The example below details how file encryption should be done. For more information, visit the GnuPG site ( https://www.gnupg.org/ ).
Installation:
Platform: Oracle Enterprise Linux 6.5 x86_64
rngd is a daemon used to generate random data from a hardware source. The pinentry package is installed because it is a dependency.
yum install rng-tools pinentry-gtk.x86_64 gpg
sed -r -i 's#(^EXTRAOPTIONS=).*$#\1"-r /dev/urandom"#' /etc/sysconfig/rngd
Start the service:
chkconfig rngd on
service rngd start
Start gpg-agent (with SSH agent support) and export its environment variables into the current shell:
gpg-agent --daemon --enable-ssh-support --write-env-file "${HOME}/.gpg-agent-info"
if [ -f "${HOME}/.gpg-agent-info" ]; then
  . "${HOME}/.gpg-agent-info"
  export GPG_AGENT_INFO
  export SSH_AUTH_SOCK
  export SSH_AGENT_PID
fi
Generate keys:
[root@keyserver~]# gpg --gen-key
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: okantest
Email address:
Comment:
You selected this USER-ID:
    "okantest"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway.  You can change your passphrase at any time,
using this program with the option "--edit-key".

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 37048976 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   2048R/37048976 2014-12-03
      Key fingerprint = 42AE 65B4 5307 A17F D562 F2F0 179B 43C0 3704 8976
uid                  okantest
sub   2048R/ED8D052F 2014-12-03
List your keys (now showing the details of the key just generated):
[root@keyserver~]# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub   2048R/37048976 2014-12-03
uid                  okantest
sub   2048R/ED8D052F 2014-12-03
Sign the Repo:
gpg --detach-sign --armor repodata/repomd.xml
Export the key for clients:
gpg -a --export 80A79AD1 > Swissunix.gpg
Symmetric encryption:
With this method you must supply a passphrase; the same passphrase is used for extraction (decryption). If you do not supply one, you get the following error.

[root@keyserver~]# gpg -c test.file
gpg: error creating passphrase: Invalid passphrase
gpg: symmetric encryption of `test.file' failed: Invalid passphrase
Solution:
In the command below, symmetric encryption is performed using the passphrase stored in the file named sifre, which is fed to gpg on stdin.

[root@pacenode1 ~]# time gpg --batch --yes --passphrase-fd 0 -c test-0-187.el6.x86_64.rpm < sifre

real    0m16.519s
user    0m9.462s
sys     0m0.189s
[root@pacenode1 ~]# ls -alh test-0-187.el6.x86_64.rpm*
-rw-rw-r-- 1 1000 1000 106M Eyl  1 10:30 test-0-187.el6.x86_64.rpm
-rw-r--r-- 1 root root 107M Ara  3 21:47 test-0-187.el6.x86_64.rpm.gpg
Example file encryption scenario:
The goal is to encrypt a file on machine A so that it can be read only on machine B (which holds the secret key), and to keep the encrypted file on machine A. That way anyone who gains access to machine A cannot read the file, even though it is stored there, unless they also hold the secret key. In summary, in the example detailed below we exported only the public key from the machine where the key pair was generated (keyserver), copied it to a separate machine and imported it there. On that machine we then encrypted test.file, which produced test.file.gpg. We could not open this file, encrypted with the public key, on the machine where the encryption was done (because it does not have the private key).
We then moved the file to the machine where the keys were generated and which holds the private key (keyserver), and saw that it opened without any problem. The example uses asymmetric encryption.
Key export:
[root@keyserver~]# gpg --armor --export "okantest" > public_key.asc
[root@keyserver~]# cat public_key.asc
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.14 (GNU/Linux)

...
-----END PGP PUBLIC KEY BLOCK-----
Key import:
This step was carried out not on the keyserver machine but on a completely separate machine. The aim is to load the public_key.asc file, which we generated and exported on the keyserver, onto this machine so that we can use this public key when encrypting.

[root@A~]# gpg --import public_key.asc
Key deletion
You do not need to delete any keys; this part is included only for illustration.

[root@A ~]# gpg --list-keys
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   3  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 3u
/root/.gnupg/pubring.gpg
------------------------
pub   2048R/4D0A0CEC 2014-12-03
uid                  okantest
sub   2048R/89AD3BFA 2014-12-03

pub   2048R/7BFD8F15 2014-12-03
uid                  okantest
sub   2048R/98436A06 2014-12-03

pub   2048R/3C2FF0FB 2014-12-03
uid                  okantest
sub   2048R/3EC03EB3 2014-12-03

[root@A ~]# gpg --delete-secret-keys 4D0A0CEC && gpg --delete-keys 4D0A0CEC
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

sec  2048R/4D0A0CEC 2014-12-03 okantest

Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
gpg (GnuPG) 2.0.14; Copyright (C) 2009 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

pub  2048R/4D0A0CEC 2014-12-03 okantest

Delete this key from the keyring? (y/N) y
[root@A ~]# gpg --list-keys
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
/root/.gnupg/pubring.gpg
------------------------
pub   2048R/7BFD8F15 2014-12-03
uid                  okantest
sub   2048R/98436A06 2014-12-03

pub   2048R/3C2FF0FB 2014-12-03
uid                  okantest
sub   2048R/3EC03EB3 2014-12-03
File encryption:
The -r option selects the encryption profile to use, i.e. the recipient key. Below, the encryption is done on machine A, which does not hold the private key.

[root@A~]# cat test.file
1234456
[root@hassecretkey~]# gpg -e -r "okantest" test.file
gpg: ED8D052F: There is no assurance this key belongs to the named user

pub  2048R/ED8D052F 2014-12-03 okantest
 Primary key fingerprint: 42AE 65B4 5307 A17F D562 F2F0 179B 43C0 3704 8976
      Subkey fingerprint: 0192 FE0A BEF6 5C72 B404 6F94 AB0D 479D ED8D 052F

It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N) y
Let's check the file sizes.
[root@A~]# ls -al test.file*
-rw-r--r-- 1 root root   8 Dec  3 15:52 test.file
-rw-r--r-- 1 root root 349 Dec  3 15:52 test.file.gpg
Decrypting the encrypted file
Failed attempt on the machine that does not hold the secret key:
( Only the public key was imported on this machine; the private key is not present. )
[root@A~]# gpg -o test.file -d test.file.gpg
gpg: encrypted with 2048-bit RSA key, ID ED8D052F, created 2014-12-03
      "okantest"
gpg: decryption failed: No secret key
Successful attempt on the machine that holds the secret key:
[root@keyserver ~]# gpg -o test.file -d test.file.gpg
gpg: encrypted with 2048-bit RSA key, ID ED8D052F, created 2014-12-03
      "okantest"
[root@keyserver ~]# cat test.file
1234456
[root@keyserver ~]# ls -al test.file*
-rw-r--r-- 1 root root   8 Dec  3 15:56 test.file
-rw-r--r-- 1 root root 349 Dec  3 15:56 test.file.gpg
Getting rid of the confirmation prompts (bypass prompts):

...
It is NOT certain that the key belongs to the person named
in the user ID.  If you *really* know what you are doing,
you may answer the next question with yes.

Use this key anyway? (y/N)

Solution:

[root@A ~]# gpg --edit-key "okantest"
trust
...
  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
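The --list-keys output earlier shows three keys with the same user ID, so -r "okantest" can match more than one key, and the trust step above silences the prompt by marking a key ultimately trusted. The POSIX shell script below is an added example, not part of the original post: it pins the recipient by the full 40-digit fingerprint and uses --trust-model always for a single run, so no key's trust setting has to be changed. It assumes GnuPG 2.0 as on the page; the fingerprint is the page's own key and the file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Encrypt a file to exactly one
# key, selected by its full v4 fingerprint rather than by user ID.
# Assumes GnuPG 2.0.x; file names are placeholders.

# Strip spaces and upper-case a fingerprint as typed from --fingerprint output.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F'
}

# Return 0 only for a 40 hex-digit (v4) fingerprint; an 8-digit key ID
# such as 37048976 is rejected because short IDs are not unique.
is_v4_fingerprint() {
    f=$(norm_fpr "$1")
    case "$f" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#f}" -eq 40 ]
}

# Confirm the pinned key is in the local public keyring. With --with-colons
# every key and subkey gets an "fpr" record whose 10th field is the fingerprint.
key_in_keyring() {
    gpg --batch --with-colons --fingerprint 2>/dev/null \
        | grep -q "^fpr:::::::::$(norm_fpr "$1"):$"
}

# encrypt_to_pinned_key FINGERPRINT INPUT OUTPUT
# --trust-model always answers "Use this key anyway?" for this run only;
# the checks before it make sure we are talking about the key we verified
# out of band, not any key that happens to carry the uid "okantest".
encrypt_to_pinned_key() {
    pin=$1; in=$2; out=$3
    is_v4_fingerprint "$pin" || { echo "bad fingerprint: $pin" >&2; return 2; }
    [ -f "$in" ] || { echo "no such file: $in" >&2; return 3; }
    key_in_keyring "$pin" || { echo "key not imported: $pin" >&2; return 4; }
    gpg --batch --yes --trust-model always \
        --cipher-algo AES256 --recipient "$(norm_fpr "$pin")" \
        --output "$out" --encrypt "$in"
}

# Usage with the page's key (placeholder file names):
# encrypt_to_pinned_key "42AE 65B4 5307 A17F D562 F2F0 179B 43C0 3704 8976" test.file test.file.gpg
```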
Timing comparison of symmetric and asymmetric file encryption with gpg:
Symmetric file encryption test: ( -c, --symmetric: encryption only with a symmetric cipher )
[root@hassecretkey ~]# time gpg --batch --yes --passphrase-fd 0 -c --cipher-algo aes128 test-0-187.el6.x86_64.rpm < sifre

real    0m8.987s
user    0m4.767s
sys     0m0.168s
[root@hassecretkey ~]# ls -alh test-0-187.el6.x86_64.rpm*
-rw-rw-r-- 1 1000 1000 106M Sep  1 10:30 test-0-187.el6.x86_64.rpm
-rw-r--r-- 1 root root 107M Dec  4 12:53 test-0-187.el6.x86_64.rpm.gpg
Asymmetric file encryption test: ( -r selects the recipient profile to use. )
[root@hassecretkey ~]# time gpg -e --cipher-algo aes128 -r "okantest" test-0-187.el6.x86_64.rpm

real    0m9.208s
user    0m5.298s
sys     0m0.200s
[root@hassecretkey ~]# ls -alh test-0-187.el6.x86_64.rpm*
-rw-rw-r-- 1 1000 1000 106M Sep  1 10:30 test-0-187.el6.x86_64.rpm
-rw-r--r-- 1 root root 107M Dec  4 12:52 test-0-187.el6.x86_64.rpm.gpg
[root@pacenode1 ~]# rm test-0-187.el6.x86_64.rpm.gpg
rm: remove regular file `test-0-187.el6.x86_64.rpm.gpg'? y
Result:
symmetric  0m8.987s
asymmetric 0m9.208s
The two timings are close because gpg -e also encrypts the file itself with the symmetric cipher (here AES-128) under a random session key; the RSA public key is used only to encrypt that session key, which is a negligible part of the work.
2014-12-20, İstanbul - Ali Okan YÜKSEL