GPG 생성해보기!
GnuPG(GNU Privacy Guard)는 PGP(Pretty Good Privacy)를 대체하는 암호화/복보화 프로그램이다. 완전히 무료이고, OpenPG 표준인 RFC4880을 따른다.
자세한 사항은 https://www.gnupg.org/ 에서 확인 할 수 있다.
GnuPG Key 생성
GPG 개인키(private key)를 생성해보자.
gpg --gen-key 생성한 결과는 아래와 같다.
root@python:/home# gpg --gen-key
gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: kmkim
Email address: kwangmyung.kim@gmail.com
Comment: kmkim
You selected this USER-ID:
"kmkim (kmkim) <kwangmyung.kim@gmail.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.
passphrase not correctly repeated; try again.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.......+++++
...+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.........+++++
.+++++
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 3C86E014 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 2048R/3C86E014 2017-08-08
Key fingerprint = B6D2 95AF D537 6616 F4D2 E33D 5BA8 7888 3C86 E014
uid kmkim (kmkim) <kwangmyung.kim@gmail.com>
sub 2048R/5A4B24B5 2017-08-08GnuPG Key 목록 보기
gpg –gen-key로 키를 생성하고 난 뒤 키는 ~/.gnupg/ 디렉토리에 만들어진다. 생성된 키를 확인하기 위해서는 다음과 같이 확인할 수 있다
공개키(public key)를 확인하기 위해서는 –list-keys 옵션으로 확인할 수 있다.
gpg –list-keys
개인키(private key)를 확인하기 위해서는 –list-secret-keys 옵션으로 확인할 수 있다.
root@python:/home# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub 2048R/3C86E014 2017-08-08
uid kmkim (kmkim) <kwangmyung.kim@gmail.com>
sub 2048R/5A4B24B5 2017-08-08gpg –list-secret-keys
root@python:/home# gpg --list-secret-keys
/root/.gnupg/secring.gpg
------------------------
sec 2048R/3C86E014 2017-08-08
uid kmkim (kmkim) <kwangmyung.kim@gmail.com>
ssb 2048R/5A4B24B5 2017-08-08gpg Key를 사용하여 파일 암호화하기
개인키를 생성했으니 이제 키 기반으로 파일을 암호화해보자. 예제를 위해 /home/seed/ test.data 파일을 만들었다.
root@python:/home/seed# cat test.data
Have an awesome day!gpg –encrypt 명령어를 사용하여 파일을 암호화 한다. 이때 –recipient 옵션에 키를 생성할 때 입력한 ID를 입력한다.
gpg --output <암호화될파일이름> --encrypt --recipient <ID> <암호화할파일이름>나의 경우는 kmkim 이다. 위에서 확인 가능
gpg --output /home/seed/test.data.gpg --encrypt --recipient kmkim /home/seed/test.data아래와 같이 gpg 파일이 생성된것을확인 할 수 있다.
root@python:/home/seed# ls
test.data test.data.gpg암호화된것을 볼 수 있다.
root@python:/home/seed# cat test.data.gpg
�
��.oZK$��S<�!��ɶm����� (��i�����v,!?����x�2
ڽ�&��N���Y�1�j�߲���$E0�k0�
�;�;U�/�Fˉ���I�g�7��.4~_^uT�!�/�kJ�Ʊ~�j8_;m�w�� ��0}5$����+�eu����5�Po@#�
�a�Ͻ�,�ďyWsp"a��;�hE�"=�{�����Y�{؈��mՠ�"�4bi&t��o��%���8��Aݮ�j,K��qO�f ^,A�N�Ѧ`�h%���"&�K
Y1�[(�gpg Key를 사용하여 파일 복호화하기
암호화된 파일을 복호화해보자. 기존의 원본파일은 test.data.backup 으로 변경후 복호화해보겠다.
