使用GPG

Manage public private key

How to generate a key pair? / 怎样生成公私钥对？

gpg --gen-key

请选择您要使用的密钥种类：
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (仅用于签名)
(4) RSA (仅用于签名)
您的选择？

DSA and RSA are algorithm.
DSA和RSA是算法名子。

• Choice 1 means creating two key pairs, both use RSA algorithm, one for signing, one for encrypting.
  选项1表示制做两对公私钥，都使用RSA算法，一个公私钥用于签名，一个公私钥用于加密。
• Choice 2 means creating two key pairs, one uses DSA algorithm, for signing, one uses Elgamal algorithm, for encrypting.
  选项2表示制做两对公私钥，一个公私钥用DSA算法，用于签名，一个公私钥用Elgamal算法，用于加密。
• Choice 3 means creating one key pair, use DSA algorithm, for both signing and encrypting.
  选项3表示制做一对公私钥，使用DSA算法，用于签名和加密。
• Choice 4 means creating one key pair, use RSA algorithm, for both signing and encrypting.
  选项4表示制做一对公私钥，使用RSA算法，用于签名和加密。

Just follow the hints, do choices, at last it will output:
根据提示填，最后会获得输出：

gpg: 正在检查信任度数据库
gpg: 须要 3 份勉强信任和 1 份彻底信任，PGP 信任模型
gpg: 深度：0 有效性：  4 已签名：  0 信任度：0-，0q，0n，0m，0f，4u
pub   2048D/84A0D639 2018-03-01
密钥指纹 = A46D 469C 051B 9EA0 F5FE  C4CA 799D A3DC 84A0 D639
uid       [ 绝对 ] abc (Address) <archimedes_newton@163.com>
sub   2048g/50A8A3AA 2018-03-01

Fourth line, that '84A0D639', and seventh line, that '50A8A3AA', are IDs of the key pairs.
第四行那个84A0D639，第七行那个50A8A3AA，是生成的公私钥对的ID。

How to list your key pairs? / 怎样列出你拥有的公私钥对

List public keys:

gpg --list-public-keys

List private keys:

gpg --list-secret-keys

What is key pair? Where is your key pair? 什么是公私钥对，你生成的公私钥对在哪？

A 'key pair' consists of a public key and a private key.
公私钥对包含公钥和私钥。
but in GPG, a 'key pair' consists of a primary key pair and a subordinate key pair.
可是在GPG里，公私钥对包含一个主钥对和一个副钥对。

In cryptography, who is public, who is private is not important, these two roles are equal, and can be exchanged. If we say one key is a public key, then it is public key, and the other key is a private key.
密码学中，谁是公，谁是私不是必定的，这两个角色是平等的，可交换的。咱们能够说其中一个是公钥，谁就是公钥，另外一个钥就是私钥。

But in GPG, 'public key' what we said consists of:

• the public portion of the master signing key,
  主钥对的公钥部分。
• the public portions of the subordinate signing and encryption subkeys,
  副钥对的公钥部分。
• a set of user IDs used to associate the public key with a real person,
  和公钥关联的，用于指示真人的用户id。

By default, GPG put its data under ~/.gnupg, this directory may has these files:
GPG把文件放在~/.gnupg下面，这个目录可能有这些文件：

.
├── openpgp-revocs.d
│   └── D4CE087C2A16C3EF81BEB9A0A1691041C934895B.rev
├── private-keys-v1.d
│   ├── 0DBEE5E9C5C25E304FC88AA8FFF38EEEB7826311.key
│   └── 8A5B9A60C63E11881D9C778477163BC4FD271B2B.key
├── pubring.kbx
├── pubring.kbx~
├── random_seed
└── trustdb.gpg

That 'pubring.kbx' is where your key pairs are.

How to generate a revocation certificate / 怎样生成撤回证书（用于对外宣布做废一个公私钥对）

If you forget your passphrase or if your private key is compromised or lost, a revocation certificate may be published to notify others that the public key should no longer be used.
若是你忘了私钥的密码或私钥泄漏了，能够公布 撤回证书 以通知你们不要再使用那个公钥。
So after your keypair is created you should immediately generate a revocation certificate for the primary public key.
因此公私钥对做成后，你应该当即主公钥生成撤回证书。

gpg --gen-revoke --output revoke.asc BB2B8D466C53DBC559EABBA1D083B71756A6D115

• --gen-revoke
  means generating a 'revocation certificate'.
• --output revoke.asc
  means the output file is 'revoke.asc'.
• BB2B80... is the id of the public key.

