Environment:
[root@Shining ~]# uname -a
Linux Shining.ACG 3.10.0-327.el7.x86_64 #1 SMP Thu Nov 19 22:10:57 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
[root@Shining ~]# lsb_release -a
LSB Version:    :core-4.1-amd64:core-4.1-noarch
Distributor ID: CentOS
Description:    CentOS Linux release 7.2.1511 (Core)
Release:        7.2.1511
Codename:       Core
[root@localhost ~]# cat /etc/centos-release
CentOS release 6.8 (Final)
[root@localhost ~]# uname -a
Linux localhost.localdomain 2.6.32-642.el6.x86_64 #1 SMP Tue May 10 17:27:01 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
What we are going to do is roughly shown in the figure below:
– Generate a public/private key pair on CentOS 6
[root@localhost ~]# gpg --gen-key
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1                        # choose the key type
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024    # choose the key size
Requested keysize is 1024 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0                  # choose the validity period (0 = never expires)
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: shell                         # enter the name
Email address: shell@163.com             # enter the email address
Comment: shell                           # enter a comment
You selected this USER-ID:
    "shell (shell) <shell@163.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

can't connect to `/root/.gnupg/S.gpg-agent': No such file or directory
(pinentry-gtk-2:5831): GLib-GObject-CRITICAL **: Object class GtkSecureEntry doesn't implement property 'editing-canceled' from interface 'GtkCellEditable'
(pinentry-gtk-2:5834): GLib-GObject-CRITICAL **: Object class GtkSecureEntry doesn't implement property 'editing-canceled' from interface 'GtkCellEditable'
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 6D9DAFDF marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: next trustdb check due at 2019-11-30
pub   1024R/6D9DAFDF 2016-12-01
      Key fingerprint = 98B7 E1D8 2F63 6F77 0AC1  D577 FDA1 1AB2 6D9D AFDF
uid                  shell (shell) <shell@163.com>
sub   1024R/EA7FC298 2016-12-01
You will be asked to enter the passphrase twice during this step:
– Export the public key
[root@localhost ~]# gpg -a --export -o shell.pubkey
– Copy the public key to CentOS 7
[root@localhost ~]# scp shell.pubkey 172.16.253.159:/root
root@172.16.253.159's password:
shell.pubkey                                  100% 1939     1.9KB/s   00:00
– Import the public key on CentOS 7
[root@Shining ~]# gpg --import shell.pubkey
gpg: key 3A556FDA: "wangcai (wangcai) <wangcai@163.com>" not changed
gpg: key 6D9DAFDF: public key "shell (shell) <shell@163.com>" imported
gpg: Total number processed: 2
gpg:               imported: 1  (RSA: 1)
gpg:              unchanged: 1
– List the keys now in the keyring
[root@Shining ~]# gpg --list-key
/root/.gnupg/pubring.gpg
------------------------
pub   1024R/1A8CB5B2 2016-11-30
uid                  shiningacg
sub   1024R/6C970F98 2016-11-30

pub   1024R/3A556FDA 2016-11-30 [expires: 2019-11-30]
uid                  wangcai (wangcai) <wangcai@163.com>
sub   1024R/5B63A8CB 2016-11-30 [expires: 2019-11-30]

pub   1024R/6D9DAFDF 2016-12-01
uid                  shell (shell) <shell@163.com>
sub   1024R/EA7FC298 2016-12-01
– Encrypt a file with the public key on CentOS 7 (the public key file itself is used as the test file here)
[root@Shining ~]# gpg -e -r shell shell.pubkey
gpg: EA7FC298: There is no assurance this key belongs to the named user

pub  1024R/EA7FC298 2016-12-01 shell (shell) <shell@163.com>
 Primary key fingerprint: 98B7 E1D8 2F63 6F77 0AC1  D577 FDA1 1AB2 6D9D AFDF
      Subkey fingerprint: D879 559A 7E61 1CA2 ADAB  0AC0 DFE0 ED9B EA7F C298

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y
– Send the encrypted file from CentOS 7 to CentOS 6
[root@Shining ~]# scp shell.pubkey.gpg 172.16.252.157:/root
root@172.16.252.157's password:
shell.pubkey.gpg                              100% 1691     1.7KB/s   00:00
– Decrypt the file on CentOS 6
[root@localhost ~]# gpg -d shell.pubkey.gpg

You need a passphrase to unlock the secret key for
user: "shell (shell) <shell@163.com>"
1024-bit RSA key, ID EA7FC298, created 2016-12-01 (main key ID 6D9DAFDF)

can't connect to `/root/.gnupg/S.gpg-agent': No such file or directory
(pinentry-gtk-2:5906): GLib-GObject-CRITICAL **: Object class GtkSecureEntry doesn't implement property 'editing-canceled' from interface 'GtkCellEditable'
gpg: encrypted with 1024-bit RSA key, ID EA7FC298, created 2016-12-01
      "shell (shell) <shell@163.com>"
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.14 (GNU/Linux)

[armored key body omitted]
-----END PGP PUBLIC KEY BLOCK-----
Enter the passphrase.
– Delete the CentOS 6 public key on CentOS 7
[root@Shining ~]# gpg --delete-keys shell
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  1024R/6D9DAFDF 2016-12-01 shell (shell) <shell@163.com>

Delete this key from the keyring? (y/N) y
– Delete the private key and the public key on CentOS 6
[root@localhost ~]# gpg --delete-secret-keys shell
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

sec  1024R/6D9DAFDF 2016-12-01 shell (shell) <shell@163.com>

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
[root@localhost ~]# gpg --delete-keys shell
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  1024R/6D9DAFDF 2016-12-01 shell (shell) <shell@163.com>

Delete this key from the keyring? (y/N) y
List the keys:
[root@localhost ~]# gpg --list-key
/root/.gnupg/pubring.gpg
------------------------
pub   1024R/3A556FDA 2016-11-30 [expires: 2019-11-30]
uid                  wangcai (wangcai) <wangcai@163.com>
sub   1024R/5B63A8CB 2016-11-30 [expires: 2019-11-30
Summary:
I ran into two problems during this exercise:
– The first time I imported the public key on CentOS 7 it complained that there was no valid user ID. After I added a complete user ID that error went away, but a new one appeared: the public key could not be imported, with a message about a missing self-signature or something like that. After a reboot the next day the problem was gone......
– At first I mixed up CAs with public/private key pairs; I went back over the slides and still did not manage to figure it out.
Original article by wangshuai. If you repost it, please credit the source: http://www.178linux.com/61774