Decrypting an encrypted gpg file using an external secret key

Published 2025-01-01 05:51:43


I encrypted a file using gpg, now I want to decrypt the file.

Is there any way to decrypt the file without need to import the secret file?

We have the secret key in a file called key.sec; can we pass the secret file to gpg as a parameter (when we run the decrypt command from the bash command line) to use when decrypting the encrypted file? Or must we import the secret key then decrypt the encrypted files?


Comments (3)

—━☆沉默づ 2025-01-08 05:51:43


You must add the secret key to a keyring. From the gpg(1) documentation:

   --no-default-keyring
          Do not add the default keyrings to the list of
          keyrings. Note that GnuPG will not operate without any
          keyrings, so if you use this option and do not provide
          alternate keyrings via --keyring or --secret-keyring,
          then GnuPG will still use the default public or secret
          keyrings.

You could --import --no-default-keyring --secret-keyring temporary to import the key, use --secret-keyring temporary when decrypting the content, then delete the ~/.gnupg/temporary.gpg file when you're done. But that's just a work-around.

绝不放开 2025-01-08 05:51:43


You have to import the secret key to use it, but the way that secret keys are managed by GnuPG version 2.x has changed. There is a gpg-agent daemon that handles secret key access and its use is mandatory from version 2.1.

Here is a way that you can quickly create a temporary keyring to decrypt with a secret key that is contained in a file:

$ mkdir -m 700 ~/.gnupg-temp
$ gpg --homedir ~/.gnupg-temp --import key.sec
$ gpg --homedir ~/.gnupg-temp -d an_encrypted_file

If you want to clean up afterwards, stop the agent and remove the directory:

$ gpg-connect-agent --homedir ~/.gnupg-temp KILLAGENT /bye
$ rm -r ~/.gnupg-temp

There used to be an option --secret-keyring about which the documentation for version 2.1 has this to say:

This is an obsolete option and ignored. All secret keys are stored in the private-keys-v1.d directory below the GnuPG home directory.

The private-keys-v1.d directory (within the --homedir or ~/.gnupg) is owned and operated by the agent.
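One way to script the temporary-homedir procedure from this answer end to end, as an added example that is not part of the answer: it assumes gpg and gpg-connect-agent (GnuPG 2.1 or later) are on PATH, uses a mktemp directory in place of ~/.gnupg-temp, and the function name decrypt_with_keyfile is hypothetical.

```shell
#!/bin/sh
# decrypt_with_keyfile KEYFILE CIPHERTEXT OUTFILE
# Runs the answer's procedure as one step: a throwaway GnuPG home directory is
# created with mktemp (instead of a fixed ~/.gnupg-temp), the secret key is
# imported only there, the file is decrypted, and the agent that gpg spawned
# for that home is stopped and the directory removed whether or not decryption
# succeeded. The user's normal ~/.gnupg keyring is never touched.
decrypt_with_keyfile() {
  keyfile=$1
  ciphertext=$2
  outfile=$3
  # Argument checks run before anything is created, so nothing is left behind.
  [ -r "$keyfile" ] || { echo "secret key file not readable: $keyfile" >&2; return 2; }
  [ -r "$ciphertext" ] || { echo "encrypted file not readable: $ciphertext" >&2; return 2; }

  tmphome=$(mktemp -d) || return 1
  chmod 700 "$tmphome"   # same permission the answer's mkdir -m 700 sets

  rc=1
  # --homedir points gpg (and the agent it starts) at the temporary directory.
  # Import is quiet; decryption may still prompt for the key's passphrase.
  if gpg --homedir "$tmphome" --quiet --import "$keyfile" &&
     gpg --homedir "$tmphome" --output "$outfile" --decrypt "$ciphertext"; then
    rc=0
  fi

  # Cleanup in the answer's order: stop the agent for this home first, since it
  # keeps its socket under the directory and would otherwise be left running
  # against a deleted home; then remove the directory with the imported key.
  gpg-connect-agent --homedir "$tmphome" KILLAGENT /bye >/dev/null 2>&1 || true
  rm -rf "$tmphome"
  return "$rc"
}

# Example invocation (uncomment to run interactively):
# decrypt_with_keyfile key.sec an_encrypted_file an_encrypted_file.dec
```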

情未る 2025-01-08 05:51:43


The objective of the OP Mohammed appears to be keeping his PUBLIC and SECRET key apart. After all, do we want to keep the Secret key with the data it was used to encrypt? Thus, Mohammed and 10,650+ others (at the time I write this) are interested in if/how it's possible. Indeed it is, and this is how you do it:

The publicly-facing host only has two keys: Both are Public Keys

  1. Your GPG Public key used to encrypt data

  2. Your SSH Public key in .ssh/authorized_keys to facilitate non-interactive logins.

Round-tripping an encrypted file using Public-Secret key separation:
The following bash snippet when executed on the host with the Secret Key will fetch the crypted file from the DMZ host via scp, and squirt the gpg decrypted standard output back onto the DMZ host into a file so it can be read/operated upon. This code is tested and known to work correctly:

echo "$(gpg -d $(scp [email protected]:/home/myuser/test-gpg.txt.asc .;ls ./test-gpg.txt.asc))" | ssh [email protected] 'cat > /home/myuser/test-gpg.txt'

Note that you will still be prompted for a password once decryption begins. But once the password is supplied, the script continues and injects the decrypted gpg stream into a file on DMZ host.

And don't forget to do an rm test-gpg.txt of the decrypted file once the operation that required its contents to be readable has been completed.

So yes, very possible to keep your secret key apart from the publicly accessible host where encryption occurs and your secret key tucked safely away in a host outside of that DMZ. HTH- Terrence Houlahan