암호화된 파일을 복호화하기 위해서는 gpg –decrypt 옵션을 사용해야한다. 복호화할 때는 개인키(private key)를 생성할 때 설정한 비밀번호를 입력해야 복호화가 된다. 비밀번호를 잘못 입력하면 당연히 복호화가 안된다.
gpg --output <파일이름> --decrypt <암호화된파일이름>root@python:/home/seed# mv /home/seed/test.data /home/seed/test.data.backup
root@python:/home/seed# gpg --output /home/seed/test.data --decrypt /home/seed/test.data.gpg
You need a passphrase to unlock the secret key for
user: "kmkim (kmkim) <kwangmyung.kim@gmail.com>"
2048-bit RSA key, ID 5A4B24B5, created 2017-08-08 (main key ID 3C86E014)
gpg: gpg-agent is not available in this session
gpg: Invalid passphrase; please try again ...
You need a passphrase to unlock the secret key for
user: "kmkim (kmkim) <kwangmyung.kim@gmail.com>"
2048-bit RSA key, ID 5A4B24B5, created 2017-08-08 (main key ID 3C86E014)
gpg: encrypted with 2048-bit RSA key, ID 5A4B24B5, created 2017-08-08
"kmkim (kmkim) <kwangmyung.kim@gmail.com>"복호화된 파일과 내용을 확인 가능하다.
root@python:/home/seed# ls
test.data test.data.backup test.data.gpg
root@python:/home/seed# cat test.data
Have an awesome day!공개키 배포
생성된 키를 다른 서버에서 작업을 하고 싶으면 공개키(public key)를 배포하여 생성된 공개키 기반으로 작업을 할 수 있다.
공개키 Export
gpg --armor --output <파일이름> --export "<ID>"root@python:/home/seed# gpg --armor --output kmkim-gpg.pub --export "kmkim"생성된 파일과 공개키를 확인 할 수 있다.
root@python:/home/seed# ls
kmkim-gpg.pub test.data test.data.backup test.data.gpg
root@python:/home/seed# cat kmkim-gpg.pub
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
mQENBFmJ1IwBCADQAdVdoM7MhbSHOSrVRC56uCFGA28iJqeBYFwqrjNQ/0LXHFUv
T3Q9fhCSH6HoeII+TsZ/NnPyOmEgIDBtzhMSsG71NydhqU7GHNnQMZy/a
--중략 --
YX3OSiuUXW3paSkkqNKHKtrPnFh+N02tG
GMcopngeu5RyohHJaOu3n6rWswJ1a8OiH604PC8b6mde7WBREEaSF4iTlFSAKOWQ
7uZHpcAneUB5oqaNjpXTesgwOA29LELLYNGY0hX39HRGuDjNkT1paFtUUfJBnbkH
tjsKcvRG845d/wgCfeUGZdVh/GdMUqhoskSfLOYFvO060Pe1HYsT34xvXeL44XVp
EODeV4757e1f8z5XNLTUSFi8Uhpo02wqlJO+KhJgHa28FWoAPMytI3+MqwMXF4a/
NshgC03PAVPqfTr+84HYi/J2dU0G9MEKbSaDqJpuHwukBiK5Kv72
=SCZk
-----END PGP PUBLIC KEY BLOCK-----공개키 Import
생성한 공개키를 다른 서버에 전송해서 임포트하여 사용할 수 있다.
docker 를 이용해서 home 디랙토리를 붙여서 컨테이너를 하나 생성한다. 만들어진 파일들이 있는것을 볼 수 있다.
$ docker run -it --name gpg -h gpg -v $(pwd)/home:/home xmlangel/base-ubuntu
root@gpg:/# cd home/
root@gpg:/home# cd seed/
root@gpg:/home/seed# ls
kmkim-gpg.pub test.data test.data.backup test.data.gpg
root@gpg:/home/seed#그럼 Import 시켜보겠다.
root@gpg:/home/seed# gpg --import kmkim-gpg.pub
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 3C86E014: public key "kmkim (kmkim) <kwangmyung.kim@gmail.com>" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)키가 Import 된것을 확인 가능하다.
root@gpg:/home/seed# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub 2048R/3C86E014 2017-08-08
uid kmkim (kmkim) <kwangmyung.kim@gmail.com>
sub 2048R/5A4B24B5 2017-08-08공개키를 가져왔으니 공개키를 가지고 암호화가 가능하다.
