-v1.d
-rw------- 1 root root 649 Apr 13 05:37 pubring.gpg #公钥文件
-rw------- 1 root root 649 Apr 13 05:37 pubring.gpg~ #公钥的备份
-rw------- 1 root root 600 Apr 13 05:37 random_seed
-rw------- 1 root root 1313 Apr 13 05:37 secring.gpg #私钥文件
srwxr-xr-x 1 root root 0 Apr 13 05:37 S.gpg-agent
-rw------- 1 root root 1280 Apr 13 05:37 trustdb.gpg
2.B主机上生成公私钥
[root@hostB ~]# gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: directory `/root/.gnupg\' created
gpg: new configuration file `/root/.gnupg/gpg.conf\' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf\' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg\' created
gpg: keyring `/root/.gnupg/pubring.gpg\' created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
0 = key does not expire
= key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: hostB
Email address:
Comment:
You selected this USER-ID:
hostB
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
You don\'t want a passphrase - this is probably a *bad* idea!
I will do it anyway. You can change your passphrase at any time,
using this program with the option --edit-key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 77A790ED marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 1024R/77A790ED 2019-04-12
Key fingerprint = 34E9 51E2 0720 1186 FC26 6BED 5FDF ABE5 77A7 90ED
uid hostB
sub 1024R/3108F051 2019-04-12
[root@hostB ~]# ll .gnupg/
total 28
-rw------- 1 root root 7680 Apr 13 05:50 gpg.conf
drwx------ 2 root root 6 Apr 13 05:50 private-keys-v1.d
-rw------- 1 root root 649 Apr 13 05:51 pubring.gpg
-rw------- 1 root root 649 Apr 13 05:51 pubring.gpg~
-rw------- 1 root root 600 Apr 13 05:51 random_seed
-rw------- 1 root root 1313 Apr 13 05:51 secring.gpg
srwxr-xr-x 1 root root 0 Apr 13 05:50 S.gpg-agent
-rw------- 1 root root 1280 Apr 13 05:51 trustdb.gpg
公私钥文件已生成
二、主机A、B互换公钥文件1.导出主机A公钥发送给B
[root@hostA .gnupg]# gpg -a --export -o hostA.pubkey #导出公钥文件。
[root@hostA .gnupg]# cat hostA.pubkey
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)
mI0EXLEFGgEEALt/ZGwt9ZnkvzI0Ah0DJMFqYPbeTfLWtckiL/tKdkQShaA8pTqS
ckAdeKRY1NRskKsInek3dD+V32n3PG8tTF8ZIQ6TpK8PgB/E+fKH2ftFQFchU+F8
2lsJ0VKf7ILQ6Yre4mVeGo4HCwrJg+E6gEPspaajCyB4BIgApNzqmxNVABEBAAG0
BWhvc3RBiLkEEwECACMFAlyxBRoCGwMHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIX
gAAKCRBHhgxjS5oLYj3RBACFK1NjY29XFnu2ZqpM6bSLLp5sf7fbKvUTUEhitXSo
LB607v88KZoUFdcSQf9v+02KytzC1usW8P0NlevhwCJSRpcaO29GyXKnN07jsQAG
J2TUDR91hgcFZ/j2mcZal+WlgwSQr0Skv4GojTpme/n00DVbZzGGL7QBiTH/45AZ
pbiNBFyxBRoBBAC+rfAizsp3qturv4QXwjguar9HuXWffap7nFaQKUAC8S+a2EyG
RcBvWci0sNXx9HJE4/61ExPF84TR4uc8fRkzWYb6sfPGwBxDFH5e9igPifwyEuqk
QPO3eezRX5bNwLMSXyesUFCeJZ3Qy6BYV6S8vDJbjj6RYwWlLRUJv4rlHwARAQAB
iJ8EGAECAAkFAlyxBRoCGwwACgkQR4YMY0uaC2IkvwP/ckneRcvcYqTCeINVPlqD
ltUC3jn5U1Nu/dZKwt15R7l68Qr0ARBO8SuLlMH7wjBQ/c6grwohfdcXCqZN2gVq
wWl2yamOpeOD4EqwnvaPGtP8t9j2gwGvM905NJRng8Ep+IOlqlNeljKjICLyNzmj
rkRjxcSdDrQgIYZgH84hXZU=
=4MIm
-----END PGP PUBLIC KEY BLOCK-----
[root@hostA .gnupg]# scp hostA.pubkey root@192.168.172.138:/root/.gnupg
The authenticity of host \'192.168.172.138 (192.168.172.138)\' can\'t be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added \'192.168.172.138\' (ECDSA) to the list of known hosts.
