GPG(1)

GnuPG Commands – Examples

内容列表
   
加密/解密
   
  • 加密
  • 对称加密
  • 解密
  • “给自己解密”
 
Signing/Verifying
 
 
Combining Commands
 
 
Key Management
 
 
Return to Index

Encryption / Decryption

In This Section 

Return to Table of Contents

Encryption (gpg [–options] –encrypt file)

You encrypt files by using the –encrypt command and specifying the file or data to be encrypted..

D:\TEMP>gpg --encrypt my-file.txt

You did not specify a user ID. (you may use "-r")

Enter the user ID. End with an empty line: bobbone@cowtownu.edu
Added 2048g/AB53B492 2001-11-13 "Bob Bone <bobbone@cowtownu.edu>"

Enter the user ID. End with an empty line:

D:\TEMP>

If you don’t specify a recipient with your command, GPG prompts you to specify a recipient (whose public key must be on your keyring). Once you specify a recipient, GPG encrypts your file (my-file.txt) to a similarly named file with the extension .GPG (my-file.gpg).

You can avoid bring prompted for a recipient by specifying a –recipient as an option.

D:\TEMP>gpg --recipient Bob --encrypt my-file.txt

D:\TEMP>

Notice that the — recipient option comes before the –encrypt command.

In both of the examples we’ve looked at, GPG encrypts the file (my-file.txt) and produces a similarly named file (my-file.gpg) as output. This new output file is an encrypted (ciphertext) version of the original plaintext file, but is is a binary file. The contents of this encrypted binary file will look like gobbledygook when opened with a simple text editor like Notepad. Binary files are perfectly fine to send intact to a recipient "as is," however, they can present problems if you want to send  the encrypted contents (the ciphertext) in the body of an email message.  

If you want to work with the encrypted contents (ciphertext) of your file in text format, there is a solution. GPG allows you to encrypt your file to a special format known as ASCII Armor. You can send the ASCII Armored contents in the body of an email message.

To encrypt your file and produce an ASCII Armored file as the output, use the –armor option. Remember that options precede commands. 

D:\TEMP>gpg --recipient bobbone@cowtownu.edu --armor --encrypt my-file.txt

D:\TEMP>

When encrypting to ASCII Armor, GPG produces an encrypted file with the extension .ASC (instead of .GPG). .GPG files are binary files; .ASC files are ASCII Armored files. In these examples, both are encrypted with the same strong level of encryption.

If you open up an ASCII Armored file, you’ll see that most (but not all) of its contents are gobbledygook. This gobbledygook, however, can be used "as is" in an email because it is simple text  — it is not binary data. The strange looking block of characters in the middle contains the encrypted contents (ciphertext) of your original file in ASCII Armor format. You can send that ASCII Armor text block in the body of an email message.

D:\TEMP>type my-file.asc

-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.0.7 (MingW32)

hQIOA68nz9GqU7SREAgAxWfwvpziO4N6KquxmeuYD/txfTceyXRZGVqAGFUGmOdE
+K9PCLp/+p3cFC8OcOZg8WReI4wlpYzgS3/XsB4LL9MegSHwjjI9jNsnQOr9EeLA
IgDEb1NeXZ499qnSY1ZvCy/VCF1O7H71y77VQTckpfyHgWvzkaaaheMC0r+JGLZO
0w3NCTERFJ8XaXKz/+qw4gA7xxbpT9nXVXMwEwYgiAviJBJhdYw63oTlRYGgGzPh
H2YVNv2TWnpWp816xi+sbM1ZsJJERnAZSADKFYZzYw4E73VhUlrX5YBY4WN7UmQw
yg73zfJYBuJ8+HymPhUUNH7KFqT5T2Cv4TRJgeWvxAgA3/bSCxncZ640z7KlMCMk
IskJkKRau6jeLJZKheZnyBoYiJLuJw+4FeOIkpk3ZKbWzk18kFT47x5kZA051g/p
A300n5ivHauHQz8jVTXBNF800YtkknB4+H9q5lnVYik0JsPLKGX+/sjEJ01iWaWl
wBC3poSYT+l63wNO73CDhx4VbpOzLgzbyNB6O67iuiQm2D9hLwk8L4YPOoMlfwyM
kUmsZUX709sMBHZN/9aniaVBsLxszHw9xu5OuSz/lHkckplcwb94XDLh1KGGO+1Q
LzbpFYPqe3BANLK5xxlQAAti/uk0XYltVJfUOCzyxl282X3Tp/77FtiGGb8RI1HY
hslojkAQa9gK1+f44Y8LwHH5k7fQr+Q+luqP7inoEQWbpWW4hu80Wkafv/bzI/xu
Z1qGcEVcJGJPP7QwQWUp53FbZuIq742CoxNklwvlnjhEaXa5rG2dmHUREawVzz+q
M8RkPBZIBge0SVY=
=WznL
-----END PGP MESSAGE-----

