对称加密
- 加密一个文件
[root@localhost ~]# gpg -c passwd #-c 指定加密的文件
x 请输入密码 x
x x
x x
x Passphrase *******_________________________________ x 输入对称的密码“123.com” 回车后再输入一次
x x
x <OK> <Cancel> x
[root@localhost ~]# ls
anaconda-ks.cfg gh hg hg.gpg mariadb-5.5.57-linux-x86_64.tar.gz passwd原文件 passwd.gpg 加密后的文件
[root@localhost ~]# scp passwd.gpg 192.168.75.5: 把加密后的文件使用scp传输到192.168.75.5root的家目录下
root@192.168.75.5's password:
passwd.gpg 100% 521 0.5KB/s 00:00
到192.168.75.5的主机上解密passwd.gpg文件
[root@root ~]# gpg -o fr -d passwd.gpg #-o指定输出的文件 -d指定解密的文件
x 请输入密码 x
x x
x x
x Passphrase *******_________________________________ x 输入对称的秘钥回车
x x
x <OK> <Cancel> x
[root@root ~]# gpg -o fr -d passwd.gpg
gpg: CAST5 加密过的数据
can't connect to `/root/.gnupg/S.gpg-agent': 没有那个文件或目录
gpg: 以 1 个密码加密
gpg: 警告:报文未受到完整的保护
[root@root ~]# ls
anaconda-ks.cfg fr hg.gpg install.log install.log.syslog mariadb-5.5.57-linux-x86_64.tar.gz passwd.gpg rt
[root@root ~]# cat fr 查看解密的文件
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-bus-proxy:x:999:997:systemd Bus Proxy:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:998:996:User for polkitd:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
chrony:x:997:995::/var/lib/chrony:/sbin/nologin
mysql:x:36:36::/app/data:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
[root@root ~]#
hash 算法保证数据的完整性
[root@root ~]# sha
sha1sum sha224sum sha256sum sha384sum sha512sum 支持的hash算法
[root@root ~]# sha1sum fr > fr.hash
[root@root ~]# sha1sum --check fr.hash 表示fr文件没有被更改过
fr: 确定
[root@root ~]# echo 1 >> fr 在fr文件追加一个数字1
[root@root ~]# sha1sum --check fr.hash 在次使用该命令检查文件他就会有提示
fr: 失败
sha1sum: 警告:1/1 生成的校验和不匹配
[root@root ~]# vim fr
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-bus-proxy:x:999:997:systemd Bus Proxy:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:998:996:User for polkitd:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
chrony:x:997:995::/var/lib/chrony:/sbin/nologin
mysql:x:36:36::/app/data:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
~
-- 插入 --
[root@root ~]# sha1sum --check fr.hash 在检查就会恢复正常
fr: 确定
[root@root ~]# cat op op文件的内容
123456789
987654321
[root@root ~]# sha1sum op >> fr.hash 同时检查多个文件
[root@root ~]# echo "0" >> op 修改op文件
[root@root ~]# sha1sum --check fr.hash
fr: 确定
op: 失败
sha1sum: 警告:1/2 生成的校验和不匹配
[root@root ~]# cat op 恢复op文件
123456789
987654321
[root@root ~]# sha1sum --check fr.hash
fr: 确定
op: 确定
非对称加密
A主机创建秘钥对
[root@localhost ~]# gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foun
dation, Inc.This is free software: you are free to change and redistr
ibute it.There is NO WARRANTY, to the extent permitted by law.
请选择您要使用的密钥种类:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (仅用于签名)
(4) RSA (仅用于签名)
您的选择? 1
RSA 密钥长度应在 1024 位与 4096 位之间。
您想要用多大的密钥尺寸?(2048)1024
您所要求的密钥尺寸是 1024 位
请设定这把密钥的有效期限。
0 = 密钥永不过期
<n> = 密钥在 n 天后过期
<n>w = 密钥在 n 周后过期
<n>m = 密钥在 n 月后过期
<n>y = 密钥在 n 年后过期
密钥的有效期限是?(0) 2
密钥于 2017年08月03日 星期四 07时55分15秒 CST 过期
以上正确吗?(y/n)y
You need a user ID to identify your key; the software con
structs the user IDfrom the Real Name, Comment and Email Address in this for
m: "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.
