GnuPG lets you verify the signature supplied with software you are about to install, so you can be sure the software is the original. GnuPG also does much more than signature checking: it can be used to encrypt all kinds of data.
To install GnuPG (under CentOS):
# yum install gnupg2 pinentry
Use GnuPG:
First of all, if this is the first time you use GnuPG, you must create a new key-pair (public and private):
# gpg --gen-key
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: Tony Xu
Email address: tonylixu@gmail.com
Comment:
You selected this USER-ID:
"Tony Xu <tony#email.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

can't connect to `/root/.gnupg/S.gpg-agent': No such file or directory
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 4BCB79BD marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 2048R/4BCB79BD 2014-09-18
Key fingerprint = AF16 1623 FD55 115F 1BD2 F0DC 691C E788 4BCB 79BD
uid Tony Xu <tonylixu@gmail.com>
sub 2048R/49AB981B 2014-09-18
Note: The new key-pair (secret and public key) is created in the root user's home directory, /root, under the .gnupg subdirectory, because we issued this GnuPG command as user “root”. If you run the above command as another user on the system, the generated keys will be located under that user's home directory on the server.
Exporting GPG key/s:
Once the key-pair is created, you can publish the public key (NEVER export your private key!!). GnuPG has some useful options to help you publish your public key:
1. Extract the public key in ASCII (armored) output:
# gpg --export -ao Tony Xu
2. “-a” produces ASCII armor and “-o” takes the next argument as the output file name, so the resulting output will be a file called “Tony”:
# vi Tony
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.0.7 (GNU/Linux)
Comment: For info see http://www.gnupg.org
[armored key data omitted]
-----END PGP PUBLIC KEY BLOCK-----
Importing GPG key/s:
When you receive someone's public key (or some trusted third-party keys), you have to add them to your key database in order to be able to use those keys for future encryption, verification and authentication.
Assume the GPG public key we retrieved is called company.asc:
# gpg --import company.asc
gpg: key 3487965A: public key imported
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: Total number processed: 1
gpg: imported: 1
Signing GPG key/s:
When you import keys into your public keyring database and are sure that the trusted third party really is the person they claim to be, you can start signing their keys. Signing a key certifies that you know the owner of the key: your signature acknowledges that the user ID mentioned in the key actually belongs to the owner of that key.
# gpg --sign-key company
pub 2048D/3487965A created: 2001-07-02 expires: never trust: -/q
sub 2048g/0146F594 created: 2001-07-02 expires: never
(1). Company Inc. <noc@company.com>

pub 2048D/3487965A created: 2001-07-02 expires: never trust: -/q
Fingerprint: 7A3D 6871 2DF1 9210 8ABE AF36 D460 86D5 3487 965A
Company Inc. <noc@company.com>

Are you really sure that you want to sign this key with your key: "Tony Xu <tony@email.com>"
Really sign? y
You need a passphrase to unlock the secret key for user: "Tony Xu <tony@email.com>"
2048-bit DSA key, ID 2E5378F7, created 2010-04-24
Enter passphrase:
Checking GPG signature:
Once you have signed the key from "company", you can check whether data received from "company" is really signed by "company".
To verify data:
# gpg --verify Data
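A plain "gpg --verify" exit status only tells you that some key in your keyring produced a good signature, not which one. As an added example (not from the original post), the POSIX shell functions below read gpg's machine-readable --status-fd lines and accept a signature only when its VALIDSIG fingerprint matches one you pin in advance; the fingerprint used in the comments is the one shown for Tony Xu above, and the file names are placeholders.

```shell
#!/bin/sh
# Added example: pin the expected signer fingerprint when verifying a file.
# Assumes gpg (gpg2) is installed; FILE/SIGFILE names below are placeholders.

# check_gpg_status FPR
#   Reads "[GNUPG:] ..." status lines on stdin (as emitted by --status-fd).
#   Succeeds only if a VALIDSIG line carries the pinned 40-hex fingerprint
#   and no BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG/NO_PUBKEY line is present.
check_gpg_status() {
    fpr="$1"
    valid=0
    bad=0
    while IFS= read -r line; do
        case "$line" in
            "[GNUPG:] VALIDSIG $fpr "*)
                valid=1 ;;
            "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] EXPKEYSIG "*|\
            "[GNUPG:] REVKEYSIG "*|"[GNUPG:] NO_PUBKEY "*)
                bad=1 ;;
        esac
    done
    [ "$valid" -eq 1 ] && [ "$bad" -eq 0 ]
}

# verify_download FILE SIGFILE FPR
#   Runs gpg on a detached signature and feeds its status lines to the check.
#   Example (placeholder names, fingerprint from the key generated above):
#   verify_download sw.tar.gz sw.tar.gz.asc AF161623FD55115F1BD2F0DC691CE7884BCB79BD
verify_download() {
    gpg --status-fd 1 --verify "$2" "$1" 2>/dev/null | check_gpg_status "$3"
}
```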
Encrypting and decrypting GPG files:
Once GnuPG is installed and the keys are imported, signed and configured the way we want, you can encrypt and sign data for the user "company" that we added to our keyring database above with the following command:
# gpg -sear company Message-to-company.txt
You need a passphrase to unlock the secret key for user: "Tony Xu <tony@email.com>"
2048-bit DSA key, ID 2E5378F7, created 2002-04-24
Enter passphrase:
“s” is for signing (to avoid the risk that somebody else claims to be you, it is very useful to sign everything you encrypt), “e” for encrypting, “a” to create ASCII-armored output (“.asc”, ready for sending by mail), “r” to name the recipient UID whose public key the message is encrypted to, and the file argument is the message you want to encrypt.
To decrypt:
# gpg -d Message-from-Tony.asc
You need a passphrase to unlock the secret key for user: "Tony Xu <tony@email.com>"
2048-bit DSA key, ID 2E5378F7, created 2002-04-24
Enter passphrase: