Common Linux Commands - gpg

Command

gpg

Description

OpenPGP encryption and signing tool

Usage

gpg2 [--homedir dir] [--options file] [options] command [args]

Options

Options:
-a, --armor                 create ASCII-armored output (suffix .asc); the default binary output uses the .gpg suffix
-r, --recipient USER-ID     encrypt for USER-ID
-u, --local-user USER-ID    use USER-ID's key to sign or decrypt
-z N                        set compression level N (0 disables compression)
--textmode                  use canonical text mode
-o, --output FILE           write output to FILE
-v, --verbose               verbose
-n, --dry-run               do not make any changes
-i, --interactive           prompt before overwriting
--openpgp                   use strict OpenPGP behavior

Commands:
-s, --sign                  make a signature
--clearsign                 make a clear text signature (ASCII-armored)
-b, --detach-sign           make a detached signature
-e, --encrypt               encrypt data
-c, --symmetric             encryption only with a symmetric cipher
-d, --decrypt               decrypt data (default)
--verify                    verify a signature
-k, --list-keys             list public keys
-K, --list-secret-keys      list secret keys
--list-sigs                 list keys and signatures
--check-sigs                list and check key signatures
--fingerprint               list keys and fingerprints
--gen-key                   generate a new key pair
--gen-revoke                generate a revocation certificate
--delete-keys               remove keys from the public keyring
--delete-secret-keys        remove keys from the secret keyring
--sign-key                  sign a key
--lsign-key                 sign a key locally
--edit-key                  sign or edit a key
--passwd                    change a passphrase
--export                    export keys
--send-keys                 export keys to a key server
--recv-keys                 import keys from a key server
--search-keys               search for keys on a key server
--refresh-keys              update all local keys from a key server
--import                    import/merge keys
--card-status               print the smart card status
--card-edit                 change data on a smart card
--change-pin                change a smart card's PIN
--update-trustdb            update the trust database
--print-md ALGO FILE        print the message digest of FILE with the given algorithm, like md5sum or sha256sum
--server                    run in server mode

Examples:
gpg -se -r Bob FILE         sign and encrypt for user Bob
gpg --clearsign FILE        make a clear text signature
gpg --detach-sign FILE      make a detached signature
gpg -u USER-ID -sb FILE     make a detached signature with the given local user
gpg --list-keys USER-ID     show keys
gpg --fingerprint USER-ID   show fingerprint
gpg --verify pgpfile        verify a signed file
gpg --verify sigfile        verify a detached signature file

Notes

References
http://www.ruanyifeng.com/blog/2013/07/gpg.html
https://blog.csdn.net/chunyuan314/article/details/81709159

Examples

# Generate a key pair; by default keys are stored in ~/.gnupg/
$ gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: directory '/root/.gnupg' created
gpg: new configuration file '/root/.gnupg/gpg.conf' created
gpg: WARNING: options in '/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring '/root/.gnupg/secring.gpg' created
gpg: keyring '/root/.gnupg/pubring.gpg' created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
# choose the algorithm
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
# set the key size
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
# set the validity period; 0 means the key never expires
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.
# enter a name and email address
Real name: usera
Email address: usera@a.com
Comment:
You selected this USER-ID:
"usera <usera@a.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
# you will be prompted for the passphrase twice
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 918DDD78 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 2048R/918DDD78 2021-03-24
Key fingerprint = 04F7 AC2E 9044 7279 E2A7 E024 E084 A914 918D DD78
uid usera <usera@a.com>
sub 2048R/7E1EDB8D 2021-03-24
# The following files are created; secring.gpg holds the secret keys and pubring.gpg the public keys
$ ll ~/.gnupg/
-rw------- 1 root root 7680 Mar 24 22:09 gpg.conf
drwx------ 2 root root 6 Mar 24 22:09 private-keys-v1.d/
-rw------- 1 root root 1179 Mar 24 22:09 pubring.gpg
-rw------- 1 root root 1179 Mar 24 22:09 pubring.gpg~
-rw------- 1 root root 600 Mar 24 22:09 random_seed
-rw------- 1 root root 2557 Mar 24 22:09 secring.gpg
srwxr-xr-x 1 root root 0 Mar 24 22:09 S.gpg-agent
-rw------- 1 root root 1280 Mar 24 22:09 trustdb.gpg
# list all keys
$ gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub 2048R/918DDD78 2021-03-24
uid usera <usera@a.com>
sub 2048R/7E1EDB8D 2021-03-24
# The following command deletes a given user's key; 918DDD78 above is the key ID
$ gpg --delete-key [key ID]
# export the public key
$ gpg --armor --output publickey.txt --export usera@a.com
$ more publickey.txt
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)
mQENBGBbSCYBCACSO7YvhfEbqHkkxI3pg4g2AgftLWVRq90E06xcWTCbRRSguJZ/
...
-----END PGP PUBLIC KEY BLOCK-----
# export the secret key
$ gpg --armor --output privatekey.txt --export-secret-keys usera@a.com
$ more privatekey.txt
-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: GnuPG v2.0.22 (GNU/Linux)
lQO+BGBbSCYBCACSO7YvhfEbqHkkxI3pg4g2AgftLWVRq90E06xcWTCbRRSguJZ
...
-----END PGP PRIVATE KEY BLOCK-----
# import a key
$ gpg --import [key file]

# encrypt a file
$ echo aaa > a
$ gpg --recipient usera@a.com --output a.gpg --encrypt a
$ file a*
a: ASCII text
a.gpg: data
# decrypt the file; the passphrase is required
$ gpg --output b --decrypt a.gpg
$ more b
aaa
# The encrypted file can also be passed with no options at all; below, the decrypted output is renamed to c
$ gpg a.gpg
You need a passphrase to unlock the secret key for
user: "usera <usera@a.com>"
2048-bit RSA key, ID 7E1EDB8D, created 2021-03-24 (main key ID 918DDD78)
gpg: encrypted with 2048-bit RSA key, ID 7E1EDB8D, created 2021-03-24
"usera <usera@a.com>"
File 'a' exists. Overwrite? (y/N)
Enter new filename: c
$ more c
aaa

# Sign a file; by default the output is binary, with the .gpg suffix
$ gpg --output a.sig --local-user usera --sign a
$ file a.sig
a.sig: data
# An ASCII-armored file with the .asc suffix can also be produced
$ gpg --output a.asc --local-user usera --clearsign a
$ file a.asc
a.asc: ASCII text
$ more a.asc
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
aaa
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iQEcBAEBAgAGBQJgW08BAAoJEOCEqRSRjd1419wH/3GtR7hLLY+nmUuaGtpjbP1f
...
-----END PGP SIGNATURE-----
# The following commands produce a detached signature file
$ gpg --detach-sign a
$ gpg --armor --detach-sign a
# verify the signature
$ gpg --verify a.asc
gpg: Signature made Wed 24 Mar 2021 10:48:36 PM CST using RSA key ID 918DDD78
gpg: Good signature from "usera <usera@a.com>"
# verify and decrypt the file
$ gpg --decrypt a.asc > aa
$ more aa
aaa
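Added example, not part of the original page: a Python helper that checks a signature the way a script should, by reading gpg's machine-readable --status-fd lines (GOODSIG/VALIDSIG/BADSIG, as documented in GnuPG's DETAILS file) rather than the human-readable "Good signature" text above, and by pinning the signer to the fingerprint generated in this session. The status lines in SAMPLE_GOOD and SAMPLE_BAD are constructed to mirror the verification of a.asc above; the verify_file wrapper assumes gpg is on PATH.

```python
import subprocess
from collections import namedtuple

# Primary-key fingerprint from the "gpg --gen-key" output in the session above;
# a signature is accepted only from a key pinned here, whatever gpg prints.
TRUSTED_FINGERPRINTS = {"04F7AC2E90447279E2A7E024E084A914918DDD78"}
VerifyResult = namedtuple("VerifyResult", "ok reason signer_fpr signer_uid", defaults=("", ""))

def parse_status(status_text, trusted_fprs):
    """Apply the policy to gpg --status-fd output (the "[GNUPG:] ..." lines)."""
    good_uid = valid_fpr = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line[len("[GNUPG:] "):].split(" ", 2)  # keyword, arg, rest
        kw = fields[0]
        if kw == "BADSIG":
            return VerifyResult(False, "BADSIG: data does not match the signature")
        if kw in ("ERRSIG", "NO_PUBKEY"):
            return VerifyResult(False, kw + ": signature could not be checked")
        if kw == "GOODSIG" and len(fields) == 3:
            good_uid = fields[2]  # "<long key id> <user id>" -> user id part
        if kw == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire> <ver> <rsvd> <pkalgo> <hashalgo>
            # <class> [<primary-fpr>]: pin the primary key when gpg reports it
            parts = line.split()
            valid_fpr = parts[11] if len(parts) > 11 else parts[2]
    if good_uid is None or valid_fpr is None:
        return VerifyResult(False, "no GOODSIG/VALIDSIG pair: treat as unsigned")
    if valid_fpr.upper() not in trusted_fprs:
        return VerifyResult(False, "signed by an unpinned key", valid_fpr, good_uid)
    return VerifyResult(True, "good signature from a pinned key", valid_fpr, good_uid)

def verify_file(signature_path, data_path=None, trusted_fprs=TRUSTED_FINGERPRINTS):
    """Run gpg --verify with status lines on stdout and apply the policy (assumes gpg on PATH)."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", signature_path]
    if data_path:  # detached signature: also name the file it covers
        cmd.append(data_path)
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return parse_status(proc.stdout, trusted_fprs)

# Constructed status output modelled on the verification of a.asc above
# (pkalgo 1 = RSA, hashalgo 2 = SHA1, class 01 = clearsigned text).
SAMPLE_GOOD = (
    "[GNUPG:] GOODSIG E084A914918DDD78 usera <usera@a.com>\n"
    "[GNUPG:] VALIDSIG 04F7AC2E90447279E2A7E024E084A914918DDD78 2021-03-24 "
    "1616597316 0 4 0 1 2 01 04F7AC2E90447279E2A7E024E084A914918DDD78\n"
)
SAMPLE_BAD = "[GNUPG:] BADSIG E084A914918DDD78 usera <usera@a.com>\n"
```

A "Good signature" line only proves the data matches some key in the keyring; the pinning step is what ties it to the key you actually meant to trust.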