de>"
真实姓名:chenxi
电子邮件地址:
注释:
您选定了这个用户标识:
“chenxi”
更改姓名(N)、注释(C)、电子邮件地址(E)或确定(O)/退出(Q)?o 后回车
x 请输入密码 x
x x
x x
x Passphrase *******_________________________________ x 输入私钥加密口令;回车后需要再次确认
x x
x <OK> <Cancel> x
- 查看公钥
[root@centos6 ~]# gpg --list-key
/root/.gnupg/pubring.gpg
------------------------
pub 1024R/E03121EF 2017-07-31 [expires: 2017-08-03]
uid chenxi
sub 1024R/46DE5C3F 2017-07-31 [expires: 2017-08-03]
- 导出公钥
[root@centos6 ~]# gpg -a --export -o chenxi.pubkey
把公钥传到另一台主机上
[root@centos6 ~]# scp chenxi.pubkey 192.168.75.5:
The authenticity of host '192.168.75.5 (192.168.75.5)' ca
n't be established.RSA key fingerprint is a9:ad:42:ec:d4:20:cd:a2:ee:67:98:0
c:f9:79:74:f8.Are you sure you want to continue connecting (yes/no)? ye
sWarning: Permanently added '192.168.75.5' (RSA) to the li
st of known hosts.root@192.168.75.5's password:
Permission denied, please try again.
root@192.168.75.5's password:
chenxi.pubkey 100% 1000 1.0KB/s 00:00
[root@centos6 ~]#
在B主机上导入公钥
[root@root ~]# gpg --import chenxi.pubkey
gpg: /root/.gnupg/trustdb.gpg:建立了信任度数据库
gpg: 密钥 E03121EF:公钥“chenxi”已导入
gpg: 合计被处理的数量:1
gpg: 已导入:1 (RSA: 1)
查看公钥
[root@root ~]# gpg --list-key
/root/.gnupg/pubring.gpg
------------------------
pub 1024R/E03121EF 2017-07-31 [有效至:2017-08-03]
uid chenxi
sub 1024R/46DE5C3F 2017-07-31 [有效至:2017-08-03]
使用对应公钥加密
[root@root ~]# gpg -e -r chenxi yuer 加密yuer文件
gpg: 46DE5C3F:没有证据表明这把密钥真的属于它所声称的持有
者
pub 1024R/46DE5C3F 2017-07-31 chenxi
主钥指纹: F271 527F 283A 201F D0A1 3210 88FC D9E7 E031
21EF 子钥指纹: BA78 90A6 44C9 B0E0 98DB AA7F 87E6 0E24 46DE
5C3F
这把密钥并不一定属于用户标识声称的那个人。如果您真的知道
自己在做什么,您可以在下一个问题回答 yes。
无论如何还是使用这把密钥吗?(y/N)y
[root@root ~]# ls
anaconda-ks.cfg fr hg.gpg install.log.syslog op rt yuer.gpg 加密后的文件
chenxi.pubkey fr.hash install.log mariadb-5.5.57-linux-x86_64.tar.gz passwd.gpg yuer
传到A主机上
[root@root ~]# scp yuer.gpg 192.168.75.131:
The authenticity of host '192.168.75.131 (192.168.75.131)' can't be established.
RSA key fingerprint is 9b:e7:15:49:df:42:db:e4:40:9d:74:b2:71:b9:f5:40.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.75.131' (RSA) to the list of known hosts.
root@192.168.75.131's password:
yuer.gpg 100% 227 0.2KB/s 00:00
[root@root ~]#
到a主机解密
[root@centos6 ~]# gpg -o sed -d yuer.gpg 回车后需要输入私钥密码才能使用私钥解开
You need a passphrase to unlock the secret key for
user: "chenxi"
1024-bit RSA key, ID 46DE5C3F, created 2017-07-31 (main key ID E03121EF)
can't connect to `/root/.gnupg/S.gpg-agent': No such file or directory
(pinentry-gtk-2:3282): GLib-GObject-CRITICAL **: Object class GtkSecureEntry doesn't implement property 'editing-canceled
' from interface 'GtkCellEditable'gpg: encrypted with 1024-bit RSA key, ID 46DE5C3F, created 2017-07-31
"chenxi"
[root@centos6 ~]# ls
anaconda-ks.cfg Desktop Downloads install.log.syslog Pictures sed Videos
chenxi.pubkey Documents install.log Music Public Templates yuer.gpg
[root@centos6 ~]# cat sed 查看解开的文件
123456789
987654321
[root@centos6 ~]#
删除私钥
[root@centos6 ~]# gpg --delete-secret-keys chenxi
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
sec 1024R/E03121EF 2017-07-31 chenxi
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
[root@centos6 ~]#
删除公钥
[root@centos6 ~]# gpg --delete-keys chenxi
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub 1024R/E03121EF 2017-07-31 chenxi
Delete this key from the keyring? (y/N) y