D:\TEMP>

As you’ve seen, when GPG encrypts files it produces similarly named files with the extension .GPG or .ASC as output. You can specify the name of the output file yourself, however, with the –output option.

D:\TEMP>gpg --recipient Bob --armor --output your-file.asc --encrypt my-file.txt

D:\TEMP>

In this example GPG encrypts my-file.txt and produces an ASCII Armored file named your-file.asc.

When using the –encrypt command, you may receive a warning from GPG about the "trust" in a key’s owner:

D:\TEMP>gpg --recipient Bob --encrypt my-file.txt

gpg: checking the trustdb
gpg: checking at depth 0 signed=0 ot(-/q/n/m/f/u)=0/0/0/0/0/4
gpg: AB53B492: There is no indication that this key really belongs to the owner
2048g/AB53B492 2001-11-13 "Bob Bone <bobbone@cowtownu.edu>"
Fingerprint: C8C5 2C0A B2A4 8174 01E8 12C8 F3CC 3233 3FAD 9F1E

It is NOT certain that the key belongs to its owner.
If you *really* know what you are doing, you may answer
the next question with yes

Use this key anyway? Y

D:\TEMP>

This message tells you that you have not yet signed the recipient’s public key in order to establish a level of trust for that key. Although you ought to consider signing the key in order to set the trust level for the key, you can simply answer "yes" when GPG’s confirms that you want to use the key and GPG will encrypt the file or message using that public key. (You can suppress this warning by adding the –always-trust option to your Options file.)  For more information on signing keys and establishing trust levels for keys, see the Understanding Signatures & Trust and Signing Keys sections below.

(For more information on encrypting messages and files, see the GNU Privacy Handbook.)

Symmetric Encryption (gpg [–options] –symmetric file)

You can encrypt files using symmtric encryption (as opposed to public key encryption) with the –symmetric command. You will be prompted for a passphrase to protect the key used to encrypt the file.

D:\TEMP>gpg --symmetric my-file.txt

Enter passphrase: My_31337_Passphrase
Repeat passphrase: My_31337_Passphrase

D:\TEMP>

With symmetric encryption, you encrypt and decrypt files with the same key (which GPG generates and protects with the passphrase you supply). By contrast, the –encryptcommand uses asymmetric encryption: you encrypt files with other people’s public keys, and they decrypt with their secret (or private) keys. (For more information on symmetric vs. asymmetric encryption, see the GNU Privacy Handbook.) Symmetric encryption is useful if you don’t plan to deliver or distribute the files to other people. For example, you may simply want to protect sensitive files on your own hard drive (not distribute them to other people).

You can combine the –symmetric command with the –output or –armor options, just like the –encrypt command.

(For more information on using symmetric encryption, see the GNU Privacy Handbook.)

Decryption (gpg [–options] –decrypt file)

To decrypt an encrypted file, use the –decrypt command. The  –decrypt command should be used no matter whether you have received that file from someone else (who encrypted with the –encrypt command it using your public key), or whether you encrypted the file yourself with symmetric encryption by using the –symmetric command. 

If the file was encrypted to your public key with the –encrypt command, GPG asks you for the passphrase for your secret key (often called a private key).

D:\TEMP>gpg --decrypt my-file.gpg

You need a passphrase to unlock the secret key for
user: "Bob Bone <bobbone@cowtownu.edu>"
2048-bit ELG-E key, ID AB53B492, created 2001-11-13 (main key ID 3FAD9F1E)

Enter passphrase: My_31337_Passphrase

gpg: encrypted with 2048-bit ELG-E key, ID AB53B492, created 2001-11-13
"Bob Bone <bobbone@cowtownu.edu>"

This is my file.