How to exchange public keys? / 怎样交换公钥？

If you want to exchange your public key to someone, first you need to 'export' it:
若是你想把你的公钥给另外一我的，你要先「导出」它：

gpg --export --output my-public-key.gpg D4CE087C2A16C3EF81BEB9A0A1691041C934895B

• --export
  means exporting public key.
  表示导出公钥。
• --output ...
  the output filename.
  表示输出文件。

you can use 'file' command to check that file's type:
你能够用file命令检查这个文件的类型：

file my-public-key.gpg

my-public-key.gpg: GPG key public ring, created Tue Feb 23 09:50:34 2021

you can also add an argument '--armor' to 'gpg --export' so you will get a plain text output file:

gpg --export --armor --output my-public-key.gpg D4CE087C2A16C3EF81BEB9A0A1691041C934895B

then send 'my-public-key.gpg' to the receiver.
而后把这个文件发给接收者。
then the receiver can 'import' this file:
接收者导入这个文件：

gpg --import my-public-key.gpg

then the receiver check whether he has import your key:
接收者检查他是否已导入了你的公钥：

gpg --list-public-keys

that is not the last step, the receiver need to 'trust' your public key:
这还没完，接收者要「确认」你的公钥：

gpg --edit-key D4CE087C2A16C3EF81BEB9A0A1691041C934895B

the above command will bring the receiver to an interactive program.
上述命令会带接收者进入一个交互程序。

then the receiver execute 'fpr' to check its fingerprint, it should have the same result that the sender checked.
接收者执行fpr命令检查指纹，应该获得与发送者所作的检查一致的结果。

gpg> fpr
pub   rsa2048/A1691041C934895B 2021-02-23 iamyou <i@am.you>
 Primary key fingerprint: D4CE 087C 2A16 C3EF 81BE  B9A0 A169 1041 C934 895B

then the receiver execute 'trust' to trust your public key:
接收者执行trust命令以信任你的公钥：

gpg> trust

you can use 'help' to see all the subcommands:
你能够用help命令查看全部子命令：

gpg> help

How to exchange private keys? / 怎样交换私钥？

gpg --export-secret-key --output my-private-key.gpg D4CE087C2A16C3EF81BEB9A0A1691041C934895B

• --export-secret-key
  means exporting a private key.
  表示导出私钥。
• --output
  the output filename.
  输出文件名。

you will be asked for your private key's password.

On the receiver side, he 'import' your private key:

gpg --import my-private-key

then he check private key ring:

gpg --list-secret-keys

How to delete a key? / 怎样删除公私钥？

How to delete a public key?
怎样删除公钥？

gpg --delete-key D4CE087C2A16C3EF81BEB9A0A1691041C934895B

How to delete a private key?
怎样删除私钥？

gpg --delete-secret-key D4CE087C2A16C3EF81BEB9A0A1691041C934895B

How to change private key password? / 怎样改私钥密码？

First execute 'gpg --edit-key':

gpg --edit-key D4CE087C2A16C3EF81BEB9A0A1691041C934895B

then execute subcommand 'passwd':

gpg> passwd

How to use GPG to encrypt a file? / 怎样用gpg加密文件？

Use public key to encrypt a file / 用公钥加密文件

If you have a plain text file 'plain.txt', you can use a receiver's public key to encrypt it, of course, you must have import that receiver's public key first.
若是你有一个文本文件plain.txt，你能够用一个接收者的公钥加密这个文件，固然，你得先导入那位接收者的公钥。

On that receiver's side, he exports he's public key:
接收者那边，他导出他的公钥：

gpg --export --public ReceiverPublicKey.gpg D4CE087C2A16C3EF81BEB9A0A1691041C934895B

he send 'ReceiverPublicKey.gpg' to you.
他把文件ReceiverPublicKey.gpg发给你。

you import this file:
你导入这个文件：

gpg --import ReceiverPublicKey.gpg

then you choose to trust his public key:
你选择信任他的公钥：

gpg --edit-key D4CE087C2A16C3EF81BEB9A0A1691041C934895B
gpg> trust
gpg> quit

then you use his public key to encrypt your file:
你用他的公钥加密你的文件：

gpg --encrypt --recipient D4CE087C2A16C3EF81BEB9A0A1691041C934895B --output EncryptedByPublicKey.gpg PlainText.txt

