Asymmetric means that the authentication is checked using a public with its private key where both the keys are different.
Firstly we need to generate PKI pairs (Public/Private Key Pair) - Public key has to be sent to the client location through secure session so using that public key your client will be able to decrypt the data or mail sent to them encrypted with the private key on the server machine.
So for example here I have two RHEL 5 machines. I will be transferring data between server1 to server 2. So we need to generate gpg keys on both the machines.
Still confused?
Well you will be clear by the end of this example which I will show you here:
# gpg --gen-key
gpg (GnuPG) 1.4.5; Copyright (C) 2006 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/secring.gpg' created
gpg: keyring `/root/.gnupg/pubring.gpg' created
Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection? [Hit Enter]
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 1024
Requested keysize is 1024 bits
Please specify how long the key should be valid.
0 = key does not expire
= key expires in n days
w = key expires in n weeks
m = key expires in n months
y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"
Real name: testing
Email address: test@example.com
Comment:
You selected this USER-ID:
"testing <test@example.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.[Hit Enter for blank passphrase]
You don't want a passphrase - this is probably a *bad* idea!
I will do it anyway. You can change your passphrase at any time,
using this program with the option "--edit-key".
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
++++++++++.++++++++++.++++++++++++++++++++++++++++++..++++++++++++++++++++++++++ +++++++++++++++++++.+++++++++++++++++++++++++++++++++++>++++++++++.............. ..............................+++++
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 6F433F3D marked as ultimately trusted
public and secret key created and signed.
gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub 1024D/6F433F3D 2013-01-31
Key fingerprint = 1ED5 CCDA FDC1 BBBA 4A6B 7224 09CA CABC 6F43 3F3D
uid testing <test@example.com>
sub 1024g/BF74F2FB 2013-01-31
You can follow the same step on server 2 for generating the keys. Once you are done with generating keys you can check the finger print using the command I have shown below.
[root@server1]# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub 1024D/6F433F3D 2013-01-31
uid testing <test@example.com>
sub 1024g/BF74F2FB 2013-01-31
On server 2
[root@server2]# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub 1024R/78AC92D1 2013-01-30
uid Deepak Prasad <deepak@example.com>
sub 1024R/2698ECBD 2013-01-30
NOTE: You might get an error while generating gpg keys like
gpg: can't create '/root/.gnupg/random_seed': No such file or directory
- You need a data file to be transferred.
- Encrypt the data file using gpg
- Export the data file so that it can be sent to client location for decrypting purpose
- Change the name of the data file with standard .pub extension.
[root@server1]# echo This is a secret file > test.txt
Now here we will encrypt the file. Here "6F433F3D" is the USERID which has been provided for the key we had generated on server 1 as you can check above followed by the file name.
[root@server1]# gpg -e --armor -r 6F433F3D test.txt
[root@server1]# ls -l
-rw-r--r-- 1 root root 9 Jan 31 16:28 test.txt
-rw-r--r-- 1 root root 571 Jan 31 16:29 test.txt.asc
[root@server1]# cat test.txt.asc
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.5 (GNU/Linux)
hQEOA0yfFJC/dPL7EAP+LBNNlS/OnyO8NDhEViMK3TIVuFjrte0GWIQoWh9eumukXH/ceiIWjXMp3vFpxeU16mFtXFmqy7O90/w7wmYaEprXY5Cg+sg0J6EvXbCBUEQ0VKeWpY+ymkix/iSzboK+V5zhHI94l+ihpg+xs3CsjFH9KAkfADeSCUh/jbkbQPMD/W+lILQ52B8vlO5nV7SoA0M2u7gFp3ODitEDJoVUKKcRnc0ecu0Zp3mDxpqKih/CpPrqUiHRsqOfhIMGkD5pFGpsgWSqiU3WqY8PbjyJk2Kj9jy4OwdO/BRUqd5TUz8
zJWbpdwTw6lRE+z8F/6R4aUK49sz3PuRp076c498LyXc0kwBaxfSyTLEuTOgvLHw
hz040371wx59Xci+wjR1KjdxgcsMqopchZvwCe5usCYoMH7ppW/ggMOczQM/KS29
jnExaebzeAPONIfgke6
=EDpQ
-----END PGP MESSAGE-----
[root@server1]# gpg --export --armor -o server1.asc
Here "server1.asc" is the public key which will be required to decrypt the data file we encrypted.
