Linux Encryption and Security - Exercises

1. Create an RSA asymmetric key pair with gpg on CentOS7
#Create the key pair
[root@centos7s ~]#gpg --gen-key
gpg (GnuPG) 2.0.22; Copyright (C) 2013 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: centos7
Email address: 
Comment: 
You selected this USER-ID:
    "centos7"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key EC635E2E marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/EC635E2E 2020-09-06
      Key fingerprint = 4304 0303 8192 181F 235C  1DE4 5442 7B4A EC63 5E2E
uid                  centos7
sub   2048R/63E3FC1A 2020-09-06
#Inspect the result
[root@centos7s ~]#ll .gnupg
total 28
-rw-------. 1 root root 7680 Sep  6 18:07 gpg.conf
drwx------. 2 root root    6 Sep  6 18:09 private-keys-v1.d
-rw-------. 1 root root 1167 Sep  6 18:16 pubring.gpg
-rw-------. 1 root root 1167 Sep  6 18:16 pubring.gpg~
-rw-------. 1 root root  600 Sep  6 18:16 random_seed
-rw-------. 1 root root 2543 Sep  6 18:16 secring.gpg
srwxr-xr-x. 1 root root    0 Sep  6 18:09 S.gpg-agent
-rw-------. 1 root root 1280 Sep  6 18:16 trustdb.gpg

[root@centos7s ~]#gpg --list-key
/root/.gnupg/pubring.gpg
------------------------
pub   2048R/EC635E2E 2020-09-06
uid                  centos7
sub   2048R/63E3FC1A 2020-09-06
2. Copy the public key exported from CentOS7 to CentOS8, then encrypt a file on CentOS8 with the CentOS7 public key
#Export the public key
[root@centos7s ~]#gpg -a --export -o centos7.pub
[root@centos7s ~]#ll -a
total 36
dr-xr-x---.  3 root root  184 Sep  6 18:23 .
dr-xr-xr-x. 18 root root  236 Jul 28 11:20 ..
-rw-------.  1 root root 1605 Jul 28 11:20 anaconda-ks.cfg
-rw-r--r--.  1 root root 1687 Sep  6 18:23 centos7.pub
drwx------.  3 root root  162 Sep  6 18:20 .gnupg
...
#Copy the centos7 public key to /data/ on centos8
[root@centos7s ~]#scp centos7.pub 10.0.0.115:/data/
The authenticity of host '10.0.0.115 (10.0.0.115)' can't be established.
ECDSA key fingerprint is SHA256:DH3mR2juONfIxB8Zgcjh3NsTfMNDICkMbMejXchDnnA.
ECDSA key fingerprint is MD5:59:67:77:62:fc:4c:09:33:fc:db:3c:a8:1d:40:76:92.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.0.0.115' (ECDSA) to the list of known hosts.
root@10.0.0.115's password: 
centos7.pub   
#Import the centos7 public key on centos8
[root@centos82s data]#gpg --import centos7.pub 
gpg: directory '/root/.gnupg' created
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 54427B4AEC635E2E: public key "centos7" imported
gpg: Total number processed: 1
gpg:               imported: 1
#List the imported centos7 public key
[root@centos82s data]#gpg --list-keys
/root/.gnupg/pubring.kbx
------------------------
pub   rsa2048 2020-09-06 [SC]
      430403038192181F235C1DE454427B4AEC635E2E
uid           [ unknown] centos7
sub   rsa2048 2020-09-06 [E]
#Encrypt the file
[root@centos82s data]#gpg -e -r centos7 file.txt
gpg: C532858263E3FC1A: There is no assurance this key belongs to the named user
sub  rsa2048/C532858263E3FC1A 2020-09-06 centos7
 Primary key fingerprint: 4304 0303 8192 181F 235C  1DE4 5442 7B4A EC63 5E2E
      Subkey fingerprint: 8D7A 65C2 8780 0AEA 982F  E5CA C532 8582 63E3 FC1A

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y
[root@centos82s data]#ll
total 8912
-rw-r--r--   1 root    root       6 Sep  6 18:40 file.txt
-rw-r--r--   1 root    root     346 Sep  6 18:40 file.txt.gpg
3. Back on the CentOS7 server, copy file.txt.gpg from the remote host and decrypt it with the CentOS7 private key
#Copy file.txt.gpg from centos8 to centos7
[root@centos7s ~]#scp 10.0.0.115:/data/file.txt.gpg /data/
root@10.0.0.115's password: 
file.txt.gpg 
[root@centos7s data]#ll
total 4
-rw-r--r--. 1 root root 346 Sep  6 18:42 file.txt.gpg
#Decrypt the file with the centos7 private key
[root@centos7s data]#gpg -d file.txt.gpg > test.txt

You need a passphrase to unlock the secret key for
user: "centos7"
2048-bit RSA key, ID 63E3FC1A, created 2020-09-06 (main key ID EC635E2E)

gpg: encrypted with 2048-bit RSA key, ID 63E3FC1A, created 2020-09-06
      "centos7"
[root@centos7s data]#ll
total 8
-rw-r--r--. 1 root root 346 Sep  6 18:42 file.txt.gpg
-rw-r--r--. 1 root root   6 Sep  6 18:46 test.txt
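The CentOS7/CentOS8 exchange of exercises 1 to 3, as an added example that is not part of the original exercise: both hosts are simulated with two throwaway GNUPGHOME directories on one machine, the key is generated unattended from a batch parameter file instead of the interactive dialogue, and the "Use this key anyway?" decision is replaced by an explicit fingerprint comparison followed by an ownertrust entry. It assumes GnuPG 2.1 or newer (for %no-protection and gpgconf); the directory names, file names and the function name gpg_demo are the example's own. The key is left without a passphrase only so that no pinentry is needed while the script runs.

```shell
# Added example (not from the original exercise). Assumes GnuPG >= 2.1.
gpg_demo() {
  work=$(mktemp -d)
  owner="$work/centos7"   # plays the CentOS7 host that owns the key pair
  sender="$work/centos8"  # plays the CentOS8 host that only has the public key
  mkdir -m 700 "$owner" "$sender"

  # 1. Generate the RSA/RSA pair unattended (%no-protection: no passphrase,
  #    acceptable for this demo only).
  GNUPGHOME="$owner" gpg --batch --quiet --gen-key <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: centos7
Expire-Date: 0
%commit
EOF

  # 2. Export the armored public key and import it on the other host.
  GNUPGHOME="$owner" gpg --armor --export centos7 > "$work/centos7.pub"
  GNUPGHOME="$sender" gpg --quiet --import "$work/centos7.pub"

  # The imported key has unknown validity, so in batch mode gpg refuses to
  # encrypt to it (interactively this is the "Use this key anyway?" prompt).
  printf 'hello\n' > "$work/file.txt"
  if GNUPGHOME="$sender" gpg --batch --quiet -e -r centos7 \
       -o "$work/file.txt.gpg" "$work/file.txt" 2>/dev/null; then
    echo "unexpected: encryption to an unvalidated key succeeded" >&2
    return 1
  fi

  # Validate the key properly: compare the primary fingerprint on both sides
  # (out of band in real life), then record the decision as ownertrust.
  fpr_owner=$(GNUPGHOME="$owner" gpg --with-colons --fingerprint centos7 \
                | awk -F: '$1 == "fpr" { print $10; exit }')
  fpr_sender=$(GNUPGHOME="$sender" gpg --with-colons --fingerprint centos7 \
                | awk -F: '$1 == "fpr" { print $10; exit }')
  [ "$fpr_owner" = "$fpr_sender" ] || { echo "fingerprint mismatch" >&2; return 1; }
  echo "$fpr_sender:6:" | GNUPGHOME="$sender" gpg --quiet --import-ownertrust

  # Now encryption succeeds without any prompt.
  GNUPGHOME="$sender" gpg --batch --quiet -e -r centos7 \
    -o "$work/file.txt.gpg" "$work/file.txt"

  # 3. Only the holder of the private key can decrypt; the sender cannot.
  if GNUPGHOME="$sender" gpg --batch --quiet -d "$work/file.txt.gpg" >/dev/null 2>&1; then
    echo "unexpected: sender decrypted without the private key" >&2
    return 1
  fi
  GNUPGHOME="$owner" gpg --batch --quiet -d "$work/file.txt.gpg" > "$work/test.txt"
  plain=$(cat "$work/test.txt")
  [ "$plain" = "$(cat "$work/file.txt")" ] || { echo "round trip mismatch" >&2; return 1; }

  # Stop the per-home agents and clean up.
  GNUPGHOME="$owner" gpgconf --kill gpg-agent 2>/dev/null || true
  GNUPGHOME="$sender" gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$work"
  echo "fingerprint=$fpr_owner"
  echo "decrypted=$plain"
}

gpg_demo
```

The ownertrust line "FINGERPRINT:6:" marks the key as ultimately trusted in the sender's keyring, which is what makes gpg stop asking; it should only be written after the fingerprint shown by gpg --fingerprint on the sender has been compared with the one printed by the key owner, as in the exercise's transcript.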
4. Build a CA with openssl on CentOS7
[root@centos7s CA]#ll
total 0
drwxr-xr-x. 2 root root 6 Aug  9  2019 certs
drwxr-xr-x. 2 root root 6 Aug  9  2019 crl
drwxr-xr-x. 2 root root 6 Aug  9  2019 newcerts
drwx------. 2 root root 6 Aug  9  2019 private
#Create the certificate index database file
[root@centos7s ~]#touch /etc/pki/CA/index.txt
#Set the serial number of the first certificate to be issued
[root@centos7s ~]#echo 01 > /etc/pki/CA/serial
#Inspect the result
[root@centos7s ~]#ll /etc/pki/CA/
total 4
drwxr-xr-x. 2 root root 6 Aug  9  2019 certs
drwxr-xr-x. 2 root root 6 Aug  9  2019 crl
-rw-r--r--. 1 root root 0 Sep  6 18:58 index.txt
drwxr-xr-x. 2 root root 6 Aug  9  2019 newcerts
drwx------. 2 root root 6 Aug  9  2019 private
-rw-r--r--. 1 root root 3 Sep  6 18:58 serial
#Generate the CA private key
[root@centos7s CA]#(umask 066;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
.....+++
......................+++
e is 65537 (0x10001)
#Generate the CA self-signed certificate
[root@centos7s CA]#openssl req -new -x509 -key private/cakey.pem -days 3650 -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:hn
Locality Name (eg, city) [Default City]:zz
Organization Name (eg, company) [Default Company Ltd]:dy
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:www.dy.com
Email Address []:
[root@centos7s CA]#ll
total 8
-rw-r--r--. 1 root root 1273 Sep  6 19:08 cacert.pem
drwxr-xr-x. 2 root root    6 Aug  9  2019 certs
drwxr-xr-x. 2 root root    6 Aug  9  2019 crl
-rw-r--r--. 1 root root    0 Sep  6 18:58 index.txt
drwxr-xr-x. 2 root root    6 Aug  9  2019 newcerts
drwx------. 2 root root   23 Sep  6 19:02 private
-rw-r--r--. 1 root root    3 Sep  6 18:58 serial
5. Create a certificate signing request with openssl on CentOS7 and sign it with the root certificate built above
#Generate the private key
[root@centos7s data]#(umask 066;openssl genrsa -out /data/test.key 2048)
Generating RSA private key, 2048 bit long modulus
...............................................+++
........................................................+++
e is 65537 (0x10001)
#Generate the certificate signing request
[root@centos7s data]#openssl req -new -key /data/test.key -out /data/test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:hn
Locality Name (eg, city) [Default City]:zz
Organization Name (eg, company) [Default Company Ltd]:dy
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:www.dy.com
Email Address []:
#Sign the certificate on the CA and issue it to the requester
[root@centos7s data]#openssl ca -in test.csr -out /etc/pki/CA/certs/test.crt -days 100
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Sep  6 11:27:34 2020 GMT
            Not After : Dec 15 11:27:34 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = hn
            organizationName          = dy
            organizationalUnitName    = it
            commonName                = test.dy.com
...
6. Revoke an issued certificate
[root@centos7s CA]#cat index.txt
V   201215112734Z       01  unknown /C=CN/ST=hn/O=dy/OU=it/CN=test.dy.com
#On the client, obtain the identifying information of the certificate to be revoked
[root@centos7s CA]#openssl x509 -in certs/test.crt -noout -serial -subject
serial=01
subject= /C=CN/ST=hn/O=dy/OU=it/CN=test.dy.com
#On the CA, compare the serial and subject submitted by the client with the entry in index.txt, then revoke the certificate
[root@centos7s CA]#openssl ca -revoke newcerts/01.pem 
Using configuration from /etc/pki/tls/openssl.cnf
Revoking Certificate 01.
Data Base Updated
#Check the certificate status
[root@centos7s CA]#openssl ca -status 01
Using configuration from /etc/pki/tls/openssl.cnf
01=Revoked (R)
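The CA workflow of exercises 4 to 6, as an added example that is not part of the original exercise: it rebuilds the CA in a temporary directory with its own minimal openssl.cnf (equivalent to the CA_default section of the stock /etc/pki/tls/openssl.cnf the exercise relies on), so nothing under /etc/pki/CA is touched, and all prompts are replaced by -subj and -batch. It goes beyond the exercise in two places: it verifies the issued certificate against the CA before revocation, and after the revocation it generates a CRL and shows that verification with -crl_check then fails. It assumes OpenSSL 1.1 or newer; the directory layout, the function name ca_demo and the file names are the example's own.

```shell
# Added example (not from the original exercise). Assumes OpenSSL >= 1.1.
ca_demo() {
  work=$(mktemp -d)
  ca="$work/CA"
  mkdir -p "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private"
  chmod 700 "$ca/private"
  touch "$ca/index.txt"       # certificate index database
  echo 01 > "$ca/serial"      # serial number of the first certificate issued
  echo 01 > "$ca/crlnumber"   # number of the first CRL issued

  # Minimal CA configuration; policy_match is the same policy as the stock file.
  cat > "$work/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ca
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
serial = \$dir/serial
crlnumber = \$dir/crlnumber
private_key = \$dir/private/cakey.pem
default_days = 100
default_crl_days = 30
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF

  # 4. CA private key (umask 066 keeps it owner-only) and self-signed root cert.
  (umask 066; openssl genrsa -out "$ca/private/cakey.pem" 2048 2>/dev/null)
  openssl req -new -x509 -config "$work/openssl.cnf" -key "$ca/private/cakey.pem" \
    -days 3650 -subj "/C=CN/ST=hn/L=zz/O=dy/OU=it/CN=www.dy.com" -out "$ca/cacert.pem"

  # 5. Requester's key and CSR; the CA signs it (-batch skips the y/N prompts).
  (umask 066; openssl genrsa -out "$work/test.key" 2048 2>/dev/null)
  openssl req -new -config "$work/openssl.cnf" -key "$work/test.key" \
    -subj "/C=CN/ST=hn/L=zz/O=dy/OU=it/CN=test.dy.com" -out "$work/test.csr"
  openssl ca -batch -config "$work/openssl.cnf" -in "$work/test.csr" \
    -out "$ca/certs/test.crt" -days 100 2>/dev/null

  # policy_match silently drops L= because localityName is not listed in it,
  # which is why the exercise's "Certificate Details" show no locality.
  serial=$(openssl x509 -in "$ca/certs/test.crt" -noout -serial)
  subject=$(openssl x509 -in "$ca/certs/test.crt" -noout -subject)
  before=$(openssl verify -CAfile "$ca/cacert.pem" "$ca/certs/test.crt" 2>&1 | tail -n 1)

  # 6. Revoke, read the index (V = valid, R = revoked), publish a CRL and
  #    verify against it: the certificate is now rejected.
  openssl ca -config "$work/openssl.cnf" -revoke "$ca/newcerts/01.pem" 2>/dev/null
  status=$(cut -f1 "$ca/index.txt")
  openssl ca -config "$work/openssl.cnf" -gencrl -out "$ca/crl/ca.crl" 2>/dev/null
  cat "$ca/cacert.pem" "$ca/crl/ca.crl" > "$work/ca_with_crl.pem"
  if openssl verify -crl_check -CAfile "$work/ca_with_crl.pem" "$ca/certs/test.crt" >/dev/null 2>&1; then
    after=verified
  else
    after=revoked
  fi

  rm -rf "$work"
  echo "$serial"
  echo "$subject"
  echo "before_revoke=${before##*: }"
  echo "index_status=$status"
  echo "after_revoke=$after"
}

ca_demo
```

Revoking a certificate only updates index.txt on the CA; relying parties keep accepting it until a CRL (or OCSP response) carrying the revocation is published and actually checked, which is what the final verify with -crl_check demonstrates.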