root@gpg:/home/seed# gpg --output /home/seed/test.data2.gpg --encrypt --recipient kmkim /home/seed/test.data
gpg: 5A4B24B5: There is no assurance this key belongs to the named user
pub 2048R/5A4B24B5 2017-08-08 kmkim (kmkim) <kwangmyung.kim@gmail.com>
Primary key fingerprint: B6D2 95AF D537 6616 F4D2 E33D 5BA8 7888 3C86 E014
Subkey fingerprint: 1037 E47A 5485 AB3F 4E25 67B8 80B6 2E6F 5A4B 24B5
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N) y
root@gpg:/home/seed# lll
bash: lll: command not found
root@gpg:/home/seed# ls
kmkim-gpg.pub test.data test.data2.gpg하지만 secret key 가 없어 복호화는 안된다.
root@gpg:/home/seed# gpg --output /home/seed/test.data2 --decrypt /home/seed/test.data.gpg
gpg: encrypted with 2048-bit RSA key, ID 5A4B24B5, created 2017-08-08
"kmkim (kmkim) <kwangmyung.kim@gmail.com>"
gpg: decryption failed: secret key not available개인키 Export
개인키(private key)를 배포하여 작업을 할 하려면 개인키를 export 하면된다.
root@python:/home/seed# gpg -armor --output kmkim-gpg.secret --export-secret-keys 'kmkim'
root@python:/home/seed# ls
kmkim-gpg.pub kmkim-gpg.secret개인키 Import
공개키와 마찬가지로 개인키도 Import 하면 된다.
root@gpg:/home/seed# gpg --import kmkim-gpg.secret
gpg: key 3C86E014: secret key imported
gpg: key 3C86E014: "kmkim (kmkim) <kwangmyung.kim@gmail.com>" not changed
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1Import 된것을확인 해본다.
root@gpg:/home/seed# gpg --list-secret-keys
/root/.gnupg/secring.gpg
------------------------
sec 2048R/3C86E014 2017-08-08
uid kmkim (kmkim) <kwangmyung.kim@gmail.com>
ssb 2048R/5A4B24B5 2017-08-08이제 복호화를 진행해보면 정상적으로 복호화가 된다.
root@gpg:/home/seed# gpg --output /home/seed/test.data2 --decrypt /home/seed/test.data.gpg
You need a passphrase to unlock the secret key for
user: "kmkim (kmkim) <kwangmyung.kim@gmail.com>"
2048-bit RSA key, ID 5A4B24B5, created 2017-08-08 (main key ID 3C86E014)
gpg: gpg-agent is not available in this session
gpg: Invalid passphrase; please try again ...
You need a passphrase to unlock the secret key for
user: "kmkim (kmkim) <kwangmyung.kim@gmail.com>"
2048-bit RSA key, ID 5A4B24B5, created 2017-08-08 (main key ID 3C86E014)
gpg: encrypted with 2048-bit RSA key, ID 5A4B24B5, created 2017-08-08
"kmkim (kmkim) <kwangmyung.kim@gmail.com>"
root@gpg:/home/seed# ls
kmkim-gpg.pub kmkim-gpg.secret test.data test.data2 test.data2.gpg test.data.backup test.data.gpg
root@gpg:/home/seed# cat test.data2
Have an awesome day!GPG Key 삭제
생성한 GPG key를 삭제하고 하려면 –delete-secret-key와 –delete-key로 할 수 있다. 키 삭제는 반드시 개인키를 먼저 삭제해야한다.
gpg --delete-secret-key "<ID>"
gpg --delete-key "<ID>"root@gpg:/home/seed# gpg --delete-secret-key "kmkim"
gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
sec 2048R/3C86E014 2017-08-08 kmkim (kmkim) <kwangmyung.kim@gmail.com>
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
root@gpg:/home/seed# gpg --delete-key "kmkim"
gpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub 2048R/3C86E014 2017-08-08 kmkim (kmkim) <kwangmyung.kim@gmail.com>
Delete this key from the keyring? (y/N) y리스트를 확인해보면 삭제된것을확인 가능하다.
root@gpg:/home/seed# gpg --list-secret-keys
root@gpg:/home/seed# gpg --list-keys- 참고자료