
Linux/Security

Document encryption/decryption - Gnupg


gnupg - Private & Public Key


-------------------------------------------------------------------

http://www.gnupg.org/

http://www.gnupg.org/download/index.en.html

-------------------------------------------------------------------


1. Checking the installation - it is installed by default.

 
[root@server3 ~]# rpm -qa | grep gnupg
gnupg-1.4.5-13

[root@server3 ~]# rpm -ql gnupg
/usr/bin/gpg
/usr/bin/gpg-zip
/usr/bin/gpgsplit
/usr/bin/gpgv
/usr/bin/lspgpot
/usr/lib/gnupg

- (output truncated)

/usr/share/man/man1/gpg.1.gz
/usr/share/man/man1/gpg.ru.1.gz
/usr/share/man/man1/gpgv.1.gz
/usr/share/man/man7/gnupg.7.gz

[root@server3 ~]# rpm -qi gnupg
Name        : gnupg                        Relocations: (not relocatable)
Version     : 1.4.5                             Vendor: CentOS
Release     : 13                            Build Date:
Install Date:       Build Host: builder4.centos.org
Group       : Applications/System           Source RPM: gnupg-1.4.5-13.src.rpm
Size        : 4696639                          License: GPL
Signature   : DSA/SHA1, Wed 11 Apr 2007 09:06:36 PM, Key ID a8a447dce8562897
URL         : http://www.gnupg.org/
Summary     : A GNU utility for secure communication and data storage.
Description :
GnuPG (GNU Privacy Guard) is a GNU utility for encrypting data and creating
digital signatures. GnuPG has advanced key management capabilities and is
compliant with the proposed OpenPGP Internet standard described in RFC2440.
Since GnuPG does not use any patented algorithm, it is not compatible with any
version of PGP2 (PGP2.x uses IDEA for symmetric-key encryption, which is
patented worldwide).




2. Generate a private key and public key on each server

 
[root@server3 ~]# gpg --gen-key - generates the key pair.
gpg (GnuPG) 1.4.5; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
Please select what kind of key you want: - choose the key type (option 1 gives a DSA signing key plus an Elgamal encryption subkey)
   (1) DSA and Elgamal (default)
   (2) DSA (sign only)
   (5) RSA (sign only)
Your selection? enter(default)

DSA keypair will have 1024 bits. - set the key size (1024-bit DSA with SHA-1 is what gpg 1.4.5 offers; it is below today's minimums, so on a current GnuPG choose RSA of at least 2048 bits or an ECC key)
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) enter(default)

Requested keysize is 2048 bits - next, set how long the key stays valid
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) enter(default)

Key does not expire at all
Is this correct? (y/N) y - confirm once more (a key that never expires, as chosen here, stays usable if the secret key leaks and no revocation certificate is at hand; a finite period such as 2y can be extended later and is the safer choice)

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: server3 - set the owner of the key (the user ID)
Email address: root@server3.co.kr
Comment: server3
You selected this USER-ID:
    "server3 (server3) <root@server3.co.kr>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

Enter passphrase:
- This sets the passphrase that protects the secret key. It is asked for twice (entry and confirmation), nothing is echoed while typing, and once it is entered the key-generation progress below appears.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
+++++.+++++.+++++++++++++++..++++++++++++++++++++++++++++++.+++++.++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++>++++++++++....>+++++.................................................+++++

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 243 more bytes)
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
.++++++++++++++++++++.+++++++++++++++.++++++++++.+++++.+++++++++++++++++++++++++++++++++++..+++++++++++++++++++++++++++++++++++..+++++++++++++++++++++++++>..++++++++++>..+++++>+++++.......................>.+++++...............................................................................................................+++++^^^^^^^^^^^
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key A5848724 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   1024D/A5848724 2009-02-05
      Key fingerprint = 56F8 A598 0D3A 98FB 1951  E890 416F 2670 A584 8724
uid                  server3 (server3) <root@server3.co.kr>
sub   2048g/E96020AA 2009-02-05

[root@server3 ~]# ls -la
drwx------  2 root root      4096 Feb  5 09:37 .gnupg
[root@server3 ~]# cd .gnupg
[root@server3 .gnupg]# pwd
/root/.gnupg
[root@server3 .gnupg]# ls
gpg.conf  pubring.gpg  pubring.gpg~  random_seed  secring.gpg  trustdb.gpg




3. Listing and exporting the public key

 
Listing the public keys

[root@server3 .gnupg]# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub   1024D/A5848724 2009-02-05
uid                  server3 (server3) <root@server3.co.kr>
sub   2048g/E96020AA 2009-02-05


Exporting the public key (this writes the binary OpenPGP format; add --armor when the file has to survive e-mail or copy-and-paste)

[root@server3 .gnupg]# gpg --output server3.gpg --export server3
[root@server3 .gnupg]# ls
gpg.conf     pubring.gpg~  secring.gpg  trustdb.gpg
pubring.gpg  random_seed   server3.gpg




