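Some people think email and mailboxes are very private things: without my password, how could anyone open my mailbox or read my mail? This is badly mistaken. I'm telling you, no matter how complex your mailbox password is, mail is generally stored on the server in plaintext, and anyone with file read permission on the server can generally read it. In addition, mail passes through many mail servers in transit (the mail headers record every mail server the message passed through), and each of those servers can keep a copy for itself, not to mention an attacker closer to you running a sniffer. So if you don't want your mail to leak, you have to encrypt it.
There are many ways to encrypt mail. Some people compress the file with a password using an archiver and call that encryption; it works, but you still have to tell the other person the password. PGP encryption, which is based on asymmetric (public-key) algorithms, is much more convenient: you publish your public key, others encrypt with that public key when they send you mail, and the message can then only be opened with the private key that you alone hold. PGP is commercial software, but GNU provides a free replacement for it: gnupg.
Also, not every mailbox or mail client supports PGP encryption; for example, web Gmail and the Foxmail client do not. In that case you can use PGP to encrypt the content you want to send (as a file) and then send the encrypted result as "plaintext". In this article my environment is ubuntu edgy 6.06, and the client is Mutt 1.5.12 (2006-07-14).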
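The introduction notes that the mail headers record every server a message passed through. The following is an added example, not part of the original post, that reads the Received headers of a constructed message (all hostnames and addresses are made up) and lists which servers handled the unencrypted body and which hops travelled without TLS.

```python
import re
from email import message_from_string

# Constructed message: every hostname, address and id below is made up.
RAW_MAIL = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
    by store.recipient.example with ESMTPS id c3;
    Mon, 8 Jan 2007 10:00:05 +0800
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
    by mx.recipient.example with ESMTP id b2;
    Mon, 8 Jan 2007 10:00:03 +0800
Received: from laptop.local (unknown [203.0.113.5])
    by relay.isp.example with ESMTPSA id a1;
    Mon, 8 Jan 2007 10:00:01 +0800
From: alice@sender.example
To: bob@recipient.example
Subject: quarterly numbers

This body is readable on every server listed above.
"""

# "with" keywords that mean the hop used TLS (RFC 3848 registry).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)(?:.*?\bwith\s+(\w+))?", re.I)

def hops(raw):
    """Return (sender, receiver, protocol) per relay, in the order travelled."""
    msg = message_from_string(raw)
    out = []
    # Each server prepends its own header, so the oldest hop is last.
    for value in reversed(msg.get_all("Received", [])):
        m = HOP.search(" ".join(value.split()))  # unfold continuation lines
        if m:
            out.append((m.group(1), m.group(2), (m.group(3) or "").upper()))
    return out

def plaintext_holders(raw):
    """Every receiving server stored or forwarded the unencrypted body."""
    return [receiver for _, receiver, _ in hops(raw)]

def cleartext_links(raw):
    """Hops whose transport was not TLS, so the content was visible on the wire."""
    return [(s, r) for s, r, proto in hops(raw) if proto not in TLS_PROTOCOLS]

if __name__ == "__main__":
    for sender, receiver, proto in hops(RAW_MAIL):
        print(f"{sender} -> {receiver} [{proto or 'unknown'}]")
    print("cleartext links:", cleartext_links(RAW_MAIL))
```

Even the hops marked as TLS only protect the link; each receiving server still sees the message body unless it was encrypted end to end.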
Gnupg
First, we use gnupg to generate our key pair:
root@fwolf:~/.gnupg$ gpg --gen-key
gpg (GnuPG) 1.4.2.2; Copyright (C) 2005 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
Please select what kind of key you want: (choose the key type; 2 and 5 can only be used for digital signatures, not for encryption)
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits. (the DSA key length is fixed at 1024 bits)
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096 (the ELG-E key length is variable; here I choose the longest, and longer means harder to crack)
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) 0 (set the key to never expire)
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and E-mail Address in this form:
"Heinrich Heine (Der Dichter) "
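(Next, enter the key owner's information. Be sure to get the mailbox right, otherwise how could you sign? Don't get the name wrong either, or the signature will carry someone else's name. The comment can be anything.)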
Real name: Fwolf
E-mail address: fwolf's mailbox@gmail.com
Comment: Fwolf MaGod
You selected this USER-ID:
"Fwolf (Fwolf MaGod) "
Change (N)ame, (C)omment, (E)-mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.
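(Set another password for the private key, as double protection. You can choose not to use one, but unless your computer is very "safe", setting a password is still recommended.)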
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, use the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
++++++++++..++++++++++++++++++++++++++++++.+++++++++++++++++++++++++++++++++++.+++++..++++++++++++++++++++++++++++++.++++++++++..++++++++++>+++++…+++++…………………………………….+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, use the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
..+++++…+++++++++++++++.+++++.+++++…+++++.+++++++++++++++.++++++++++.+++++.++++++++++…+++++..++++++++++..+++++..+++++++++++++++++++++++++++++++++++.+++++++++++++++++++++++++++++++++++>.+++++.++++++++++++++++++++.+++++.+++++++++++++++.+++++>+++++>..+++++>.+++++………………………………………………………………………..+++++^^^^
gpg: key B7D37EE7 marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 1024D/B7D37EE7 2007-01-08
Key fingerprint = 0C5F AD53 05B3 E1D8 8D33 B6A8 4970 34B8 B7D3 7EE7
uid Fwolf (Fwolf MaGod)
sub 4096g/D4CF3DF0 2007-01-08
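The key is now generated and automatically saved as a trusted key on your machine (of course you "trust" mail you send to yourself). The 1024D/B7D37EE7 and 4096g/D4CF3DF0 above are the length and ID of the two kinds of public key. The Key fingerprint of the DSA public key (that long string that looks like a Windows product key) is the fingerprint of the public key; like the ID, it can be used to download your public key. Download from where? It turns out there are many gnupg public key servers on the net. Lots of people upload their public keys there so that others can download them when sending mail, instead of asking the recipient directly. Better still, these key servers are networked and synchronized worldwide: upload to one of them and you can download from any of the others.
To upload the public key we just generated to a key server, first edit the $HOME/.gnupg/gpg.conf file and add one line:
Here I specify a server in the Netherlands, but that doesn't matter, since it syncs automatically to the other servers. Other commonly used keyservers are:
Some keyservers also offer a web interface for searching and downloading other people's public keys. With the keyserver specified, we can first check whether our own public key is already on it:
root@fwolf:~/.gnupg$ gpg --search-keys fwolf's mailbox@gmail.com
gpg: searching for "fwolf's mailbox@gmail.com" from hkp server wwwkeys.nl.pgp.net
gpg: key "fwolf's mailbox@gmail.com" not found on keyserver
Not found, since we haven't uploaded it yet. Now upload:
root@fwolf:~/.gnupg$ gpg --keyserver hkp://wwwkeys.nl.pgp.net --send-keys B7D37EE7
gpg: sending key B7D37EE7 to hkp server wwwkeys.nl.pgp.net
Uploading is simple and quick. Once it is done, search again:
root@fwolf:~/.gnupg$ gpg --search-keys fwolf's mailbox@gmail.com
gpg: searching for "fwolf's mailbox@gmail.com" from hkp server wwwkeys.nl.pgp.net
(1) Fwolf (Fwolf MaGod)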
1024 bit DSA key B7D37EE7, created: 2007-01-08
Keys 1-1 of 1 for "fwolf's mailbox@gmail.com". Enter number(s), N)ext, or Q)uit > 1
gpg: requesting key B7D37EE7 from hkp server wwwkeys.nl.pgp.net
gpg: key B7D37EE7: "Fwolf (Fwolf MaGod) " not changed
gpg: Total number processed: 1
gpg: unchanged: 1
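The server first finds how many keys match the query, then you choose which one to show. The main commands for managing keys locally are:
List my private keys (there can be more than one)
$ gpg --list-secret-keys
Private key file: ~/.gnupg/secring.gpg
Public key file: ~/.gnupg/pubring.gpg
Export the public key
$ gpg --export --armor Fwolf
Export the private key
$ gpg --export-secret-keys --armor Fwolf
The --armor option prints the key in ASCII form; otherwise the screen fills with strange characters.
Import a private key:
gpg --allow-secret-key-import --import [filename]
The --allow-secret-key-import option is documented as obsolete and can probably be dropped; gpg determines by itself whether a private key is being imported.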
Mutt
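The gnupg side is basically done. Next, configure mutt. First copy the sample gpg configuration into your own mutt configuration directory:
cp /usr/share/doc/mutt/examples/gpg.rc ~/.mutt/
Then, in mutt's configuration file ~/.muttrc, add the command that sources this gpg.rc:
source ~/.mutt/gpg.rc
Finally, edit gpg.rc and add the following:
# Sign every outgoing mail with PGP
set pgp_autosign=yes
set pgp_sign_as=0xB7D37EE7
# Within this many seconds you will not need to enter the passphrase again
set pgp_timeout=1800
# Show PGP signature information
set pgp_verify_sig=yes
Now start mutt again. When sending a mail, on the screen that shows the sender, subject and so on, press "p" to open the PGP menu, which looks roughly like this:
PGP (e)ncrypt, (s)ign, sign (a)s, (b)oth, (i)nline, or (c)lear?
e means encrypt, s means sign, a means sign with a non-default key, and b means both encrypt and sign. i selects whether the encryption or signature is embedded directly in the body (inline) or sent as attachments (mime); the mime form is recommended because it is more compatible. c cancels encryption and signing and sends the mail in plaintext.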
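Managing public keys
To send encrypted mail to someone, you first download and import their public key, and pgpewrap is used to manage them. On some systems the path to pgpewrap is wrong, and a manual ln fixes it: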
sh: pgpewrap: command not found
sudo ln -s /usr/lib/mutt/pgpewrap /usr/bin/pgpewrap
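gnupg has a local public-key management mechanism that lets you set a trust level for every imported public key, along with a set of related rules, for example if a public key is trusted by 3 people it is also set to trusted, and so on. Below is only a simple demonstration of configuring an imported public key; the more complex features are probably rarely needed:
$ gpg --edit-key Justin (specify which public key to edit)
gpg (GnuPG) 1.4.2.2; Copyright (C) 2005 Free Software Foundation, Inc.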
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
pub 1024D/C9C40C31 created: 2001-05-25 expires: never usage: CSA
trust: unknown validity: unknown
sub 1024g/59FAB546 created: 2001-05-25 expires: never usage: E
[ unknown] (1). Justin R. Miller
[ revoked] (2) Justin R. Miller
[ revoked] (3) Justin R. Miller
Command> 1 (select public key no. 1; 2 and 3 are Justin's old ones and are no longer used)
pub 1024D/C9C40C31 created: 2001-05-25 expires: never usage: CSA
trust: unknown validity: unknown
sub 1024g/59FAB546 created: 2001-05-25 expires: never usage: E
[ unknown] (1)* Justin R. Miller
[ revoked] (2) Justin R. Miller
[ revoked] (3) Justin R. Miller
Command> sign (sign this public key? I don't know what it means either)
pub 1024D/C9C40C31 created: 2001-05-25 expires: never usage: CSA
trust: unknown validity: unknown
Primary key fingerprint: 2231 DFF0 869E E3A5 885A E7D4 F787 7A2B C9C4 0C31
Justin R. Miller
Are you sure that you want to sign this key with your
key "Fwolf (Fwolf MaGod) " (B7D37EE7)
Really sign? (y/N) y (confirm, and enter the passphrase of your own private key)
You need a passphrase to unlock the secret key for
user: "Fwolf (Fwolf MaGod) "
1024-bit DSA key, ID B7D37EE7, created 2007-01-08
Command> trust (set Justin as someone I "trust"; his public key will be used by default where possible)
pub 1024D/C9C40C31 created: 2001-05-25 expires: never usage: CSA
trust: unknown validity: unknown
sub 1024g/59FAB546 created: 2001-05-25 expires: never usage: E
[ unknown] (1). Justin R. Miller
[ revoked] (2) Justin R. Miller
[ revoked] (3) Justin R. Miller
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 3 (the degree or level of trust)
pub 1024D/C9C40C31 created: 2001-05-25 expires: never usage: CSA
trust: marginal validity: unknown
sub 1024g/59FAB546 created: 2001-05-25 expires: never usage: E
[ unknown] (1). Justin R. Miller
[ revoked] (2) Justin R. Miller
[ revoked] (3) Justin R. Miller
Please note that the shown key validity is not necessarily correct
unless you restart the program.
Command> save (save)
Then, when you send mail and select the PGP encrypt option, mutt will automatically select the public key according to the recipient or give you a selection menu; select the correct key and press Enter, and the mail will be sent. One more question: if I don't want to select any public key, or want to abort sending this mail, how do I exit from the select-pubkey menu?
Now, if the recipient's public key is in your local store, it will be pulled up and used automatically.
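Signing a key in the session above certifies that it really belongs to its owner, so the full fingerprint should first be compared with one obtained from the owner through another channel. The following is an added example, not part of the original post, that does this comparison over a constructed `gpg --with-colons --fingerprint` listing; the second key is made up to show why the 8-digit ID in 1024D/C9C40C31 alone does not identify a key.

```python
PAGE_FPR = "2231 DFF0 869E E3A5 885A E7D4 F787 7A2B C9C4 0C31"  # printed on this page
FAKE_FPR = "A" * 32 + "C9C40C31"  # constructed: same short ID, different key

# Constructed listing in the format of `gpg --with-colons --fingerprint`.
SAMPLE_LISTING = f"""\
pub:-:1024:17:F7877A2BC9C40C31:990748800:::-:::scESCA:
fpr:::::::::2231DFF0869EE3A5885AE7D4F7877A2BC9C40C31:
pub:-:1024:17:{FAKE_FPR[-16:]}:1167609600:::-:::scESCA:
fpr:::::::::{FAKE_FPR}:
"""

def normalize(fpr):
    """Strip spaces and case so printed and machine forms compare equal."""
    cleaned = "".join(fpr.split()).upper()
    if len(cleaned) != 40 or any(c not in "0123456789ABCDEF" for c in cleaned):
        raise ValueError(f"not a 40-hex-digit fingerprint: {fpr!r}")
    return cleaned

def primary_fingerprints(listing):
    """Return the fingerprint of each primary key (the fpr record after pub)."""
    found, after_pub = [], False
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and after_pub and len(fields) > 9:
            found.append(normalize(fields[9]))  # field 10 holds the fingerprint
        after_pub = fields[0] == "pub"
    return found

def same_short_id(listing, short_id):
    """All keys in the listing whose fingerprint ends in the 8-digit key ID."""
    return [f for f in primary_fingerprints(listing) if f.endswith(short_id.upper())]

def key_to_sign(listing, out_of_band_fpr):
    """Return the full fingerprint to pass to --edit-key, or refuse."""
    expected = normalize(out_of_band_fpr)
    if expected not in primary_fingerprints(listing):
        raise LookupError("no imported key has the fingerprint the owner gave you")
    return expected

if __name__ == "__main__":
    print("keys sharing C9C40C31:", same_short_id(SAMPLE_LISTING, "C9C40C31"))
    print("sign only:", key_to_sign(SAMPLE_LISTING, PAGE_FPR))
```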
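Limitations
I have been using gnupg for a while now, mostly for signing and sometimes for sending encrypted mail, and it works reasonably well; the only thing is that when mutt receives a mail that is both encrypted and signed, the display gets rather messy. There is one more loss: if, as before, you send confidential content encrypted with gnupg to your own Gmail mailbox, Gmail can only show a pile of gibberish (it is encrypted, after all), and search will certainly not find it, except by subject, since gnupg generally does not encrypt the subject.
References:
Everything You Need To Know To Start Using GnuPG with Mutt: a very good guide that also explains how gpg encryption works, why to use signing and encryption, and so on.
mutt+gnupg in practice
Source: http://www.fwolf.com/blog/post/302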