在 CentOS7 中使用 gpg 创建 RSA 非对称密钥对

1、生成公钥私钥对

[19:40:34 root@localhost ~]#gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: mageyp
Email address: [email protected]
Comment: yp
You selected this USER-ID:
    "mageyp (yp) <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

过程中需要对服务器进行操作，生成随机码

#!/bin/bash

while true;do
    dd if=/dev/urandom of=/data/1.txt bs=1 count=50
    rm -rf /data/1/txt
done      

[19:47:07 root@localhost .gnupg]#gpg --list-key
/root/.gnupg/pubring.gpg
------------------------
pub   2048R/4F1E41EE 2020-09-05
uid                  mageyp (yp) <[email protected]>
sub   2048R/23D8FCD0 2020-09-05

将 CentOS7 导出的公钥，拷贝到 CentOS8 中，在 CentOS8 中使用 CentOS7 的公钥加密一个文件

从centos7上导出公钥

[19:49:00 root@localhost ~]#gpg -a --export -o yp.pubkey
[19:49:14 root@localhost ~]#ls
anaconda-ks.cfg  a.out  for.sh  reset_pro.sh  yp.pubkey  sh.sh

将公钥拷贝至centos8

[19:53:34 root@localhost ~]#rsync yp.pubkey 10.0.0.8:/root/
The authenticity of host '10.0.0.8 (10.0.0.8)' can't be established.
ECDSA key fingerprint is SHA256:B4GojTG9L1h2MUkoY950+2OuTNePsXfMQMtcFn6Z3YE.
ECDSA key fingerprint is MD5:67:05:02:31:bc:fc:06:c5:a3:6e:77:49:d9:41:55:98.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.8' (ECDSA) to the list of known hosts.
[email protected]'s password: 

在centos8上导入centos7公钥

[19:59:29 root@localhost ~]#gpg --import yp.pubkey 
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key B28657F84F1E41EE: public key "mageyp (yp) <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1
[19:59:51 root@localhost ~]#gpg --list-key
/root/.gnupg/pubring.kbx
------------------------
pub   rsa2048 2020-09-05 [SC]
      23C54C1023BEDCFC154D922BB28657F84F1E41EE
uid           [ unknown] mageyp (yp) <[email protected]>
sub   rsa2048 2020-09-05 [E]

利用centos7公钥加密文件

[20:02:24 root@localhost ~]#gpg -e -r mageyp fstab 
gpg: A7F1902A23D8FCD0: There is no assurance this key belongs to the named user
sub  rsa2048/A7F1902A23D8FCD0 2020-09-05 mageyp (yp) <[email protected]>
 Primary key fingerprint: 23C5 4C10 23BE DCFC 154D  922B B286 57F8 4F1E 41EE
      Subkey fingerprint: B9C3 A877 E2CC 0047 238A  8FAE A7F1 902A 23D8 FCD0

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y
[20:02:46 root@localhost ~]#ls
anaconda-ks.cfg  fstab  fstab.gpg  yp.pubkey

回到 CentOS7 服务器，远程拷贝 file.txt.gpg 文件到本地，使用 CentOS7的私钥解密文件

将加密后的文件拷回centos7

[20:06:05 root@localhost ~]#scp 10.0.0.8:/root/fstab.gpg .
[email protected]'s password: 
fstab.gpg                                                                 100%  736   671.1KB/s   00:00 

解密文件

[20:08:13 root@localhost ~]#ls
anaconda-ks.cfg  a.out  for.sh  fstab.gpg  reset_pro.sh  yp.pubkey  sh.sh
[20:08:13 root@localhost ~]#gpg -o fstab -d fstab.gpg

You need a passphrase to unlock the secret key for
user: "mageyp (yp) <[email protected]>"
2048-bit RSA key, ID 23D8FCD0, created 2020-09-05 (main key ID 4F1E41EE)

gpg: encrypted with 2048-bit RSA key, ID 23D8FCD0, created 2020-09-05
      "mageyp (yp) <[email protected]>"
[20:08:35 root@localhost ~]#cat fstab

#
# /etc/fstab
# Created by anaconda on Tue Jun 16 05:51:09 2020
#
# Accessible filesystems, by reference, are maintained under '/dev/disk/'.
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info.
#
# After editing this file, run 'systemctl daemon-reload' to update systemd
# units generated from this file.
#
UUID=0b1d1b8f-94f6-4836-9d2e-f389285b1712 /                       xfs     defaults        0 0
UUID=b90ac8b3-971f-4aba-9fab-baf955ce8290 /boot                   ext4    defaults        1 2
UUID=7cd49207-7801-4ea9-a208-11c170cfd976 /data                   xfs     defaults        0 0
UUID=d757fe53-a30f-4cc9-9cc7-0a50f835fe56 swap                    swap    defaults        0 0