Linux OS Security: Using gpg for Symmetric Encryption

                                          Author: 尹正杰

Copyright notice: original work, reproduction prohibited; violators will be held legally liable.

一. Overview of the gpg toolkit

1>. What is gpg

  GnuPG is GNU's tool for secure communication and data storage. It can be used to encrypt data and to create digital signatures.

2>. Locate the installed gpg package

[root@node101.yinzhengjie.org.cn ~]# which gpg
/usr/bin/gpg
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# rpm -qf /usr/bin/gpg
gnupg2-2.0.22-5.el7_5.x86_64
[root@node101.yinzhengjie.org.cn ~]#

3>. View the gpg package details

[root@node101.yinzhengjie.org.cn ~]# rpm -qi gnupg2
Name : gnupg2
Version : 2.0.22
Release : 5.el7_5
Architecture: x86_64
Install Date: Mon 08 Jul 2019 04:23:21 PM CST
Group : Applications/System
Size : 6637796
License : GPLv3+
Signature : RSA/SHA256, Fri 13 Jul 2018 11:56:02 PM CST, Key ID 24c6a8a7f4a80eb5
Source RPM : gnupg2-2.0.22-5.el7_5.src.rpm
Build Date : Fri 13 Jul 2018 09:06:54 PM CST
Build Host : x86-01.bsys.centos.org
Relocations : (not relocatable)
Packager : CentOS BuildSystem <http://bugs.centos.org>
Vendor : CentOS
URL : http://www.gnupg.org/
Summary : Utility for secure communication and data storage
Description :
GnuPG is GNU's tool for secure communication and data storage. It can
be used to encrypt data and to create digital signatures. It includes
an advanced key management facility and is compliant with the proposed
OpenPGP Internet standard as described in RFC2440 and the S/MIME
standard as described by several RFCs.

GnuPG 2.0 is a newer version of GnuPG with additional support for
S/MIME. It has a different design philosophy that splits
functionality up into several modules. The S/MIME and smartcard functionality
is provided by the gnupg2-smime package.
[root@node101.yinzhengjie.org.cn ~]#

4>. Create a test file for encryption and decryption

[root@node101.yinzhengjie.org.cn ~]# echo "尹正杰到此一游" > f1.txt
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw-r--r-- 1 root root 22 Dec 20 14:49 f1.txt
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat f1.txt
尹正杰到此一游
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#

二. Worked example: symmetric encryption with gpg

1>. Encrypt a file symmetrically with gpg on node101.yinzhengjie.org.cn and copy it to node108.yinzhengjie.org.cn

[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw-r--r-- 1 root root 22 Dec 20 14:49 f1.txt
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# gpg -c f1.txt                            #Running this command opens a dialog like the one in the figure below, asking interactively for a symmetric passphrase; do not forget it, it is needed shortly.
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll                                   #After the command succeeds a new file named f1.txt.gpg appears; the source file is unchanged.
total 8
-rw-r--r-- 1 root root 22 Dec 20 14:49 f1.txt
-rw-r--r-- 1 root root 70 Dec 20 14:53 f1.txt.gpg
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# scp f1.txt.gpg root@node108.yinzhengjie.org.cn:~        #Copy the encrypted file to the other server.
f1.txt.gpg 100% 70 88.3KB/s 00:00
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#

2>. Decrypt the file on node108.yinzhengjie.org.cn

[root@node108.yinzhengjie.org.cn ~]# ll
total 4
-rw-r--r-- 1 root root 70 Dec 20 14:57 f1.txt.gpg
[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]# gpg -o f1.txt -d f1.txt.gpg           #Decrypt the gpg-encrypted file; a dialog like the one in the figure below asks for the passphrase used when encrypting.
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected
[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]# ll                          #After successful decryption a new file is created, the one named with the "-o" option.
total 8
-rw-r--r-- 1 root root 22 Dec 20 15:01 f1.txt
-rw-r--r-- 1 root root 70 Dec 20 14:57 f1.txt.gpg
[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]# cat f1.txt                      #The decrypted data is correct.
尹正杰到此一游
[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]#

三. Asymmetric encryption with gpg

1>. Generate a key pair on node101.yinzhengjie.org.cn (this step is more comfortable in a graphical session, but it works from a text console as well)

[root@node101.yinzhengjie.org.cn ~]# gpg --list-keys                  #No keys are managed yet
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# gpg --gen-key                   #This command generates a private key and a public key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: keyring `/root/.gnupg/secring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?                                         #Choose the algorithm here; the default is RSA
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024                            #Set the key length in bits here; 1024 is entered
Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 10                                    #Set the key's validity period. The default is 0, meaning it never expires; I entered 10, meaning 10 days. 10w would mean 10 weeks, 10m 10 months and 10y 10 years.
Key expires at Tue 31 Dec 2019 02:56:15 PM CST
Is this correct? (y/N) y                                    #A confirmation prompt; enter "y" (the default is "N"). From here on everything happens in the graphical dialogs shown in the figures below.

GnuPG needs to construct a user ID to identify your key.

Real name: yinzhengjie
Email address:
Comment:
You selected this USER-ID:
    "yinzhengjie"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway.  You can change your passphrase at any time,
using this program with the option "--edit-key".

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 9A039AE7 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2019-12-31
pub   1024R/9A039AE7 2019-12-21 [expires: 2019-12-31]
      Key fingerprint = FD59 DEBF 5278 6E06 5919 243A B0FB 8C5A 9A03 9AE7
uid                  yinzhengjie
sub   1024R/559B2D3F 2019-12-21 [expires: 2019-12-31]

[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll ~/.gnupg/                     #After this sequence of steps the following files exist
total 28
-rw-------. 1 root root 7680 Dec 21 14:55 gpg.conf
drwx------. 2 root root 6 Dec 21 14:58 private-keys-v1.d
-rw-------. 1 root root 667 Dec 21 15:05 pubring.gpg                  #File holding the public keys
-rw-------. 1 root root 667 Dec 21 15:05 pubring.gpg~
-rw-------. 1 root root 600 Dec 21 15:05 random_seed
-rw-------. 1 root root 1331 Dec 21 15:05 secring.gpg                  #File holding the private keys
srwxr-xr-x. 1 root root 0 Dec 21 14:58 S.gpg-agent
-rw-------. 1 root root 1280 Dec 21 15:05 trustdb.gpg
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# gpg --list-keys                    #List the keys managed on this host
/root/.gnupg/pubring.gpg
------------------------
pub   1024R/9A039AE7 2019-12-21 [expires: 2019-12-31]
uid                  yinzhengjie
sub   1024R/559B2D3F 2019-12-21 [expires: 2019-12-31]

[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#

2>. Export the public key as ASCII text and copy it to node108.yinzhengjie.org.cn

[root@node101.yinzhengjie.org.cn ~]# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub   1024R/45A32BE2 2019-12-20 [expires: 2019-12-30]
uid                  yinzhengjie
sub   1024R/83CADF8A 2019-12-20 [expires: 2019-12-30]

[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll ~/.gnupg/
total 28
-rw------- 1 root root 7680 Dec 20 14:50 gpg.conf
drwx------ 2 root root 6 Dec 20 14:50 private-keys-v1.d
-rw------- 1 root root 667 Dec 20 15:41 pubring.gpg
-rw------- 1 root root 667 Dec 20 15:41 pubring.gpg~
-rw------- 1 root root 600 Dec 20 15:41 random_seed
-rw------- 1 root root 1331 Dec 20 15:41 secring.gpg
srwxr-xr-x 1 root root 0 Dec 20 15:28 S.gpg-agent
-rw------- 1 root root 1280 Dec 20 15:41 trustdb.gpg
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll
total 0
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# gpg -a --export -o ~/yinzhengjie_pubkey
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw-r--r-- 1 root root 1008 Dec 20 19:28 yinzhengjie_pubkey
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# scp yinzhengjie_pubkey root@node108.yinzhengjie.org.cn:~
yinzhengjie_pubkey 100% 1008 1.3MB/s 00:00
[root@node101.yinzhengjie.org.cn ~]#

3>. node108.yinzhengjie.org.cn generates its own key pair (text-console version; it is much the same as the graphical one, though the console may appear to hang for a while before it finishes)

[root@node108.yinzhengjie.org.cn ~]# gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: yinzhengjie2019
Email address:
Comment:
You selected this USER-ID:
    "yinzhengjie2019"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway.  You can change your passphrase at any time,
using this program with the option "--edit-key".

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   1024R/F20B56D1 2019-12-20
      Key fingerprint = 31A2 D20D 499F EAC5 84F2 65E9 C197 A66A F20B 56D1
uid                  yinzhengjie2019
sub   1024R/80334CCC 2019-12-20

[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]# ll ~/.gnupg/
total 28
-rw------- 1 root root 7680 Dec 20 15:50 gpg.conf
drwx------ 2 root root 6 Dec 20 15:51 private-keys-v1.d
-rw------- 1 root root 659 Dec 20 17:02 pubring.gpg
-rw------- 1 root root 659 Dec 20 17:02 pubring.gpg~
-rw------- 1 root root 600 Dec 20 17:02 random_seed
-rw------- 1 root root 1323 Dec 20 17:02 secring.gpg
srwxr-xr-x 1 root root 0 Dec 20 15:51 S.gpg-agent
-rw------- 1 root root 1280 Dec 20 17:02 trustdb.gpg
[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]# gpg --list-keys                #node108.yinzhengjie.org.cn now has its own key pair too
/root/.gnupg/pubring.gpg
------------------------
pub   1024R/F20B56D1 2019-12-20
uid                  yinzhengjie2019
sub   1024R/80334CCC 2019-12-20

[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]#

4>. node108.yinzhengjie.org.cn imports the public key of node101.yinzhengjie.org.cn

[root@node108.yinzhengjie.org.cn ~]# ll ~/.gnupg/
total 28
-rw------- 1 root root 7680 Dec 20 15:50 gpg.conf
drwx------ 2 root root 6 Dec 20 15:51 private-keys-v1.d
-rw------- 1 root root 659 Dec 20 17:02 pubring.gpg            #Note this file's size; after the public key is imported below it changes
-rw------- 1 root root 659 Dec 20 17:02 pubring.gpg~
-rw------- 1 root root 600 Dec 20 17:02 random_seed
-rw------- 1 root root 1323 Dec 20 17:02 secring.gpg
srwxr-xr-x 1 root root 0 Dec 20 15:51 S.gpg-agent
-rw------- 1 root root 1280 Dec 20 17:02 trustdb.gpg
[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub   1024R/F20B56D1 2019-12-20
uid                  yinzhengjie2019
sub   1024R/80334CCC 2019-12-20

[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]# ll
total 4
-rw-r--r-- 1 root root 1008 Dec 20 19:29 yinzhengjie_pubkey
[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]# gpg --import ~/yinzhengjie_pubkey           #Import the public key of node101.yinzhengjie.org.cn
gpg: key 45A32BE2: public key "yinzhengjie" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]# gpg --list-keys                    #The public key of node101.yinzhengjie.org.cn is now listed as well
/root/.gnupg/pubring.gpg
------------------------
pub   1024R/F20B56D1 2019-12-20
uid                  yinzhengjie2019
sub   1024R/80334CCC 2019-12-20

pub   1024R/45A32BE2 2019-12-20 [expires: 2019-12-30]
uid                  yinzhengjie
sub   1024R/83CADF8A 2019-12-20 [expires: 2019-12-30]

[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]# ll ~/.gnupg/
total 28
-rw------- 1 root root 7680 Dec 20 15:50 gpg.conf
drwx------ 2 root root 6 Dec 20 15:51 private-keys-v1.d
-rw------- 1 root root 1326 Dec 20 19:30 pubring.gpg                  #The file has clearly grown
-rw------- 1 root root 659 Dec 20 17:02 pubring.gpg~
-rw------- 1 root root 600 Dec 20 17:02 random_seed
-rw------- 1 root root 1323 Dec 20 17:02 secring.gpg
srwxr-xr-x 1 root root 0 Dec 20 15:51 S.gpg-agent
-rw------- 1 root root 1280 Dec 20 17:02 trustdb.gpg
[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]#

5>. Encrypt data on node108.yinzhengjie.org.cn and send it to node101.yinzhengjie.org.cn

[root@node108.yinzhengjie.org.cn ~]# ll
total 4
-rw-r--r-- 1 root root 1008 Dec 20 19:29 yinzhengjie_pubkey
[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]# echo "尹正杰到此一游" > test.log
[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]# ll
total 8
-rw-r--r-- 1 root root 22 Dec 20 19:33 test.log
-rw-r--r-- 1 root root 1008 Dec 20 19:29 yinzhengjie_pubkey
[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]# cat test.log
尹正杰到此一游
[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub   1024R/F20B56D1 2019-12-20
uid                  yinzhengjie2019
sub   1024R/80334CCC 2019-12-20

pub   1024R/45A32BE2 2019-12-20 [expires: 2019-12-30]
uid                  yinzhengjie
sub   1024R/83CADF8A 2019-12-20 [expires: 2019-12-30]

[root@node108.yinzhengjie.org.cn ~]# gpg -e -r yinzhengjie test.log
gpg: D719A354: There is no assurance this key belongs to the named user

pub  1024R/D719A354 2019-12-20 yinzhengjie
 Primary key fingerprint: 2BFC 4720 67E2 6239 F521 DF69 083B 5C92 ED52 774D
      Subkey fingerprint: 4862 316E D296 B6BA 5E71 EE7E 3E9C FD35 D719 A354

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y
[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]# ll
total 12
-rw-r--r-- 1 root root 22 Dec 20 19:33 test.log
-rw-r--r-- 1 root root 236 Dec 20 20:10 test.log.gpg
-rw-r--r-- 1 root root 992 Dec 20 20:07 yinzhengjie_pubkey
[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]# scp test.log.gpg root@node101.yinzhengjie.org.cn:~
The authenticity of host 'node101.yinzhengjie.org.cn (172.30.1.101)' can't be established.
ECDSA key fingerprint is SHA256:KEchoZnVBkijeoWfG2nvx2ptthsXv7IjkxIJYule57g.
ECDSA key fingerprint is MD5:52:c8:f5:6e:5f:cf:44:ec:c4:11:60:d2:d0:31:3c:da.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'node101.yinzhengjie.org.cn,172.30.1.101' (ECDSA) to the list of known hosts.
root@node101.yinzhengjie.org.cn's password:
test.log.gpg 100% 236 303.1KB/s 00:00
[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]#

6>. node101.yinzhengjie.org.cn decrypts the data sent over from node108.yinzhengjie.org.cn

[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw-r--r-- 1 root root 236 Dec 20 20:11 test.log.gpg
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# gpg -d test.log.gpg               #Decrypting directly prints the plaintext in the current terminal
gpg: encrypted with 1024-bit RSA key, ID D719A354, created 2019-12-20
"yinzhengjie"
尹正杰到此一游
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll
total 4
-rw-r--r-- 1 root root 236 Dec 20 20:11 test.log.gpg
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# gpg -o res.log -d test.log.gpg           #Save the decrypted data to the named file
gpg: encrypted with 1024-bit RSA key, ID D719A354, created 2019-12-20
"yinzhengjie"
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll
total 8
-rw-r--r-- 1 root root 22 Dec 20 20:12 res.log
-rw-r--r-- 1 root root 236 Dec 20 20:11 test.log.gpg
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat res.log                     #The data is clearly correct
尹正杰到此一游
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
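The gpg messages above ("CAST5 encrypted data", "encrypted with 1 passphrase" and "WARNING: message was not integrity protected" in section 二, "encrypted with 1024-bit RSA key, ID D719A354" in section 三) are read straight from the packet headers of the .gpg file; the following Python is an added example, not code from the original post or from GnuPG, that walks those OpenPGP (RFC 4880) packets over two constructed messages. The function names iter_packets and describe and the sample bytes are assumptions made here; a tag-9 data packet is what triggers the integrity warning, while a tag-18 packet carries an MDC.

```python
SYM_ALGS = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "Blowfish", 7: "AES128", 8: "AES192", 9: "AES256"}
PK_ALGS = {1: "RSA", 16: "Elgamal", 17: "DSA"}
S2K_TYPES = {0: "simple", 1: "salted", 3: "iterated+salted"}


def iter_packets(data):
    """Yield (tag, body) for old- and new-format packet headers (partial lengths unsupported)."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet at offset %d" % pos)
        if ctb & 0x40:                                   # new-format header: 6-bit tag
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[pos + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[pos + 2:pos + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                            # old-format header: 4-bit tag
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            length = int.from_bytes(data[pos + 1:pos + 1 + (1 << ltype)], "big")
            hdr = 1 + (1 << ltype)
        body = data[pos + hdr:pos + hdr + length]
        if len(body) != length:
            raise ValueError("truncated packet at offset %d" % pos)
        yield tag, body
        pos += hdr + length


def describe(data):
    """Summarise how a message was encrypted and whether it carries an MDC (tag 18 vs tag 9)."""
    info = {"passphrases": 0, "recipients": [], "sym_alg": None, "s2k": None,
            "integrity_protected": False}
    for tag, body in iter_packets(data):
        if tag == 3:        # Symmetric-Key Encrypted Session Key, one per passphrase (gpg -c)
            info["passphrases"] += 1
            info["sym_alg"] = SYM_ALGS.get(body[1], "alg %d" % body[1])
            info["s2k"] = S2K_TYPES.get(body[2], "unknown")
        elif tag == 1:      # Public-Key Encrypted Session Key: version, 8-byte key ID, pk alg
            key_id = body[1:9].hex().upper()
            info["recipients"].append((key_id[-8:], PK_ALGS.get(body[9], "alg %d" % body[9])))
        elif tag == 18:     # Sym. Encrypted Integrity Protected Data: carries an MDC
            info["integrity_protected"] = True
        elif tag == 9:      # Sym. Encrypted Data without MDC: gpg prints the WARNING seen above
            info["integrity_protected"] = False
    return info


# Constructed sample 1, shaped like the `gpg -c` output above: a CAST5 session-key packet
# (iterated+salted S2K over SHA1) followed by a plain tag-9 data packet, i.e. no MDC.
SAMPLE_SYMMETRIC_NO_MDC = (
    bytes([0x8C, 0x0D, 0x04, 0x03, 0x03, 0x02]) + b"\x11" * 8 + b"\x60"   # tag 3, 13-byte body
    + bytes([0xA4, 0x10]) + b"\xAA" * 16                                   # tag 9, dummy ciphertext
)
# Constructed sample 2: a message for the RSA subkey ...D719A354 (tag 1, dummy MPI) followed by
# a tag-18 packet with a new-format header, i.e. integrity protected.
SAMPLE_PUBKEY_WITH_MDC = (
    bytes([0x84, 0x0E, 0x03]) + bytes.fromhex("3E9CFD35D719A354") + b"\x01\x00\x10\xBE\xEF"
    + bytes([0xD2, 0x15, 0x01]) + b"\xBB" * 20
)

if __name__ == "__main__":
    print(describe(SAMPLE_SYMMETRIC_NO_MDC), describe(SAMPLE_PUBKEY_WITH_MDC))
```

Pointing describe() at a real file (open(path, "rb").read()) shows the same fields gpg prints, and integrity_protected is the quick way to spot archives that will raise the warning when decrypted.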

7>. Delete the public key on node108.yinzhengjie.org.cn

[root@node108.yinzhengjie.org.cn ~]# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub   1024R/ED52774D 2019-12-20
uid                  yinzhengjie
sub   1024R/D719A354 2019-12-20

[root@node108.yinzhengjie.org.cn ~]# gpg --delete-keys yinzhengjie
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  1024R/ED52774D 2019-12-20 yinzhengjie

Delete this key from the keyring? (y/N) y
[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]# gpg --list-keys
[root@node108.yinzhengjie.org.cn ~]#
[root@node108.yinzhengjie.org.cn ~]#

8>. Delete the public key on node101.yinzhengjie.org.cn (the private key has to go first)

[root@node101.yinzhengjie.org.cn ~]# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub   1024R/ED52774D 2019-12-20
uid                  yinzhengjie
sub   1024R/D719A354 2019-12-20

[root@node101.yinzhengjie.org.cn ~]# gpg --delete-secret-keys yinzhengjie        #The private key must be deleted first
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

sec  1024R/ED52774D 2019-12-20 yinzhengjie

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub   1024R/ED52774D 2019-12-20
uid                  yinzhengjie
sub   1024R/D719A354 2019-12-20

[root@node101.yinzhengjie.org.cn ~]# gpg --delete-keys yinzhengjie            #Then delete the public key; deleting the public key while the private key still exists fails with an error
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  1024R/ED52774D 2019-12-20 yinzhengjie

Delete this key from the keyring? (y/N) y
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# gpg --list-keys
gpg: checking the trustdb
gpg: no ultimately trusted keys found
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# gpg --list-keys
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#

四. Encryption with the gpg tool alone is not secure

  As shown in the figure below, a man-in-the-middle sitting between the client and the server causes real trouble.

  Take a typical ARP attack: the man-in-the-middle can impersonate the IP addresses of both the client and the server. When the client requests the public key from the server, the man-in-the-middle impersonates the server and sends the client a fake public key, while at the same time impersonating the client to request the real public key from the server.

  Having received the fake public key, the client encrypts its data with it and sends it to what it believes is the server. Because that key was generated by the man-in-the-middle, he can naturally decrypt the data with his own private key and read it. If the information is not sensitive, the man-in-the-middle may forward a copy to the server unchanged; once sensitive information is involved, he is very likely to exploit it.

  So encrypting with gpg in this way carries a security risk: the "There is no assurance this key belongs to the named user" prompt seen in step 5 above is exactly that gap, since nothing in the exchange ties the public key to its owner. To solve this problem, certificate authorities were introduced.

  Readers interested in how certificates are requested can refer to my notes: https://www.cnblogs.com/yinzhengjie/p/12071167.html
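The practical mitigation for the key substitution described above is to compare the imported key's fingerprint with one obtained out of band (by phone, in person, or from a trusted directory) before answering "y" to gpg's "There is no assurance this key belongs to the named user" prompt. The following Python is an added example, not code from the original post or from GnuPG; the colon-format listing is constructed to resemble `gpg --with-colons --fingerprint` output for the key imported above, and the names normalize_fpr, primary_fingerprints and key_is_expected are assumptions made here.

```python
import re

# Constructed sample of `gpg --with-colons --fingerprint yinzhengjie` on node108, shaped like
# the key listed above (primary ...ED52774D, encryption subkey ...D719A354)
SAMPLE_COLONS = """\
tru::1:1576838000:0:3:1:5
pub:-:1024:1:083B5C92ED52774D:1576830000:::-:::scESC:
fpr:::::::::2BFC472067E26239F521DF69083B5C92ED52774D:
uid:-::::1576830000::0123456789ABCDEF0123456789ABCDEF01234567::yinzhengjie:
sub:-:1024:1:3E9CFD35D719A354:1576830000::::::e:
fpr:::::::::4862316ED296B6BA5E71EE7E3E9CFD35D719A354:
"""
# Constructed keyring with a second, substituted key that carries the same user ID
SAMPLE_COLONS_TWO_KEYS = SAMPLE_COLONS + """\
pub:-:1024:1:00000000DEADBEEF:1576831000:::-:::scESC:
fpr:::::::::00000000000000000000000000000000DEADBEEF:
uid:-::::1576831000::FEDCBA9876543210FEDCBA9876543210FEDCBA98::yinzhengjie:
"""


def normalize_fpr(text):
    """Drop the spaces gpg prints in fingerprints and upper-case; accept only 40 hex digits."""
    fpr = re.sub(r"\s+", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):
        raise ValueError("not a 40-hex-digit v4 fingerprint: %r" % text)
    return fpr


def primary_fingerprints(colon_output):
    """Map each user ID to the set of primary-key fingerprints it appears under."""
    result, primary, expect_fpr = {}, None, False
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":                 # new key: the next fpr record is the primary's
            primary, expect_fpr = None, True
        elif f[0] == "fpr" and expect_fpr:
            primary, expect_fpr = f[9], False
        elif f[0] == "uid" and primary:   # subkey fpr records are skipped (expect_fpr is False)
            result.setdefault(f[9], set()).add(primary)
    return result


def key_is_expected(colon_output, uid, expected_fpr):
    """True only if exactly the out-of-band fingerprint is bound to uid; fails closed otherwise."""
    fprs = primary_fingerprints(colon_output).get(uid, set())
    return bool(fprs) and fprs == {normalize_fpr(expected_fpr)}


if __name__ == "__main__":
    ok = key_is_expected(SAMPLE_COLONS, "yinzhengjie",
                         "2BFC 4720 67E2 6239 F521 DF69 083B 5C92 ED52 774D")
    print("safe to use key for yinzhengjie:", ok)
```

The check fails closed: it returns False when the user ID is absent or when more than one key carries it, which is what a substituted key looks like in the keyring.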