4. Importing each other's public key

 
[root@server3 .gnupg]# scp 10.10.33.2:/root/.gnupg/server2.gpg /root/.gnupg/
root@10.10.33.2's password:
server2.gpg                                  100% 1162     1.1KB/s   00:00   
[root@server3 .gnupg]# ls
gpg.conf     pubring.gpg~  secring.gpg  server3.gpg  trustdb.gpg
pubring.gpg  random_seed   server2.gpg 

[root@server3 .gnupg]# gpg --import server2.gpg
gpg: key AD0EEFAE: public key "server2 (server2) <root@server2.co.kr>" imported
gpg: Total number processed: 1
gpg:               imported: 1
[root@server3 .gnupg]# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub   1024D/A5848724 2009-02-05
uid                  server3 (server3) <root@server3.co.kr>
sub   2048g/E96020AA 2009-02-05

pub   1024D/AD0EEFAE 2009-02-05
uid                  server2 (server2) <root@server2.co.kr>
sub   2048g/EE5BF6F2 2009-02-05




5. Encrypting the document

 
Document encryption

[root@server3 .gnupg]# vi test3.txt
[root@server3 .gnupg]# cat test3.txt
HI!!
Good Morning today.
[root@server3 .gnupg]# ls
gpg.conf     pubring.gpg~  secring.gpg  server3.gpg  trustdb.gpg
pubring.gpg  random_seed   server2.gpg  test3.txt
[root@server3 .gnupg]# gpg --output en_test3.txt --encrypt --recipient server2 test3.txt
gpg: EE5BF6F2: There is no assurance this key belongs to the named user

pub  2048g/EE5BF6F2 2009-02-05 server2 (server2) <root@server2.co.kr>
 Primary key fingerprint: A092 0537 FBEE 87A8 1900  965B BF01 23A9 AD0E EFAE
      Subkey fingerprint: 022A E9D0 0A38 CAFE 94E7  A8C8 5188 6A02 EE5B F6F2

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y - gpg asks because server2's key was imported but never verified: nothing ties the user ID to the key except a file that arrived over scp. Before answering y, compare the primary key fingerprint printed above with what server2 shows for gpg --fingerprint server2 over a channel you trust (console, phone), then sign the key locally with gpg --lsign-key server2 so gpg stops asking. Answering y without that check means encrypting to whoever was able to supply the file.
[root@server3 .gnupg]# ls
en_test3.txt  pubring.gpg   random_seed  server2.gpg  test3.txt
gpg.conf      pubring.gpg~  secring.gpg  server3.gpg  trustdb.gpg

[root@server3 .gnupg]# scp en_test3.txt 10.10.33.2:/root/.gnupg/
root@10.10.33.2's password:
test3.txt                                    100%   25     0.0KB/s   00:00   
[root@server3 .gnupg]# vi en_test3.txt - the encrypted file server3 produced (encrypted with server2's public key); the binary content below is unreadable by design
<85>^B^N^CQ<88>j^Bî[öò^P^Gý^P@2<8c>jFW`<86><9f>^[<94>§<8e><89>ViJ<9f>:<80>Xr^Wàºß3^[v&Èzwo^Tü°è"(ÚÏ7~Ø^ZÈ<94>z<8b>Wàîs©Ï¬`ñæ=­e_Cþ<98>æ]<9e>@76 ^RRÔuK

- (output truncated)




6. Decrypting the document

 
[root@server3 .gnupg]# vi en_korea.txt - the encrypted file received from server2
<85>^B^N^C3|n¡é` ª^P^H^@·±^[ò趿öÇ<99>¤6NëÓ<83>Ï"X<8b>2ÕSÔ±?<83>£AßfÒÞZ¢K#<9d><8d>^Q8Û,^Wή<85><85>Ù^^t<82>¶1êêÂ<92>nµäç¿e^R½©<<8f>°<88>^W^S<83>@³â^^k©^T       ^_^SÔ&^EÉÿ7Ë^D<8a>      F<98><97>O`Á^ByÇA»óih^\bn^[

[root@server3 .gnupg]# gpg --output korea.txt --decrypt en_korea.txt

You need a passphrase to unlock the secret key for
user: "server3 (server3) <root@server3.co.kr>"
2048-bit ELG-E key, ID E96020AA, created 2009-02-05 (main key ID A5848724)

Enter passphrase: - enter the passphrase that protects server3's own private key (set in step 2); it is the passphrase that is typed, not the private key itself.

gpg: encrypted with 2048-bit ELG-E key, ID E96020AA, created 2009-02-05
      "server3 (server3) <root@server3.co.kr>"
[root@server3 .gnupg]# ls
en_korea.txt  gpg.conf   pubring.gpg   random_seed  server2.gpg  test3.txt
en_test3.txt  korea.txt  pubring.gpg~  secring.gpg  server3.gpg  trustdb.gpg
[root@server3 .gnupg]# vi korea.txt
[root@server3 .gnupg]# cat korea.txt
korea fighting