Also, not every mailbox or mail client supports PGP encryption; for example, neither web Gmail nor the Foxmail client does. In that case you can PGP-encrypt the content you want to send (as a file) and then transmit the encrypted result as "plain text". In this article my environment is ubuntu edgy 6.06, and the client software is Mutt 1.5.12 (2006-07-14).
root@fwolf:~/.gnupg$ gpg --gen-key
gpg (GnuPG); Copyright (C) 2005 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
Please select what kind of key you want: (choose the key type; 2 and 5 can only be used for digital signatures, not for encryption)
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits. (the DSA key length is fixed at 1024 bits)
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096 (the ELG-E key size is adjustable; I chose the longest, since longer means harder to break)
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n>  = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0 (set the key to never expire)
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and E-mail Address in this form:
"Heinrich Heine (Der Dichter) "
Real name: Fwolf
E-mail address: fwolf's mailbox@gmail.com
Comment: Fwolf MaGod
You selected this USER-ID:
"Fwolf (Fwolf MaGod) "
Change (N)ame, (C)omment, (E)-mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, use the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, use the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key B7D37EE7 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 1024D/B7D37EE7 2007-01-08
Key fingerprint = 0C5F AD53 05B3 E1D8 8D33 B6A8 4970 34B8 B7D3 7EE7
uid Fwolf (Fwolf MaGod)
sub 4096g/D4CF3DF0 2007-01-08
The key pair is now generated and automatically stored as ultimately trusted on this machine (sending mail to yourself is of course "trusted"). Above, 1024D/B7D37EE7 is the length and ID of the DSA primary key (used for signing and certifying) and 4096g/D4CF3DF0 is the length and ID of the ElGamal subkey (used for encryption). The Key fingerprint (that long string that looks like a Windows product key) is the fingerprint of the DSA public key; like the ID it can be used to fetch your public key, and it is the one you should rely on: the 8-digit ID is just the last 32 bits of the fingerprint, so two different keys can easily share it, and anyone receiving your key should compare the full fingerprint with you out of band. Where do you fetch it from? There are many GnuPG public keyservers on the net; people upload their public keys there so that anyone who wants to write to them can download the key instead of asking the recipient for it directly. Better still, these keyservers replicate among themselves, so once you upload to one you can (after replication has caught up) download from any of the others. Keyservers do not check who uploads what, though: a key found there under your name and address is not proof that it is yours, which is again why the fingerprint matters. Since this key was created with no expiry date, it is also worth generating a revocation certificate now (gpg --gen-revoke) and keeping it offline, so the key can be retired if the passphrase is forgotten or the secret key is stolen.
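As an added example (not part of the original post) of what the IDs and fingerprint above actually are, the Python below derives the long and short key IDs from a v4 fingerprint, computes a v4 fingerprint the way RFC 4880 defines it, and shows how cheaply a different key can be made whose fingerprint ends in the same digits by varying only the creation timestamp. The DSA parameters used to build the demo packet are constructed placeholders, not a real key; the two fingerprints are the ones printed in this article.

```python
"""Added example (not from the original post): how the IDs gpg prints
(1024D/B7D37EE7) relate to the fingerprint, and why the 8-digit ID is
not a safe way to identify a key.  DEMO_* values are CONSTRUCTED
placeholders, not a real DSA key."""
import hashlib
import struct

# Fingerprints exactly as printed in the transcripts in this article.
FWOLF_FPR = "0C5F AD53 05B3 E1D8 8D33 B6A8 4970 34B8 B7D3 7EE7"
JUSTIN_FPR = "2231 DFF0 869E E3A5 885A E7D4 F787 7A2B C9C4 0C31"


def normalize_fingerprint(fpr: str) -> str:
    """Strip the display grouping and case so fingerprints compare reliably."""
    return "".join(fpr.split()).upper()


def long_key_id(fpr: str) -> str:
    """Long (64-bit) key ID: the last 16 hex digits of a v4 fingerprint."""
    return normalize_fingerprint(fpr)[-16:]


def short_key_id(fpr: str) -> str:
    """Short (32-bit) key ID as shown in '1024D/B7D37EE7': last 8 hex digits."""
    return normalize_fingerprint(fpr)[-8:]


def fingerprint_matches(expected: str, actual: str) -> bool:
    """What to check after --recv-keys: the whole fingerprint, not the ID."""
    return normalize_fingerprint(expected) == normalize_fingerprint(actual)


def mpi(n: int) -> bytes:
    """OpenPGP multi-precision integer: 2-byte bit length, then big-endian magnitude."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def dsa_public_key_body(created: int, p: int, q: int, g: int, y: int) -> bytes:
    """Body of a v4 public-key packet for algorithm 17 (DSA): version byte,
    32-bit creation time, algorithm byte, then the MPIs p, q, g, y."""
    return b"\x04" + struct.pack(">I", created) + b"\x11" + mpi(p) + mpi(q) + mpi(g) + mpi(y)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the 2-byte body length, and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


# Constructed, non-prime placeholder values: enough to form a packet, useless as a key.
DEMO_P = 0xC0FFEE1234567890ABCDEF
DEMO_Q = 0xDEADBEEF01
DEMO_G = 0x02
DEMO_Y = 0x1234567890ABCDEF


def collide_low_hex_digits(target_fpr: str, digits: int, max_tries: int = 1 << 20):
    """Vary only the creation timestamp of the demo key until the fingerprint's
    last `digits` hex digits equal the target's.  Each try costs one SHA-1, so
    matching the full 8-digit short ID is about 2^32 tries: affordable for an
    attacker who wants a key that shows up as B7D37EE7 on a keyserver search."""
    want = normalize_fingerprint(target_fpr)[-digits:]
    for created in range(1, max_tries + 1):
        fpr = v4_fingerprint(dsa_public_key_body(created, DEMO_P, DEMO_Q, DEMO_G, DEMO_Y))
        if fpr.endswith(want):
            return created, fpr
    return None


if __name__ == "__main__":
    print("long id", long_key_id(FWOLF_FPR), "short id", short_key_id(FWOLF_FPR))
    created, fpr = collide_low_hex_digits(FWOLF_FPR, 3)
    print("after", created, "timestamps a constructed key ends in", fpr[-3:], "->", fpr)
```

Matching three hex digits takes a few thousand SHA-1 calls; each extra digit multiplies the work by 16, which is why the short ID, and to a lesser degree the long ID, must never substitute for checking the whole fingerprint.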
root@fwolf:~/.gnupg$ gpg --search-keys fwolf's mailbox@gmail.com
gpg: searching for "fwolf's mailbox@gmail.com" from hkp server wwwkeys.nl.pgp.net
gpg: key "fwolf's mailbox@gmail.com" not found on keyserver
root@fwolf:~/.gnupg$ gpg --keyserver hkp://wwwkeys.nl.pgp.net --send-keys B7D37EE7
gpg: sending key B7D37EE7 to hkp server wwwkeys.nl.pgp.net
Uploading is simple and quick; once it is done, search again:
root@fwolf:~/.gnupg$ gpg --search-keys fwolf's mailbox@gmail.com
gpg: searching for "fwolf's mailbox@gmail.com" from hkp server wwwkeys.nl.pgp.net
(1) Fwolf (Fwolf MaGod)
    1024 bit DSA key B7D37EE7, created: 2007-01-08
Keys 1-1 of 1 for "fwolf's mailbox@gmail.com". Enter number(s), N)ext, or Q)uit > 1
gpg: requesting key B7D37EE7 from hkp server wwwkeys.nl.pgp.net
gpg: key B7D37EE7: "Fwolf (Fwolf MaGod) " not changed
gpg: Total number processed: 1
gpg: unchanged: 1
Related commands: list your secret keys, export the public key (ASCII-armored, for sending to others), export the secret key for backup (guard that file as carefully as the key itself), and import a key from a file:
$ gpg --list-secret-keys
$ gpg --export --armor Fwolf
$ gpg --export-secret-keys --armor Fwolf
gpg --allow-secret-key-import --import [filename]
The --allow-secret-key-import option is described in the documentation as obsolete and should be safe to drop; gpg detects on its own whether a secret key is being imported.
cp /usr/share/doc/mutt/examples/gpg.rc ~/.mutt/
source ~/.mutt/gpg.rc
# Sign every outgoing mail with PGP
set pgp_autosign=yes
set pgp_sign_as=0xB7D37EE7
# Seconds for which mutt caches the passphrase, so you need not re-enter it
set pgp_timeout=1800
# Verify PGP signatures on incoming mail automatically and show the result
set pgp_verify_sig=yes
When composing, mutt asks:
PGP (e)ncrypt, (s)ign, sign (a)s, (b)oth, (i)nline, or (c)lear?
If it then fails with
sh: pgpewrap: command not found
mutt cannot find pgpewrap, which Ubuntu installs under /usr/lib/mutt rather than on the PATH; a symlink fixes it:
sudo ln -s /usr/lib/mutt/pgpewrap /usr/bin/pgpewrap
$ gpg --edit-key Justin (specify which public key to edit)
gpg (GnuPG); Copyright (C) 2005 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
pub 1024D/C9C40C31 created: 2001-05-25 expires: never usage: CSA
trust: unknown validity: unknown
sub 1024g/59FAB546 created: 2001-05-25 expires: never usage: E
[ unknown] (1). Justin R. Miller
[ revoked] (2) Justin R. Miller
[ revoked] (3) Justin R. Miller
Command> 1 (select user ID 1; 2 and 3 are Justin's old, revoked user IDs and are no longer used)
pub 1024D/C9C40C31 created: 2001-05-25 expires: never usage: CSA
trust: unknown validity: unknown
sub 1024g/59FAB546 created: 2001-05-25 expires: never usage: E
[ unknown] (1)* Justin R. Miller
[ revoked] (2) Justin R. Miller
[ revoked] (3) Justin R. Miller
Command> sign (sign this public key? I don't know what that means either)
pub 1024D/C9C40C31 created: 2001-05-25 expires: never usage: CSA
trust: unknown validity: unknown
Primary key fingerprint: 2231 DFF0 869E E3A5 885A E7D4 F787 7A2B C9C4 0C31
Justin R. Miller
Are you sure that you want to sign this key with your
key "Fwolf (Fwolf MaGod) " (B7D37EE7)
Really sign? (y/N) y (confirm, then enter the passphrase of your own secret key)
You need a passphrase to unlock the secret key for
user: "Fwolf (Fwolf MaGod) "
1024-bit DSA key, ID B7D37EE7, created 2007-01-08
Command> trust (set how far Justin is trusted to verify other people's keys; this ownertrust value affects the validity of keys that Justin has signed, not whether his own key is valid, which the signature above already settled)
pub 1024D/C9C40C31 created: 2001-05-25 expires: never usage: CSA
trust: unknown validity: unknown
sub 1024g/59FAB546 created: 2001-05-25 expires: never usage: E
[ unknown] (1). Justin R. Miller
[ revoked] (2) Justin R. Miller
[ revoked] (3) Justin R. Miller
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 3 (the trust level)
pub 1024D/C9C40C31 created: 2001-05-25 expires: never usage: CSA
trust: marginal validity: unknown
sub 1024g/59FAB546 created: 2001-05-25 expires: never usage: E
[ unknown] (1). Justin R. Miller
[ revoked] (2) Justin R. Miller
[ revoked] (3) Justin R. Miller
Please note that the shown key validity is not necessarily correct
unless you restart the program.
Command> save (save and quit)
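The sign and trust steps above change two different things, and the difference is easiest to see in gpg's machine-readable listing (gpg --with-colons --list-keys). The following Python is an added example, not code from the original post: it parses two constructed snapshots of that listing for the two keys in this article, one as Justin's key was imported and one after the --edit-key session, and reports what changed. Signing Justin's key with the ultimately trusted local key raises its validity to full, which is what lets gpg encrypt to it without the "It is NOT certain that the key belongs to the person named..." warning; the ownertrust value set with trust only affects how much weight Justin's own signatures on third-party keys carry. The uid hashes, e-mail addresses and subkey long IDs in the snapshots are placeholders.

```python
"""Added example (not from the original post): read `gpg --with-colons
--list-keys` output to see what the `sign` and `trust` commands changed.
BEFORE and AFTER are CONSTRUCTED snapshots shaped like gpg 1.4 output for
the two keys in the article; uid hashes, e-mail addresses and subkey long
IDs are placeholders."""

# Field positions from GnuPG's doc/DETAILS (0-based after split(":")).
REC, VALIDITY, LENGTH, ALGO, KEYID, CREATED, EXPIRES, HASH, OWNERTRUST, UID, SIGCLASS, CAPS = range(12)

VALIDITY_NAMES = {
    "o": "unknown (new key)", "-": "unknown", "q": "undefined", "n": "never",
    "m": "marginal", "f": "full", "u": "ultimate", "r": "revoked",
    "e": "expired", "i": "invalid", "d": "disabled",
}

# Snapshot right after importing Justin's key, before --edit-key.
BEFORE = """\
tru::1:1168243200:0:3:1:5
pub:u:1024:17:497034B8B7D37EE7:2007-01-08:::u:::scaESCA:
fpr:::::::::0C5FAD5305B3E1D88D33B6A8497034B8B7D37EE7:
uid:u::::2007-01-08::0000000000000000000000000000000000000001::Fwolf (Fwolf MaGod) <fwolf@example.invalid>:
sub:u:4096:16:00000000D4CF3DF0:2007-01-08::::::e:
pub:-:1024:17:F7877A2BC9C40C31:2001-05-25:::-:::scaESCA:
fpr:::::::::2231DFF0869EE3A5885AE7D4F7877A2BC9C40C31:
uid:-::::2001-05-25::0000000000000000000000000000000000000002::Justin R. Miller <justin@example.invalid>:
uid:r::::2001-05-25::0000000000000000000000000000000000000003::Justin R. Miller <old1@example.invalid>:
uid:r::::2001-05-25::0000000000000000000000000000000000000004::Justin R. Miller <old2@example.invalid>:
sub:-:1024:16:0000000059FAB546:2001-05-25::::::e:
"""

# Same keyring after `sign` (by the ultimately trusted key) and `trust` -> 3:
# validity of the key, its live uid and its subkey becomes full, ownertrust marginal.
AFTER = BEFORE.replace(
    "pub:-:1024:17:F7877A2BC9C40C31:2001-05-25:::-:",
    "pub:f:1024:17:F7877A2BC9C40C31:2001-05-25:::m:",
).replace("uid:-::::2001-05-25", "uid:f::::2001-05-25").replace(
    "sub:-:1024:16:0000000059FAB546", "sub:f:1024:16:0000000059FAB546")


def parse_keys(text: str):
    """Group pub/fpr/uid/sub records into one dict per primary key."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[REC] == "pub":
            keys.append({"keyid": f[KEYID], "validity": f[VALIDITY],
                         "ownertrust": f[OWNERTRUST], "fpr": "", "uids": [], "subs": []})
        elif f[REC] == "fpr":
            keys[-1]["fpr"] = f[9]
        elif f[REC] == "uid":
            keys[-1]["uids"].append((f[VALIDITY], f[UID]))
        elif f[REC] == "sub":
            keys[-1]["subs"].append((f[VALIDITY], f[KEYID], f[CAPS]))
    return keys


def find_key(keys, key_id: str):
    """Look up by short or long ID (suffix match, as gpg does); refuse ambiguity."""
    hits = [k for k in keys if k["keyid"].endswith(key_id.upper())]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} keys match {key_id}; use the fingerprint")
    return hits[0]


def encrypts_without_prompt(key) -> bool:
    """gpg only uses a key silently when its validity is full or ultimate."""
    return key["validity"] in ("f", "u")


def what_changed(before, after, key_id: str):
    """Fields of one key that differ between two snapshots."""
    b, a = find_key(before, key_id), find_key(after, key_id)
    return {name: (b[name], a[name]) for name in ("validity", "ownertrust") if b[name] != a[name]}


def describe(key) -> str:
    active = [u for v, u in key["uids"] if v != "r"]
    return (f"{key['keyid'][-8:]}: validity={VALIDITY_NAMES[key['validity']]}, "
            f"ownertrust={VALIDITY_NAMES[key['ownertrust']]}, "
            f"{len(active)} active uid(s), {len(key['uids']) - len(active)} revoked")


if __name__ == "__main__":
    for label, snap in (("before", BEFORE), ("after", AFTER)):
        for k in parse_keys(snap):
            print(label, describe(k))
```

Run it and compare the two describe() lines for C9C40C31; B7D37EE7 stays ultimate throughout because it is the local key. The "not necessarily correct unless you restart" notice in the transcript is exactly this recomputation of validity from signatures and ownertrust.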
Then, when you send mail and select the PGP encrypt option, mutt will automatically select the public key matching the recipient, or give you a selection menu; select the correct key and press Enter, and the mail will be sent. One more question: if I don't want to select any public key, or want to abort sending this mail, how do I exit the select-pubkey menu?
Everything You Need To Know To Start Using GnuPG with Mutt is a very good guide; it also explains the principles behind gpg encryption, why to use signing and encryption, and so on.