
PGP, OpenPGP, and GPG #

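  • PGP (Pretty Good Privacy): encryption software developed by Phil Zimmermann, used for encryption, digital signatures, and generating asymmetric keys. PGP itself is a commercial application.
  • OpenPGP: the most widely used email encryption standard, defined by the IETF OpenPGP Working Group (RFC 4880). OpenPGP was originally derived from PGP. PGP and similar products all follow the OpenPGP encryption and decryption standard.
  • GnuPG (GNU Privacy Guard, GPG): encryption software that is a GPL-licensed replacement for PGP. GnuPG also follows the OpenPGP standard.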

For the history of PGP, see Wikipedia - PGP

GnuPG currently has two versions:

  1. GnuPG 1

gpg will stay for embedded and server usage, as it brings less dependencies and smaller binaries.
From man gpg:

This is the standalone version of gpg. For desktop use you should consider using gpg2.

  2. GnuPG 2

gpg2 is a redesigned version of gpg, but changes are mostly on internal level. The newer version is split into multiple modules, for example there are also modules for X.509 (used by S/MIME).
From man gpg2:

In contrast to the standalone version gpg, which is more suited for server and embedded platforms, this version is commonly installed under the name gpg2 and more targeted to the desktop as it requires several other modules to be installed.

Quoted from Are GnuPG 1 and GnuPG 2 compatible with each other?

Generating a key #

Run gpg --full-generate-key to generate a key pair; the whole process is interactive.


Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)


RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 


Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years


Real name: realname
Email address: [email protected]
Comment: realname's gpg
You selected this USER-ID:
    "realname (realname's gpg) <[email protected]>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? 



public and secret key created and signed.

pub   rsa1024 2019-01-27 [SC]
uid                      realname <[email protected]>
sub   rsa1024 2019-01-27 [E]
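
The key pair in the sample output above is rsa1024; 1024-bit RSA is no longer considered adequate, and 2048 bits is the common minimum. The script below is an added example, not part of the original post: it scans gpg's machine-readable --with-colons listing for undersized keys and for primary keys with no expiry. The sample keyring, key IDs, and the MIN_RSA_BITS threshold are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `gpg --list-keys --with-colons` output for weak keys.
# Colon-format fields used (GnuPG doc/DETAILS): 1=record type, 3=key length,
# 4=public-key algorithm (1=RSA, 16=Elgamal, 17=DSA), 5=key ID, 7=expiry.
# MIN_RSA_BITS is this example's policy choice, not a gpg setting.
MIN_RSA_BITS=${MIN_RSA_BITS:-2048}

audit_keys() {
    awk -F: -v min="$MIN_RSA_BITS" '
        $1 == "pub" || $1 == "sub" {
            if ($4 == 1)       alg = "RSA"
            else if ($4 == 16) alg = "Elgamal"
            else if ($4 == 17) alg = "DSA"
            else               alg = ""   # ECC keys are not size-checked here
            # RSA/DSA/Elgamal keys below the policy minimum are flagged.
            if (alg != "" && $3 + 0 < min + 0)
                printf "WEAK %s %s %s%d\n", $1, $5, tolower(alg), $3
            # An empty expiry field on a primary key means it never expires.
            if ($1 == "pub" && $7 == "")
                printf "NOEXPIRY %s %s\n", $1, $5
        }'
}

# Constructed sample (key IDs, timestamps and address are made up): an
# rsa1024 pair like the one generated above, and an rsa3072 pair that expires.
sample_keyring() {
    cat <<'EOF'
tru::1:1548547200:0:3:1:5
pub:u:1024:1:AAAAAAAAAAAAAAA1:1548547200:::u:::scESC::::::23::0:
uid:u::::1548547200::0000000000000000000000000000000000000000::realname <user@example.invalid>::::::::::0:
sub:u:1024:1:AAAAAAAAAAAAAAA2:1548547200::::::e::::::23:
pub:u:3072:1:BBBBBBBBBBBBBBB1:1548547200:1611619200::u:::scESC::::::23::0:
sub:u:3072:1:BBBBBBBBBBBBBBB2:1548547200:1611619200:::::e::::::23:
EOF
}

# Real use: gpg --list-keys --with-colons | audit_keys
sample_keyring | audit_keys
```
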

Other common operations #

  1. List all local keys

gpg --list-keys

  2. Export

Export the public and private keys for the UID [email protected]

gpg --output public.gpg --armor --export [email protected]  # public key
gpg --output private.gpg --armor --export-secret-keys [email protected]  # private key

P.S. The --armor option converts the output to ASCII (ASCII-armored) form.

  3. Import

gpg --import public.gpg  # public key
gpg --allow-secret-key-import --import private.gpg  # private key

  4. Encrypt and decrypt

root@/usr/src# echo 'hello world' > plain.txt 
root@/usr/src# gpg -r [email protected] --encrypt plain.txt  # encrypt with the public key
root@/usr/src# ls  # plain.txt.gpg
plain.txt  plain.txt.gpg
root@/usr/src# gpg plain.txt.gpg  # decrypt with the private key
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: encrypted with 1024-bit RSA key, ID 9A82DEFFE5376AEA, created 2019-01-27
      "realname <[email protected]>"
File 'plain.txt' exists. Overwrite? (y/N) 


  5. Sign

root@/usr/src# gpg --sign plain.txt  # binary form
root@/usr/src# ls
plain.txt  plain.txt.gpg
root@/usr/src# gpg --clearsign plain.txt  # ASCII-readable form
root@/usr/src# cat plain.txt
plain.txt      plain.txt.asc  plain.txt.gpg  
root@/usr/src# cat plain.txt.asc 
Hash: SHA256

hello world

root@/usr/src# gpg --detach-sign plain.txt  # signature kept separate from the data

  6. Configure Git

git config --global user.signingkey [email protected]

Make Git sign every commit with this key globally:

git config --global commit.gpgsign true

  7. GitHub

Add your own public key to GitHub so that your signed commits are marked as verified. See GitHub Help - Adding a new GPG key to your GitHub account

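Problems encountered #

Because I use several laptops, I need to export and import keys. On one Arch Linux machine I ran into a problem where signing failed; see gpg: signing failed: Inappropriate ioctl for device #2798. It was resolved with export GPG_TTY=$(tty)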