root@192.168.172.138\'s password:
hostA.pubkey 100% 984 808.9KB/s 00:00
2.导出主机B公钥发送给A
[root@hostB ~]# gpg -a --export -o hostB.pubkey
[root@hostB ~]# cat hostB.pubkey
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)
mI0EXLEIRwEEAJwjA3oD/GMvu7WvBfp6ZOaRnLxkebI0nVQt5PFOukiDxKDMtn4L
dcuja0JlP4F/MJpxx2pacuNODG/gV1Tu+5iOzxp1+/xJXrWjh0e+MCk3ubivQ5gj
L9TOSbePb/gzRR89F2BexKq6dkVYgiWUZ0205p/qBOMT49Xos9JQ02qlABEBAAG0
BWhvc3RCiLkEEwECACMFAlyxCEcCGwMHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIX
gAAKCRBf36vld6eQ7Xb7A/4kpjrW/JC14J0ZuMggFoI340ZZUOlT2f7JKvS+bAQK
FXOgko6RblHo3PdaD+SimHDhzWibr0q05jpT0OlFP9PphgNfzBaUla/9v4heXcA5
Rsg+J7Z5dbblz4Fe9Hn6uuFJX6PEV00SCVZ1JBOesj4JZuufNTpU09iC8gkl2ntj
YLiNBFyxCEcBBACx6zvb6aH3mybpyqR2kdke0sAsof9sPVrv2UeHS5SSLe2qk38V
GmTwuqLhkvhWrPX9jZza17uauWHItjLl2Xx6VKul4pUA9EPih9rOWTsmHQPhEUnW
ZYVgt50Xn4YOjDaQiislS+AuR3XxeD4eaBtRatzMMQO/ibRV4EWXx6JLvQARAQAB
iJ8EGAECAAkFAlyxCEcCGwwACgkQX9+r5XenkO2rFAP/UgUJ3lYn9rKlnNwsgnqL
c38c6BovdzOveiYt+21QBQ5HElhRI/gZkpIiNi8pze1laaRzduTOj/23rNM5i3Cg
uJulPnMBGLx2s57EuevO34mml+A6pBUIe3ETJhtv8/L3XH5wiMzVEyuzIJuLBA4c
tt+3WYpY9rNUVeuLcHVd7vQ=
=/T8O
-----END PGP PUBLIC KEY BLOCK-----
[root@hostB ~]# scp hostB.pubkey root@192.168.172.134:/root/.gnupg/
The authenticity of host \'192.168.172.134 (192.168.172.134)\' can\'t be established.
ECDSA key fingerprint is SHA256:YNlH0VBV0kp4lAClVvfMWVx/bHcbKKHXQwyd13d+MME.
