Creating an RSA asymmetric key pair with gpg on CentOS7
1. Generate the public/private key pair
[19:40:34 root@localhost ~]#gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: mageyp
Email address: [email protected]
Comment: yp
You selected this USER-ID:
"mageyp (yp) <[email protected]>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
While the key is being generated, the server needs some activity to produce random bytes; running the following loop in another session keeps the disk busy until gpg has gathered enough entropy:
#!/bin/bash
# keep the disk busy while gpg gathers entropy in the other session
while true; do
    dd if=/dev/urandom of=/data/1.txt bs=1 count=50
    rm -f /data/1.txt
done
[19:47:07 root@localhost .gnupg]#gpg --list-key
/root/.gnupg/pubring.gpg
------------------------
pub 2048R/4F1E41EE 2020-09-05
uid mageyp (yp) <[email protected]>
sub 2048R/23D8FCD0 2020-09-05
Copy the public key exported from CentOS7 to CentOS8, and on CentOS8 use the CentOS7 public key to encrypt a file
Export the public key on CentOS7
[19:49:00 root@localhost ~]#gpg -a --export -o yp.pubkey
[19:49:14 root@localhost ~]#ls
anaconda-ks.cfg a.out for.sh reset_pro.sh yp.pubkey sh.sh
Copy the public key to CentOS8
[19:53:34 root@localhost ~]#rsync yp.pubkey 10.0.0.8:/root/
The authenticity of host '10.0.0.8 (10.0.0.8)' can't be established.
ECDSA key fingerprint is SHA256:B4GojTG9L1h2MUkoY950+2OuTNePsXfMQMtcFn6Z3YE.
ECDSA key fingerprint is MD5:67:05:02:31:bc:fc:06:c5:a3:6e:77:49:d9:41:55:98.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.8' (ECDSA) to the list of known hosts.
[email protected]'s password:
Import the CentOS7 public key on CentOS8
[19:59:29 root@localhost ~]#gpg --import yp.pubkey
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key B28657F84F1E41EE: public key "mageyp (yp) <[email protected]>" imported
gpg: Total number processed: 1
gpg: imported: 1
[19:59:51 root@localhost ~]#gpg --list-key
/root/.gnupg/pubring.kbx
------------------------
pub rsa2048 2020-09-05 [SC]
23C54C1023BEDCFC154D922BB28657F84F1E41EE
uid [ unknown] mageyp (yp) <[email protected]>
sub rsa2048 2020-09-05 [E]
Encrypt a file with the CentOS7 public key
[20:02:24 root@localhost ~]#gpg -e -r mageyp fstab
gpg: A7F1902A23D8FCD0: There is no assurance this key belongs to the named user
sub rsa2048/A7F1902A23D8FCD0 2020-09-05 mageyp (yp) <[email protected]>
Primary key fingerprint: 23C5 4C10 23BE DCFC 154D 922B B286 57F8 4F1E 41EE
Subkey fingerprint: B9C3 A877 E2CC 0047 238A 8FAE A7F1 902A 23D8 FCD0
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N) y
[20:02:46 root@localhost ~]#ls
anaconda-ks.cfg fstab fstab.gpg yp.pubkey
Back on the CentOS7 server, copy the file.txt.gpg file (fstab.gpg in this session) back over the network and decrypt it with the CentOS7 private key
Copy the encrypted file back to CentOS7
[20:06:05 root@localhost ~]#scp 10.0.0.8:/root/fstab.gpg .
[email protected]'s password:
fstab.gpg 100% 736 671.1KB/s 00:00
Decrypt the file
[20:08:13 root@localhost ~]#ls
anaconda-ks.cfg a.out for.sh fstab.gpg reset_pro.sh yp.pubkey sh.sh
[20:08:13 root@localhost ~]#gpg -o fstab -d fstab.gpg
You need a passphrase to unlock the secret key for
user: "mageyp (yp) <[email protected]>"
2048-bit RSA key, ID 23D8FCD0, created 2020-09-05 (main key ID 4F1E41EE)
gpg: encrypted with 2048-bit RSA key, ID 23D8FCD0, created 2020-09-05
"mageyp (yp) <[email protected]>"
[20:08:35 root@localhost ~]#cat fstab
#
# /etc/fstab
# Created by anaconda on Tue Jun 16 05:51:09 2020
#
# Accessible filesystems, by reference, are maintained under '/dev/disk/'.
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info.
#
# After editing this file, run 'systemctl daemon-reload' to update systemd
# units generated from this file.
#
UUID=0b1d1b8f-94f6-4836-9d2e-f389285b1712 / xfs defaults 0 0
UUID=b90ac8b3-971f-4aba-9fab-baf955ce8290 /boot ext4 defaults 1 2
UUID=7cd49207-7801-4ea9-a208-11c170cfd976 /data xfs defaults 0 0
UUID=d757fe53-a30f-4cc9-9cc7-0a50f835fe56 swap swap defaults 0 0
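The whole exchange above (generate on CentOS7, export, import on CentOS8, encrypt, decrypt back on CentOS7) as one added, non-interactive script; this is example code written for this page, not part of the original post. Two separate --homedir keyrings stand in for the two hosts. It adds the check the "There is no assurance this key belongs to the named user" prompt is asking for: the primary-key fingerprint read on the exporting host is compared with the one read after import, and only then is the key used, addressed by fingerprint rather than by the name "mageyp". It assumes GnuPG 2.1 or newer (CentOS 8's 2.2 works; CentOS 7's 2.0.22 needs a Passphrase: line instead of %no-protection), and the user ID, the e-mail mageyp@example.com and the fstab text are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): the CentOS7 -> CentOS8 -> CentOS7
# exchange replayed non-interactively with two GNUPGHOME directories standing in
# for the two hosts. Assumes GnuPG >= 2.1. User ID, e-mail and fstab contents
# are constructed placeholders.

gpg_roundtrip_demo() {
    command -v gpg >/dev/null 2>&1 || { echo "SKIP_NO_GPG"; return 0; }

    tmp=$(mktemp -d) || return 1
    c7="$tmp/centos7"; c8="$tmp/centos8"      # one keyring per "host"
    mkdir -p "$c7" "$c8" && chmod 700 "$c7" "$c8"

    # 1. Generate the RSA/RSA pair on "CentOS7" (batch form of gpg --gen-key).
    #    %no-protection skips the passphrase so no pinentry is needed here;
    #    a real key should be passphrase-protected as in the post.
    cat >"$tmp/params" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: mageyp
Name-Comment: yp
Name-Email: mageyp@example.com
Expire-Date: 0
%commit
EOF
    gpg --homedir "$c7" --batch --quiet --gen-key "$tmp/params" 2>/dev/null \
        || { echo "KEYGEN_FAILED"; return 1; }

    # Primary-key fingerprint as known on the exporting host: this is the value
    # to carry over out of band (console, ticket, phone) and compare later.
    fpr_c7=$(gpg --homedir "$c7" --batch --with-colons --fingerprint mageyp \
             | awk -F: '$1=="fpr"{print $10; exit}')

    # 2. Export the public key, ASCII-armoured like "gpg -a --export" in the post.
    gpg --homedir "$c7" --batch --armor --export mageyp >"$tmp/yp.pubkey"

    # 3. Import it on "CentOS8" and read back the fingerprint that keyring now holds.
    gpg --homedir "$c8" --batch --quiet --import "$tmp/yp.pubkey" 2>/dev/null
    fpr_c8=$(gpg --homedir "$c8" --batch --with-colons --fingerprint mageyp \
             | awk -F: '$1=="fpr"{print $10; exit}')

    # The "no assurance this key belongs to the named user" prompt exists because
    # CentOS8 cannot know the imported key is genuine; this comparison is the check.
    [ -n "$fpr_c7" ] && [ "$fpr_c7" = "$fpr_c8" ] \
        || { echo "FINGERPRINT_MISMATCH"; return 1; }

    # 4. Encrypt on "CentOS8". The recipient is the fingerprint, not the name
    #    "mageyp", so a look-alike key cannot be picked; --trust-model always is
    #    the non-interactive form of answering "y", acceptable only after the
    #    fingerprint comparison above.
    printf '%s\n' '# constructed sample, not a real fstab' \
        'UUID=00000000-0000-0000-0000-000000000000 / xfs defaults 0 0' \
        >"$tmp/fstab"
    gpg --homedir "$c8" --batch --yes --quiet --trust-model always \
        -r "$fpr_c7" -o "$tmp/fstab.gpg" -e "$tmp/fstab" 2>/dev/null \
        || { echo "ENCRYPT_FAILED"; return 1; }

    # 5. Back on "CentOS7", decrypt with the private key and compare with the original.
    gpg --homedir "$c7" --batch --yes --quiet \
        -o "$tmp/fstab.dec" -d "$tmp/fstab.gpg" 2>/dev/null \
        || { echo "DECRYPT_FAILED"; return 1; }
    cmp -s "$tmp/fstab" "$tmp/fstab.dec" || { echo "CONTENT_MISMATCH"; return 1; }

    # "CentOS8" holds only the public key, so it must not be able to decrypt.
    if gpg --homedir "$c8" --batch --quiet -d "$tmp/fstab.gpg" >/dev/null 2>&1; then
        echo "C8_COULD_DECRYPT"; return 1
    fi

    # Stop the per-homedir agents and clean up.
    gpgconf --homedir "$c7" --kill gpg-agent 2>/dev/null || true
    gpgconf --homedir "$c8" --kill gpg-agent 2>/dev/null || true
    rm -rf "$tmp"
    echo "ROUNDTRIP_OK"
}

gpg_roundtrip_demo
```

The script prints ROUNDTRIP_OK when the decrypted file matches the original and the public-key-only keyring cannot decrypt; any failed step prints its name and returns non-zero. On the real hosts the same sequence applies, with the fingerprint from gpg --fingerprint on CentOS7 compared against the one shown on CentOS8 before answering the "Use this key anyway?" prompt.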