CentOS7 public key encryption steps

Use gpg to create an RSA asymmetric key pair in CentOS7

1. Generate a public/private key pair

[19:40:34 root@localhost ~]#gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: mageyp
Email address: [email protected]
Comment: yp
You selected this USER-ID:
    "mageyp (yp) <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

While gpg is generating the key, the server needs some activity so that the random number generator collects enough entropy. A small loop like the following, run in a second terminal, keeps the disk busy until gpg finishes:

#!/bin/bash
# Keep the system busy while gpg gathers entropy: write a few random bytes
# to a temporary file and delete it again, in a loop. Stop it with Ctrl-C
# once key generation has completed.
while true; do
    dd if=/dev/urandom of=/data/1.txt bs=1 count=50
    rm -f /data/1.txt
done

[19:47:07 root@localhost .gnupg]#gpg --list-key
/root/.gnupg/pubring.gpg
------------------------
pub   2048R/4F1E41EE 2020-09-05
uid                  mageyp (yp) <[email protected]>
sub   2048R/23D8FCD0 2020-09-05

Copy the public key exported by CentOS7 to CentOS8, and encrypt a file in CentOS8 with the public key of CentOS7

Export the public key from centos7

[19:49:00 root@localhost ~]#gpg -a --export -o yp.pubkey
[19:49:14 root@localhost ~]#ls
anaconda-ks.cfg  a.out  for.sh  reset_pro.sh  yp.pubkey  sh.sh

Copy the public key to centos8

[19:53:34 root@localhost ~]#rsync yp.pubkey 10.0.0.8:/root/
The authenticity of host '10.0.0.8 (10.0.0.8)' can't be established.
ECDSA key fingerprint is SHA256:B4GojTG9L1h2MUkoY950+2OuTNePsXfMQMtcFn6Z3YE.
ECDSA key fingerprint is MD5:67:05:02:31:bc:fc:06:c5:a3:6e:77:49:d9:41:55:98.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.8' (ECDSA) to the list of known hosts.
[email protected]'s password: 

Import the centos7 public key on centos8

[19:59:29 root@localhost ~]#gpg --import yp.pubkey 
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key B28657F84F1E41EE: public key "mageyp (yp) <[email protected]>" imported
gpg: Total number processed: 1
gpg:               imported: 1
[19:59:51 root@localhost ~]#gpg --list-key
/root/.gnupg/pubring.kbx
------------------------
pub   rsa2048 2020-09-05 [SC]
      23C54C1023BEDCFC154D922BB28657F84F1E41EE
uid           [ unknown] mageyp (yp) <[email protected]>
sub   rsa2048 2020-09-05 [E]

Encrypt files with centos7 public key

[20:02:24 root@localhost ~]#gpg -e -r mageyp fstab 
gpg: A7F1902A23D8FCD0: There is no assurance this key belongs to the named user
sub  rsa2048/A7F1902A23D8FCD0 2020-09-05 mageyp (yp) <[email protected]>
 Primary key fingerprint: 23C5 4C10 23BE DCFC 154D  922B B286 57F8 4F1E 41EE
      Subkey fingerprint: B9C3 A877 E2CC 0047 238A  8FAE A7F1 902A 23D8 FCD0

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y
[20:02:46 root@localhost ~]#ls
anaconda-ks.cfg  fstab  fstab.gpg  yp.pubkey

Back on the CentOS7 server, copy the encrypted file (fstab.gpg here) from CentOS8 to the local machine and decrypt it with the CentOS7 private key

Copy the encrypted file back to centos7

[20:06:05 root@localhost ~]#scp 10.0.0.8:/root/fstab.gpg .
[email protected]'s password: 
fstab.gpg                                                                 100%  736   671.1KB/s   00:00 

Decrypt files

[20:08:13 root@localhost ~]#ls
anaconda-ks.cfg  a.out  for.sh  fstab.gpg  reset_pro.sh  yp.pubkey  sh.sh
[20:08:13 root@localhost ~]#gpg -o fstab -d fstab.gpg

You need a passphrase to unlock the secret key for
user: "mageyp (yp) <[email protected]>"
2048-bit RSA key, ID 23D8FCD0, created 2020-09-05 (main key ID 4F1E41EE)

gpg: encrypted with 2048-bit RSA key, ID 23D8FCD0, created 2020-09-05
      "mageyp (yp) <[email protected]>"
[20:08:35 root@localhost ~]#cat fstab

#
# /etc/fstab
# Created by anaconda on Tue Jun 16 05:51:09 2020
#
# Accessible filesystems, by reference, are maintained under '/dev/disk/'.
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info.
#
# After editing this file, run 'systemctl daemon-reload' to update systemd
# units generated from this file.
#
UUID=0b1d1b8f-94f6-4836-9d2e-f389285b1712 /                       xfs     defaults        0 0
UUID=b90ac8b3-971f-4aba-9fab-baf955ce8290 /boot                   ext4    defaults        1 2
UUID=7cd49207-7801-4ea9-a208-11c170cfd976 /data                   xfs     defaults        0 0
UUID=d757fe53-a30f-4cc9-9cc7-0a50f835fe56 swap                    swap    defaults        0 0
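The same round trip, added here as an example that is not part of the original post: key generation, export, import, encryption and decryption run unattended in two throwaway GnuPG homes, with the imported key's fingerprint compared against the owner's before it is used, instead of answering "Use this key anyway? y" as in the walkthrough. It assumes GnuPG 2.1 or later (for %no-protection); the user ID, directories and file contents are constructed for the demo.

```bash
#!/bin/bash
# Added example, not from the original post. Assumes GnuPG 2.1+ (%no-protection);
# the user ID, paths and file content below are constructed for the demo.
set -eu
# primary_fpr: read `gpg --with-colons --fingerprint` output on stdin and print
# the primary key's fingerprint (field 10 of the first "fpr" record after "pub";
# later "fpr" records belong to subkeys, e.g. the [E] key the blog encrypts to).
primary_fpr() {
    awk -F: '$1=="pub"{want=1} $1=="fpr" && want{print $10; exit}'
}
# fpr_matches EXPECTED < colon-output: 0 when the imported key's primary
# fingerprint equals EXPECTED (spaces and letter case ignored), 1 otherwise.
fpr_matches() {
    local want got
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    got=$(primary_fpr | tr 'a-f' 'A-F')
    [ -n "$got" ] && [ "$got" = "$want" ]
}
# roundtrip WORKDIR: generate in WORKDIR/h1 (the key owner, "CentOS7" above),
# export, import into WORKDIR/h2 (the sender, "CentOS8"), check the fingerprint,
# encrypt on h2, decrypt on h1 and compare. Non-zero exit on any failure.
roundtrip() {
    local h1="$1/h1" h2="$1/h2" uid="demo <demo@example.invalid>" fpr
    mkdir -p "$h1" "$h2"; chmod 700 "$h1" "$h2"
    # Batch form of the interactive answers: RSA and RSA, 2048 bits, no expiry.
    gpg --homedir "$h1" --batch --quiet --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: demo
Name-Email: demo@example.invalid
Expire-Date: 0
%commit
EOF
    gpg --homedir "$h1" --armor --export "$uid" > "$1/demo.pubkey"
    gpg --homedir "$h2" --batch --quiet --import "$1/demo.pubkey"
    # The owner's own listing stands in for the out-of-band fingerprint read-out;
    # compare it with what arrived instead of answering "Use this key anyway? y".
    fpr=$(gpg --homedir "$h1" --with-colons --fingerprint "$uid" | primary_fpr)
    gpg --homedir "$h2" --with-colons --fingerprint "$uid" | fpr_matches "$fpr"
    printf 'UUID=constructed / xfs defaults 0 0\n' > "$1/fstab"
    # --trust-model always replaces that prompt only because the check above passed.
    gpg --homedir "$h2" --batch --trust-model always -r "$uid" -o "$1/fstab.gpg" -e "$1/fstab"
    gpg --homedir "$h1" --batch --quiet -o "$1/fstab.dec" -d "$1/fstab.gpg"
    cmp -s "$1/fstab" "$1/fstab.dec"
}
if [ "${1-}" = "--run" ]; then roundtrip "$(mktemp -d)"; fi
```

Run it as `bash roundtrip.sh --run`; a fingerprint mismatch makes the script stop before anything is encrypted.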

Origin blog.csdn.net/u014578909/article/details/108436844