I have many such files.

But this is the file I'm working with now.

D:\TEMP>

If you encrypted the file yourself with symmetric encryption (–symmetric), GPG asks for the passphrase that you assigned to the file. 

D:\TEMP>gpg --decrypt my-file.gpg

gpg: CAST5 encrypted data
Enter passphrase: My_31337_Passphrase

This is my file.

I have many such files.

But this is the file I'm working with now.

D:\TEMP>

If you don’t specify an output file for the decrypted (plaintext) contents, GPG merely displays the decrypted contents inline. You can specify an output file for the decrypted contents with the –output option. 

D:\TEMP>gpg --output my-file.txt --decrypt my-file.gpg

You need a passphrase to unlock the secret key for
user: "Bob Bone <bobbone@cowtownu.edu>"
2048-bit ELG-E key, ID AB53B492, created 2001-11-13 (main key ID 3FAD9F1E)

Enter passphrase: My_31337_Passphrase

gpg: encrypted with 2048-bit ELG-E key, ID AB53B492, created 2001-11-13
"Bob Bone <bobbone@cowtownu.edu>"

D:\TEMP>

Once GPG has decrypted the file to my-file.txt, you can open my-file.txt and view the decrypted (plaintext) contents.

(For more information on decrypting messages and files, see the GNU Privacy Handbook.)

"Encrypt-to-Self"

When you encrypt a file or message with the –encrypt command, you are encrypting with someone else’s public key. Strangely enough, even though you encrypted the file or message yourself, you won’t be able to decrypt that encrypted file and access the plaintext. The only person who can decrypt the file is the owner of the secret key that is the partner of the public key used to encrypt the file. That’s the nature of asymmetric, public key encryption: you encrypt with the public key and decrypt with the secret key (private key). If you don’t keep a copy of the plaintext original file yourself (and you probably shouldn’t for security reasons), then you face being locked out of the very files and messages that you have encrypted and sent to other people. Happily, there is a solution: the –encrypt-to option.

You can include the –encrypt-to option in your Options file and specify your own public key. This option is often called the "encrypt-to-self" option, because it tells GPG to encrypt the message with your own public key as well as your recipient’s public key. With an –-encrypt-to key designated in the Options file, GPG automatically encrypts messages and files to the public keys of the recipients you specify with the –recipient option as well as your own public key. The result: both you and your recipients will be able to decrypt the files or messages.

To use the –-encrypt-to option in your Options file, drop the leading dashes ( — ) and specify your own key’s Key ID. (You can get your own Key ID with the –list-keyscommand.) For example, Bob (whose Key ID is 0x3FAD9F1E) could include the following line in his Options file:

encrypt-to 0x3FAD9F1E

(Note that even though Bob’s key includes an encryption subkey with a separate Key ID, he simply uses the Key ID for his master key.)

Now Bob can encrypt a file to his friend Phil, just as he normally would…

D:\TEMP>gpg --recipient Phil --encrypt my-file.txt

D:\TEMP>

…and still turn around and decrypt the file himself.

D:\TEMP>gpg --decrypt my-file.gpg

You need a passphrase to unlock the secret key for
user: "Bob Bone <bobbone@cowtownu.edu>"
2048-bit ELG-E key, ID AB53B492, created 2001-11-13 (main key ID 3FAD9F1E)

Enter passphrase: My_31337_Passphrase

gpg: encrypted with 2048-bit ELG-E key, ID 42F0A0A0, created 1997-04-07
"Philip R. Zimmermann <prz@pgp.com>"
gpg: encrypted with 2048-bit ELG-E key, ID AB53B492, created 2001-11-13
"Bob Bone <bobbone@cowtownu.edu>"

This is my file.

I have many such files.

But this is the file I'm working with now.

D:\TEMP>

Notice GPG reports that the file (my-file.gpg) was encrypted with both Phil’s key and Bob’s key. GPG automatically recognizes that Bob has the secret key for one of the public keys used to encrypt the file and uses that secret key to decrypt.

It would probably be a good idea to use the "encrypt-to-self" option (--encrypt-to) in your Options file, as it can save you a lot of frustration down the line.

Advertisements
This entry was posted in Computers and Internet. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s