ECDSA key fingerprint is MD5:8a:1c:3d:c2:04:b1:be:05:95:33:9e:16:e8:ad:6c:25.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added \'192.168.172.134\' (ECDSA) to the list of known hosts.
root@192.168.172.134\'s password:
hostB.pubkey 100% 984 861.8KB/s 00:00
三、主机A、B分别导入公钥1.主机A导入公钥
[root@hostA .gnupg]# gpg --import hostB.pubkey #导入hostB的公钥
gpg: key 77A790ED: public key hostB imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
[root@hostA .gnupg]# gpg --list-key #查看公钥列表
/root/.gnupg/pubring.gpg
------------------------
pub 1024R/4B9A0B62 2019-04-12
uid hostA
sub 1024R/DD37BA59 2019-04-12
pub 1024R/77A790ED 2019-04-12
uid hostB
sub 1024R/3108F051 2019-04-12
2.主机B导入公钥
[root@hostB ~]# cd .gnupg/
[root@hostB .gnupg]# gpg --import hostA.pubkey
gpg: key 4B9A0B62: public key hostA imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
[root@hostB .gnupg]# gpg --list-key
/root/.gnupg/pubring.gpg
------------------------
pub 1024R/77A790ED 2019-04-12
uid hostB
sub 1024R/3108F051 2019-04-12
pub 1024R/4B9A0B62 2019-04-12
uid hostA
sub 1024R/DD37BA59 2019-04-12
四、测试1.使用主机A对文件进行非对称加密,发送给主机B
[root@hostA data]# echo hello,i am hostA > file1
[root@hostA data]# gpg -e -r hostB file1
gpg: 3108F051: There is no assurance this key belongs to the named user
pub 1024R/3108F051 2019-04-12 hostB
Primary key fingerprint: 34E9 51E2 0720 1186 FC26 6BED 5FDF ABE5 77A7 90ED
Subkey fingerprint: 57FD 2BBD D2B0 8EE4 9BCA 74A5 2091 0199 3108 F051
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N) y
[root@hostA data]# scp file1.gpg root@192.168.172.138:/data
root@192.168.172.138\'s password:
file1.gpg 100% 225 87.2KB/s 00:00
2.解密查看其中内容
[root@hostB data]# gpg -o file1 file1.gpg
gpg: encrypted with 1024-bit RSA key, ID 3108F051, created 2019-04-12
hostB
[root@hostB data]# cat file1
hello,i am hostA
五、关于清除密钥1.清除公钥
[root@hostA data]# gpg --delete-key hostB #删除hostB的公钥
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub 1024R/77A790ED 2019-04-12 hostB
Delete this key from the keyring? (y/N) y
[root@hostA data]# gpg --list-key #查看密钥列表此时已经没有hostB了
/root/.gnupg/pubring.gpg
------------------------
pub 1024R/4B9A0B62 2019-04-12
uid hostA
sub 1024R/DD37BA59 2019-04-12
[root@hostA ~]# ll .gnupg/
total 40
-rw------- 1 root root 649 Apr 13 05:48 192.168.172.138
-rw------- 1 root root 7680 Apr 13 05:36 gpg.conf
-rw-r--r-- 1 root root 984 Apr 13 06:02 hostA.pubkey
-rw-r--r-- 1 root root 984 Apr 13 06:06 hostB.pubkey
drwx------ 2 root root 6 Apr 13 05:37 private-keys-v1.d
-rw------- 1 root root 649 Apr 13 06:32 pubring.gpg
-rw------- 1 root root 1298 Apr 13 06:09 pubring.gpg~ #hostB的密钥虽然被清除但是仍可以用此文件恢复
-rw------- 1 root root 600 Apr 13 06:15 random_seed
-rw------- 1 root root 1313 Apr 13 05:37 secring.gpg
srwxr-xr-x 1 root root 0 Apr 13 05:37 S.gpg-agent
-rw------- 1 root root 1280 Apr 13 05:37 trustdb.gpg
2.删除自己的公钥和私钥
要删除自己的公钥必须先清除私钥
[root@hostA ~]# gpg --delete-secret-key hostA #删除自己的私钥
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
sec 1024R/4B9A0B62 2019-04-12 hostA
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
[root@hostA ~]# gpg --delete-key hostA #删除自己的私钥
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub 1024R/4B9A0B62 2019-04-12 hostA
Delete this key from the keyring? (y/N) y
[root@hostA ~]# rm -rf .gnupg/ #将/root/.gnupg目录删除