• --encrypt
  means encrypting a file using a public key.
  表示用公钥加密文件
• --recipient ...
  who is the receiver. who is the receiver, then we use who's public key.
  谁是接收者。谁是接收者，咱们就用谁的公钥。
• --output ...
  the output filename.
  输出文件。
• The last argument 'PlainText.txt' is the input file.
  最后一个参数是输入文件。

You send 'EncryptedByPublicKey.gpg' to the receiver.
你把加密后的文件发给接收者。

On the receiver side, he use his private key to decrypt that file:
接收者那边，他用他的私钥解密文件：

gpg --decrypt --output PlainText.txt EncryptedByPublicKey.gpg

• --decrypt
  means decrypt a file.
  表示解密文件。
• --output ...
  the output file.
  输出文件。
• The last argument is the encrypted file to be decrypted.
  最后一个文件是要解密的被加密的文件。

The receiver do not need to specify his private key in the command, if you has the private key, GPG will automatically find and use it.
接收者不须要在命令里指定私钥，若是他有对应的私钥，gpg会自动找到并使用那个私钥。

But you can also specify what private key to use:
但你也能够指定私钥：

gpg --decrypt --local-user D4CE087C2A16C3EF81BEB9A0A1691041C934895B --output PlainText.txt EncryptedByPublicKey.gpg

• --local-user ...
  use which private key.

Use symmetric password to encrypt a file / 用对称密码加密文件

encrypt a file:

gpg --symmetric --output EncryptedByPassword.gpg PlainText.txt

• --symmetric
  means using symmetric password to encrypt a file.
  表示用对称密码加密文件。
• --output ...
  the output file.
  输出文件。
• the last argument is the file to be encrypted.
  最后一个参数是钥加密的文件。

decrypt the above encrypted file:
解密上面的被加密的文件：

gpg --decrypt --output PlainText.txt EncryptedByPassword.gpg

How to use GPG to sign a file? / 怎样用gpg对文件签名？

We use private key for signing, use public key for verifying.
咱们用私钥签名，用公钥确认。

Integrated signature / 签名与原文件合在一块儿

To sign a file:
对一个文件签名：

gpg --sign --output SignedFile --local-user D4CE087C2A16C3EF81BEB9A0A1691041C934895B PlainText.txt

• --sign
  means signing a file.
  表示一个文件签名。
• --output ...
  the output filename.
  输出文件。
• --local-user ...
  use which private key.
  用哪一个私钥。
• the last argument is the file to be signed.
  最后一个参数是要被签名的文件。

then another man who has your public key, can verify 'SignedFile' and extract the original file:
拥有你的公钥的人能够「确认」这个签名文件，并解压出原文件：

gpg --decrypt --recipient D4CE087C2A16C3EF81BEB9A0A1691041C934895B --output PlainText.txt SignedFile

• --decrypt
  means decrypting a file, in this situation, we call this operation 'verify'.
• --recipient ...
  use which public key.
  用哪一个公钥。
• --output ...
  the output file.
  输出文件。
• the last argument is the signed file to be verified.
  最后一个参数是要被确认的被签名的文件。

he can also just 'verify' the signature:
他也能够只确认签名，不解压出原文件

gpg --verify --recipient D4CE087C2A16C3EF81BEB9A0A1691041C934895B SignedFile

Detached signature / 单独的签名文件

To create a detached signature.
生成一个独立的签名文件

gpg --detach-sign --output DetachedSignature --local-user D4CE087C2A16C3EF81BEB9A0A1691041C934895B PlainText.txt

• --detach-sign
  means making a detached signature, the output file contains only signing information.
  表示产生一个独立的签名文件，输出文件只包含签名信息。
• --output ...
  the output file
  输出文件。
• --local-user ...
  use which private key.
  用哪一个私钥。
• the last argument is the file to be signed.
  最后一个参数是要被签名的文件。

then another man who has your public key , can verify 'DetachedSignature' and original 'PlainText.txt':
拥有你的公钥的人能够「确认」这个签名文件：

gpg --verify DetachedSignFile PlainText.txt

• --verify ... ...
  verify the signature and the original file, it follows two arguments, the first is a detached signature, the second is the original file.
  确认签名文件和原文件，第一个参数是签名文件，第二个参数是原文件。

'gpg --verify' can follow one or more argument, if there is only one argument, it is a 'integrated signature', if there are two arguments, the first is a detached signature, the second is the original file.'gpg --verify' 能够跟一或二个参数，若是只有一个参数，则这个参数是一个「集成式签名」，若是有两个参数，则第一个参数是独立签名文件，第二个参数是原文件。