Using GPG

Managing public and private keys

How to generate a key pair?

gpg --gen-key

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?

DSA, RSA and Elgamal are the names of public-key algorithms.

  • Choice 1 creates two key pairs, both RSA: a primary key used for signing (and for certifying other keys) and a subkey used for encryption.
  • Choice 2 creates two key pairs: a DSA primary key for signing and an Elgamal subkey for encryption.
  • Choice 3 creates a single DSA key pair that can only sign. DSA cannot encrypt at all, so no encryption key is created.
  • Choice 4 creates a single RSA key pair that can only sign. RSA could encrypt, but the key is flagged sign-only, so gpg will not encrypt to it.

The sign-only choices are for a primary key that is later given an encryption subkey (gpg --edit-key, then addkey) or that is only ever used for signatures; choice 1 is what almost everyone wants. Note that GnuPG 2.2 and later show this menu only for 'gpg --full-generate-key'; plain 'gpg --gen-key' asks just for a name and e-mail address and uses the defaults.

Follow the prompts; at the end it prints something like:

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   4  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 4u
pub   2048D/84A0D639 2018-03-01
      Key fingerprint = A46D 469C 051B 9EA0 F5FE  C4CA 799D A3DC 84A0 D639
uid       [ultimate] abc (Address) <archimedes_newton@163.com>
sub   2048g/50A8A3AA 2018-03-01

The fourth line's '84A0D639' and the seventh line's '50A8A3AA' are the (short) key IDs of the primary key and of the subkey. The 'D' and 'g' after the key size stand for DSA and Elgamal, so this particular output came from choice 2. A short key ID is only the last 32 bits of the fingerprint: compare '84A0 D639' with the end of the fingerprint line. 32-bit IDs are cheap to collide, so wherever it matters, refer to a key by its full 40-digit fingerprint; the IDs are merely abbreviations of it.

How to list your key pairs?

List public keys:

gpg --list-public-keys

List private (secret) keys:

gpg --list-secret-keys

'--list-public-keys' is an alias of the more common '--list-keys'. '--list-secret-keys' shows 'sec'/'ssb' records only for keys whose private half you hold.

What is a key pair? Where is your key pair?

A 'key pair' consists of a public key and a private key.
In GPG, though, what is casually called "a key pair" is a primary key pair plus one or more subkey pairs.

The two keys of a pair are not interchangeable: the private key is the secret, and the public key is derived from it in a way that cannot be reversed. (Textbook RSA is the one case where the two exponents are mathematically symmetric, but in practice the public exponent is small and fixed, and DSA and Elgamal have no such symmetry at all.) So which key is published is not a matter of choice: the key you must keep secret is the private key, and the one you hand out is the public key.

What GPG calls the 'public key', the thing you export and give to others, consists of:

  • the public portion of the primary (certifying and signing) key,
  • the public portions of the subkeys (signing and/or encryption),
  • one or more user IDs that associate the key with a real person,
  • and the self-signatures that bind these parts together.

By default GPG keeps its data under ~/.gnupg; the directory may contain files like these:

.
├── openpgp-revocs.d
│   └── D4CE087C2A16C3EF81BEB9A0A1691041C934895B.rev
├── private-keys-v1.d
│   ├── 0DBEE5E9C5C25E304FC88AA8FFF38EEEB7826311.key
│   └── 8A5B9A60C63E11881D9C778477163BC4FD271B2B.key
├── pubring.kbx
├── pubring.kbx~
├── random_seed
└── trustdb.gpg

'pubring.kbx' is the public keyring: your own public keys and every public key you have imported. The private key material is not in it. Each private key lives in 'private-keys-v1.d/<keygrip>.key' (the file name is the keygrip, not the fingerprint), 'trustdb.gpg' holds your ownertrust settings, and 'openpgp-revocs.d/<fingerprint>.rev' is the revocation certificate GnuPG writes automatically when it generates a key. Back up the whole directory, not just pubring.kbx, and keep it mode 0700.

How to generate a revocation certificate (to announce publicly that a key pair is no longer valid)

If you forget your passphrase, or if your private key is compromised or lost, a revocation certificate can be published to tell others that the public key should no longer be used.
So right after creating a key pair you should generate a revocation certificate for the primary key, while you still can: the certificate is a signature made with the private key, so it cannot be created once the key or its passphrase is gone.

gpg --gen-revoke --output revoke.asc BB2B8D466C53DBC559EABBA1D083B71756A6D115
  • --gen-revoke
    generate a 'revocation certificate'.
  • --output revoke.asc
    write it to the file 'revoke.asc'.
  • BB2B8D46... is the fingerprint of the key to revoke.

GnuPG 2.1 and later already write such a certificate to ~/.gnupg/openpgp-revocs.d/<fingerprint>.rev at key-generation time. Either way, store the certificate offline and out of reach: anyone who obtains it can revoke your key simply by importing it and publishing the result. To use it yourself, 'gpg --import revoke.asc' marks the key as revoked in your keyring; then distribute the now-revoked public key the same way you distributed the key (for example with 'gpg --send-keys').
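The key generation, listing and revocation steps above, done non-interactively in a throw-away keyring so the result can be inspected by a script. This is an added example written for this page, not code from the original page or from GnuPG itself; the user ID, the temporary GNUPGHOME and the empty passphrase are assumptions of the example, and nothing here touches your real ~/.gnupg:

```sh
#!/bin/sh
# Added example, not from the original page: generate a key pair without the
# interactive menu, read its fingerprint and key IDs in script-friendly form,
# and use the revocation certificate GnuPG 2.1+ writes at generation time.
# Everything happens in a throw-away GNUPGHOME; the user ID is made up.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg is not installed, nothing to do" >&2; exit 0; }

GNUPGHOME=$(mktemp -d)            # private (0700) directory, as gpg requires
export GNUPGHOME
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

ALICE="Alice <alice@example.com>"

# Non-interactive counterpart of `gpg --gen-key`: a primary key for
# certification and signing plus an encryption subkey, using this GnuPG
# version's default algorithm, never expiring.  The empty passphrase is only
# acceptable because the key is thrown away at the end of the script.
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "$ALICE" default default never

# --with-colons gives stable, parseable output: the 10th field of the 'fpr'
# record is the 40-hex-digit fingerprint of the primary key.
fingerprint_of() {
    gpg --batch --with-colons --with-fingerprint --list-keys "$1" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Field 2 of the 'pub' record is the key's validity: 'u' = ultimate (your own
# keys), 'f' = full, 'r' = revoked, 'e' = expired, '-' = unknown.
validity_of() {
    gpg --batch --with-colons --list-keys "$1" \
        | awk -F: '$1 == "pub" { print $2; exit }'
}

ALICE_FPR=$(fingerprint_of "$ALICE")
# The key IDs are nothing but the tail of the fingerprint: the last 16 hex
# digits form the long ID, the last 8 the short ID shown by old versions.
# 32 bits are easy to collide, so scripts and people should use the fingerprint.
ALICE_LONG_ID=$(printf '%s\n' "$ALICE_FPR" | cut -c 25-40)
ALICE_SHORT_ID=$(printf '%s\n' "$ALICE_FPR" | cut -c 33-40)

echo "fingerprint $ALICE_FPR  long id $ALICE_LONG_ID  short id $ALICE_SHORT_ID"
echo "validity before revocation: $(validity_of "$ALICE_FPR")"

# GnuPG 2.1+ saves a revocation certificate as openpgp-revocs.d/<FPR>.rev.
# Its armor header is prefixed with ':' so that an accidental import is a
# no-op; strip the colon to apply it.  Importing marks the key revoked in this
# keyring only; publishing the revoked key is what tells everybody else.
REV_FILE="$GNUPGHOME/openpgp-revocs.d/$ALICE_FPR.rev"
revoke_with_stored_certificate() {
    sed 's/^:-----BEGIN/-----BEGIN/' "$REV_FILE" | gpg --batch --quiet --import
}

revoke_with_stored_certificate
echo "validity after revocation:  $(validity_of "$ALICE_FPR")"
```

The colon-prefixed armor header in the stored .rev file is deliberate: it makes the file inert until someone edits it, which is exactly the property you want for a certificate that anyone holding it could use against you.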

How to exchange public keys?

To give your public key to someone, first 'export' it:

gpg --export --output my-public-key.gpg D4CE087C2A16C3EF81BEB9A0A1691041C934895B
  • --export
    export the public key (only the public parts; the private key is never included).
  • --output ...
    the output file name.

You can use the 'file' command to check the file's type:

file my-public-key.gpg

my-public-key.gpg: GPG key public ring, created Tue Feb 23 09:50:34 2021

You can also add '--armor' to 'gpg --export' to get a plain-text (ASCII-armored) file instead of a binary one; it survives e-mail and copy-and-paste, and the conventional extension for it is .asc:

gpg --export --armor --output my-public-key.asc D4CE087C2A16C3EF81BEB9A0A1691041C934895B

Then send the file to the receiver.
The receiver 'imports' it:

gpg --import my-public-key.gpg

and checks that the key is now in the keyring:

gpg --list-public-keys

That is not the last step: the receiver still has to verify that the key really belongs to you, and then tell gpg so. Open the key in the interactive editor:

gpg --edit-key D4CE087C2A16C3EF81BEB9A0A1691041C934895B

The above command puts the receiver into an interactive program.

The receiver runs 'fpr' to show the fingerprint and compares it with the fingerprint you read out over a different channel (in person, by phone, printed on a business card). Comparing it with a fingerprint that arrived in the same e-mail as the key proves nothing, because whoever could replace the key could replace that line too.

gpg> fpr
pub   rsa2048/A1691041C934895B 2021-02-23 iamyou <i@am.you>
 Primary key fingerprint: D4CE 087C 2A16 C3EF 81BE  B9A0 A169 1041 C934 895B

Once the fingerprint matches, the receiver certifies the key with 'sign' (an exportable certification others can see) or 'lsign' (a local one that stays in this keyring). From then on gpg treats the key as valid and stops warning that it may not belong to the named user:

gpg> lsign

'trust' is a different setting: it records ownertrust, that is how much the receiver trusts you to vouch for other people's keys. It does not by itself make your key valid (except when set to 'ultimate', which is meant for your own keys):

gpg> trust

Use 'help' to see all subcommands:

gpg> help
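The exchange described above, played out between two separate keyrings: the sender exports, the receiver imports, compares the fingerprint with a value obtained out of band, and only then certifies the key. This is an added example written for this page, not code from the original page or from GnuPG; the user IDs, the two temporary directories and the "out-of-band" value (taken here straight from the sender's keyring, which in real life would be a phone call or a printed card) are assumptions of the example:

```sh
#!/bin/sh
# Added example, not from the original page: two separate keyrings ("alice" and
# "bob" directories) exchange a public key.  Bob checks the fingerprint of what
# he imported against a value Alice gave him out of band, and only then
# certifies the key so that gpg treats it as valid.  Names, directories and
# the out-of-band value are constructed for the demo.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg is not installed, nothing to do" >&2; exit 0; }

WORK=$(mktemp -d)
ALICE_HOME="$WORK/alice"; BOB_HOME="$WORK/bob"
mkdir -m 700 "$ALICE_HOME" "$BOB_HOME"
trap 'for h in "$ALICE_HOME" "$BOB_HOME"; do GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null || true; done; rm -rf "$WORK"' EXIT

# g HOME ARGS...: run gpg against one party's keyring.  Nothing is shared.
g() { home=$1; shift; GNUPGHOME=$home gpg --batch --quiet "$@"; }

gen_key() {          # gen_key HOME "User <mail>": throw-away key, no passphrase
    g "$1" --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$2" default default never
}
fingerprint_of() {   # fingerprint_of HOME SELECTOR -> primary key fingerprint
    g "$1" --with-colons --with-fingerprint --list-keys "$2" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}
validity_of() {      # validity_of HOME SELECTOR -> field 2 of the 'pub' record
    g "$1" --with-colons --list-keys "$2" \
        | awk -F: '$1 == "pub" { print $2; exit }'
}

gen_key "$ALICE_HOME" "Alice <alice@example.com>"
gen_key "$BOB_HOME"   "Bob <bob@example.com>"

# Alice: export an ASCII-armored public key (the file that gets sent) and read
# her own fingerprint, which she passes to Bob over an independent channel.
g "$ALICE_HOME" --armor --output "$WORK/alice.asc" --export alice@example.com
OUT_OF_BAND_FPR=$(fingerprint_of "$ALICE_HOME" alice@example.com)

# Bob: import the file, then compare the fingerprint of the key he now holds
# with the out-of-band value before doing anything else with it.
import_and_check() { # import_and_check FILE SELECTOR EXPECTED_FPR -> fingerprint, or fails
    g "$BOB_HOME" --import "$1"
    got=$(fingerprint_of "$BOB_HOME" "$2")
    if [ "$got" != "$3" ]; then
        echo "fingerprint mismatch: got '$got', expected '$3'" >&2
        return 1
    fi
    printf '%s\n' "$got"
}

# Bob: certify with a local (non-exportable) signature.  This is what makes
# the key valid; --edit-key's 'trust' sets ownertrust (how far Bob trusts
# Alice to vouch for *other* keys) and does not by itself do that.
certify_locally() { g "$BOB_HOME" --quick-lsign-key "$1"; }

ALICE_FPR_AT_BOB=$(import_and_check "$WORK/alice.asc" alice@example.com "$OUT_OF_BAND_FPR")
echo "before lsign: validity $(validity_of "$BOB_HOME" "$ALICE_FPR_AT_BOB")"
certify_locally "$ALICE_FPR_AT_BOB"
echo "after lsign:  validity $(validity_of "$BOB_HOME" "$ALICE_FPR_AT_BOB")"
```

'--quick-lsign-key' is the non-interactive form of the 'lsign' subcommand in the editor. If the imported file had carried a different key under the same name, 'import_and_check' would fail before any certification happened, which is the whole point of doing the comparison before the signing.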

How to export and import a private key?

A private key is never "exchanged" with someone else; this is for copying your own key to another computer, or for a backup. Export it:

gpg --export-secret-keys --output my-private-key.gpg D4CE087C2A16C3EF81BEB9A0A1691041C934895B
  • --export-secret-keys
    export the private key (the public parts are included as well).
  • --output
    the output file name.

You will be asked for the key's passphrase. The exported file remains protected by that passphrase, but it must still be copied over a channel you control and deleted from intermediate places afterwards; add --armor if it has to travel through e-mail or a clipboard.

On the other machine, import it:

gpg --import my-private-key.gpg

then check the secret keyring:

gpg --list-secret-keys

An imported key starts with unknown ownertrust even though it is your own. Set it to 'ultimate' with 'gpg --edit-key <fingerprint>' and the 'trust' subcommand, so that keys you have certified become valid on that machine as well.

How to delete a key?

Delete a public key:

gpg --delete-key D4CE087C2A16C3EF81BEB9A0A1691041C934895B

Delete a private key:

gpg --delete-secret-key D4CE087C2A16C3EF81BEB9A0A1691041C934895B

If you hold both halves, delete the secret key first: gpg refuses to delete a public key while the matching secret key still exists, and '--delete-secret-and-public-keys' does both in one step. (The documented spellings are '--delete-keys' and '--delete-secret-keys'; gpg accepts unambiguous abbreviations of its long options, which is why the singular forms work.) Deleting is local and silent; if the key is compromised, revoke it as described above rather than merely deleting it, because other people's copies are unaffected.

How to change the private key's passphrase?

First run 'gpg --edit-key':

gpg --edit-key D4CE087C2A16C3EF81BEB9A0A1691041C934895B

then run the subcommand 'passwd':

gpg> passwd

GnuPG 2.1 and later also accept 'gpg --passwd <fingerprint>' directly. The passphrase only protects the key file at rest; changing it does not change the key itself, so it does nothing for a copy that has already been exported or stolen.

How to use GPG to encrypt a file?

Encrypt a file with a public key

If you have a plain-text file 'PlainText.txt', you can encrypt it with a receiver's public key; of course, you must have imported that receiver's public key first.

On the receiver's side, he exports his public key:

gpg --export --output ReceiverPublicKey.gpg D4CE087C2A16C3EF81BEB9A0A1691041C934895B

and sends 'ReceiverPublicKey.gpg' to you.

You import the file:

gpg --import ReceiverPublicKey.gpg

then check its fingerprint and certify it, as described above. Without that, gpg still encrypts, but only after warning that there is no assurance the key belongs to the named user:

gpg --edit-key D4CE087C2A16C3EF81BEB9A0A1691041C934895B
gpg> fpr
gpg> lsign
gpg> quit

then you encrypt your file with his public key:

gpg --encrypt --recipient D4CE087C2A16C3EF81BEB9A0A1691041C934895B --output EncryptedByPublicKey.gpg PlainText.txt
  • --encrypt
    encrypt a file with a public key.
  • --recipient ...
    who the receiver is; the receiver's public key (its encryption subkey) is what the file is encrypted to. Repeat --recipient to encrypt to several people, and include yourself if you want to be able to read the file later.
  • --output ...
    the output file name.
  • The last argument, 'PlainText.txt', is the input file.

You send 'EncryptedByPublicKey.gpg' to the receiver.

On the receiver's side, he decrypts the file with his private key:

gpg --decrypt --output PlainText.txt EncryptedByPublicKey.gpg
  • --decrypt
    decrypt a file.
  • --output ...
    the output file.
  • The last argument is the encrypted file to be decrypted.

The receiver does not need to name his private key on the command line: the encrypted file carries the ID of the key it was encrypted to, and gpg finds the matching private key by itself.

For the same reason '--local-user' is not the way to choose a decryption key: it selects the key used for signing and has no effect on --decrypt. The one case where the receiver must name a key is a message made with --hidden-recipient (the key ID in the file is zeroed out); then he lists candidate keys with --try-secret-key:

gpg --decrypt --try-secret-key D4CE087C2A16C3EF81BEB9A0A1691041C934895B --output PlainText.txt EncryptedByPublicKey.gpg
  • --try-secret-key ...
    a private key to attempt when the message does not say which key it was encrypted to.

Encrypt a file with a symmetric passphrase

Encrypt a file:

gpg --symmetric --output EncryptedByPassword.gpg PlainText.txt
  • --symmetric
    encrypt the file with a passphrase instead of a public key; gpg prompts for it.
  • --output ...
    the output file.
  • The last argument is the file to be encrypted.

Decrypt the file encrypted above:

gpg --decrypt --output PlainText.txt EncryptedByPassword.gpg

The protection is exactly as strong as the passphrase, stretched by gpg's S2K key derivation. A passphrase-encrypted file carries no information about who may decrypt it, so the passphrase itself has to reach the receiver over a separate secure channel. You can choose the cipher explicitly with '--cipher-algo AES256' instead of relying on the version's default.

How to use GPG to sign a file?

We sign with the private key and verify with the public key.

Integrated signature (signature and original file in one)

To sign a file:

gpg --sign --output SignedFile --local-user D4CE087C2A16C3EF81BEB9A0A1691041C934895B PlainText.txt
  • --sign
    sign a file. The output holds the (compressed) original plus the signature in binary form; add --armor for a text file, or use --clearsign to keep the text readable with the signature appended.
  • --output ...
    the output file name.
  • --local-user ...
    which private key to sign with.
  • The last argument is the file to be signed.

Then anyone who has your public key can verify 'SignedFile' and extract the original file:

gpg --decrypt --output PlainText.txt SignedFile
  • --decrypt
    "decrypt" the file; for a file that is only signed this means verifying the signature and writing out the original data. No --recipient is needed (and it would be ignored): the signature records the ID of the key that made it, and gpg looks that key up in the keyring.
  • --output ...
    the output file.
  • The last argument is the signed file to be verified.

He can also just 'verify' the signature without extracting the original:

gpg --verify SignedFile

Read the verification output, not only the exit code. "Good signature" means the signature matches some key in the keyring; you still have to check that the fingerprint printed is the one you expect, and a "WARNING: This key is not certified with a trusted signature" means that key was never verified and certified as described above. Scripts should use '--status-fd' and check the fingerprint in the VALIDSIG line.

Detached signature (a separate signature file)

To create a detached signature:

gpg --detach-sign --output DetachedSignature --local-user D4CE087C2A16C3EF81BEB9A0A1691041C934895B PlainText.txt
  • --detach-sign
    make a detached signature; the output file contains only the signature, not the data.
  • --output ...
    the output file.
  • --local-user ...
    which private key to sign with.
  • The last argument is the file to be signed.

Then anyone who has your public key can verify 'DetachedSignature' against the original 'PlainText.txt':

gpg --verify DetachedSignature PlainText.txt
  • --verify ... ...
    verify the signature against the original file: the first argument is the detached signature, the second is the original file.

'gpg --verify' takes one or two arguments: with a single argument, that argument is an integrated signature; with two, the first is a detached signature and the second is the original file. Detached signatures are what software downloads ship (for example 'foo.tar.gz.sig' next to 'foo.tar.gz'): the data can be used untouched, and any change to it, even a single byte, makes the signature fail to verify.
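The encryption, symmetric and signing procedures above, run end to end in a throw-away keyring with the checks a script should actually make: which key signed the message, and what happens to a detached signature once the data is altered. This is an added example written for this page, not code from the original page or from GnuPG; the user IDs, file names, message text and passphrase are constructed for the demo, and both parties share one keyring only to keep the example short:

```sh
#!/bin/sh
# Added example, not from the original page: encrypt-and-sign a file to a
# recipient, decrypt it while checking *which* key signed it, verify a detached
# signature and watch it fail after the data is altered, and do a symmetric
# round trip with an explicit cipher.  Both parties share one throw-away
# keyring for brevity; user IDs, file contents and the passphrase are made up.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg is not installed, nothing to do" >&2; exit 0; }

GNUPGHOME=$(mktemp -d)
export GNUPGHOME
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME"' EXIT

g() { gpg --batch --quiet --pinentry-mode loopback "$@"; }

for uid in "Alice <alice@example.com>" "Bob <bob@example.com>"; do
    g --passphrase '' --quick-generate-key "$uid" default default never
done
fingerprint_of() {
    g --with-colons --with-fingerprint --list-keys "$1" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}
ALICE_FPR=$(fingerprint_of alice@example.com)
BOB_FPR=$(fingerprint_of bob@example.com)

printf 'constructed sample message\n' > "$GNUPGHOME/plain.txt"

# Alice -> Bob: encrypt to Bob's key and sign with Alice's key in one pass.
# --recipient picks the public key to encrypt to; --local-user the private key
# to sign with.
g --encrypt --sign --recipient "$BOB_FPR" --local-user "$ALICE_FPR" \
    --output "$GNUPGHOME/msg.gpg" "$GNUPGHOME/plain.txt"

# Bob decrypts.  gpg chooses the decryption key from the key ID inside the
# message; the signer is what Bob must check himself.  --status-fd 1 prints
# machine-readable lines; the last field of VALIDSIG is the primary
# fingerprint of the key that made the signature.
decrypt_and_signer() {   # decrypt_and_signer IN OUT -> signer's primary fingerprint
    g --status-fd 1 --decrypt --output "$2" "$1" \
        | awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}
SIGNER=$(decrypt_and_signer "$GNUPGHOME/msg.gpg" "$GNUPGHOME/out.txt")
if [ "$SIGNER" = "$ALICE_FPR" ]; then
    echo "message signed by Alice ($SIGNER)"
else
    echo "unexpected or missing signer: '$SIGNER'" >&2
fi

# Detached signature: data and signature are separate files.
g --detach-sign --local-user "$ALICE_FPR" \
    --output "$GNUPGHOME/plain.sig" "$GNUPGHOME/plain.txt"
verify_detached() { g --verify "$1" "$2" 2>/dev/null; }   # exit 0 only on a good signature

verify_detached "$GNUPGHOME/plain.sig" "$GNUPGHOME/plain.txt" && echo "detached signature: good"

# Change one byte of the data (lower- to upper-case 'c'): same signature, BADSIG.
printf 'Constructed sample message\n' > "$GNUPGHOME/tampered.txt"
verify_detached "$GNUPGHOME/plain.sig" "$GNUPGHOME/tampered.txt" || echo "tampered data: rejected"

# Symmetric round trip.  The passphrase on the command line is fine for a demo
# only; in real use let gpg prompt, or use --passphrase-fd, so the secret stays
# out of the process list and shell history.
PASS='constructed-demo-passphrase'
g --passphrase "$PASS" --symmetric --cipher-algo AES256 \
    --output "$GNUPGHOME/sym.gpg" "$GNUPGHOME/plain.txt"
g --passphrase "$PASS" --decrypt --output "$GNUPGHOME/sym.txt" "$GNUPGHOME/sym.gpg"
cmp -s "$GNUPGHOME/plain.txt" "$GNUPGHOME/sym.txt" && echo "symmetric round trip: ok"
```

Checking the fingerprint from the VALIDSIG line is the script equivalent of reading the "Good signature from ..." line by hand: a valid signature by the wrong key is still a valid signature, and gpg's exit status alone cannot tell the two apart.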