[root@server1]# less server1.asc
Version: GnuPG v1.4.5 (GNU/Linux)
mQGiBFEKRWURBADN00ldTrjOJ5JsyZZkKyttRI+YR8lIQBqWt6yzh7W3St/hALhUcfo1QIDdNUqGw9LTe+ECVxG4lYAH22penNDCAkefJP77J6RoqTUzMwOLZV417sOhm2MloKa1elWV8Be0nRutSPmDt7chOIPAu0QbMWkhX0QDSJk/D3GmVefYuwCgiclM9DmiF9vUA+RAaRXdmX8oJRcD/jnM0+8G3BjtFZanaVKsfPWNls117KlMOXSXOWLfNL614F/woFzgHfIMxvBiHZBfAPaKjcEmEOrjaFBwuThA+HXZWQdg2NMVQ1XxwIS9m3ZDDlqav0Bc/dgfquqMj9b5TlNcxkRuz0bX9PE4cKDFMFCM1Y+RhSKtgOHJHWRU6r8A/9D3mL3E9aopuq82x5aAPuxve12l4NcaxDW8+qzgxtXsk/gN+DcHaReGrFG0ji4c757e66wuhKDKefosu0OPNbpGrO3QGu4drEmkxGaiaR7YpJcwERP2EpkoKtqYMP91BnXKa46Iew1oKaJrHS4KekfB1iOstIdXfT4qs9MYJxOjLQadGVzdGluZyA8dGVzdEBlc3R1YXRlLmNvbT6IYAQTEQIAIAUCUQpFZQIbAwYLCQgHAwIEFQIIAwQWAgMBAh4BAheAAAoJEAnKyrxvQz89cQUAnApryznbDFgWpe80I6xqIdPTVBLSAJ9Pvnih55RneWQ2elBk0xUSdbq9RrkBDQRRCkVnEAQAzs0MNQp/5kN5Puf4YSJ2igjJdd6Vc8gKiASfVufYEYh8Wg4zT8/HC69zflT8b4SKmE+7MM0k/zk+yJJ72Kb+7tRCPB9EMh54D5RN32243fClkqJZn9kCf0njwfkj2Pq5l4IswFrBUELYzO4hZxX4xSWJ4BcPQH5Cl0AmRwwhGkMAAwUEALyzl7ni4dFZPl+TvIaOnnAvMoj+LJU4de7Li7FVu7UAvtRuWLfaaH5WxFXqmB751pfyMuzoVi0U0xczVOj+eyYk6zxYoWueMklzoWBaD3HVUmD2ffyVNXMoVfvf3bAv1nQ8vZvyz86gMMXSSA4BcuZqoRR9y9gklyBdRIxFKq4BiEkEGBECAAkFAlEKRWcCGwwACgkQCcrKvG9DPz2G5QCfZGsa6LUQ3kGPrLoSz4tS1fVsEgEAn2mcFv/q+uIUU+RR3rc7O5qlwGFk=risQ
-----END PGP PUBLIC KEY BLOCK-----
[root@server1]# mv server1.asc server1.asc.pub
[root@server1]# scp server1.asc.pub server2:/
On server 2
[root@server2]# gpg --export --armor -o server2.asc.pub
[root@server2]# scp server2.asc.pub server1:/
[root@server2]# gpg --import server1.test.asc.pub
gpg: key 6F433F3D: public key "testing <test@example.com>" imported
gpg: Total number processed: 1
gpg: imported: 1
[root@server2]# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub 1024R/78AC92D1 2013-01-30
uid Deepak Prasad <deepak@example.com>
sub 1024R/2698ECBD 2013-01-30
pub 1024D/6F433F3D 2013-01-31
uid testing <test@example.com>
sub 1024g/BF74F2FB 2013-01-31
On server1
[root@server1]# gpg --import server2.asc.pub
[root@server1]# gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub 1024D/6F433F3D 2013-01-31
uid testing <test@example.com>
sub 1024g/BF74F2FB 2013-01-31
pub 1024R/78AC92D1 2013-01-30
uid Deepak Prasad <deepak@example.com>
sub 1024R/2698ECBD 2013-01-30
As you can see both the keys on both server1 and server2. So we can test for the encryption of the data.
Now we need to encrypt the data with the public keys of server2 which was just imported on server1. So that only server2 can decrypt the data file.
[root@server1]# gpg -e -r 78AC92D1 --armor -o test.txt.server2.asc test.txt
gpg: 2698ECBD: There is no assurance this key belongs to the named user
pub 1024R/2698ECBD 2013-01-30 Deepak Prasad <deepak@example.com>
Primary key fingerprint: 1F50 F1FE B6DD 9909 B673 F187 DB55 88DC 78AC 92D1
Subkey fingerprint: 9201 1452 8E80 1050 36C8 F668 AA0D 4697 2698 ECBD
It is NOT certain that the key belongs to the person named
in the user ID. If you *really* know what you are doing,
you may answer the next question with yes.
Use this key anyway? (y/N) y
File `test.txt.server2.asc' exists. Overwrite? (y/N) y
[root@server1] scp test.txt.server2.asc server2:/
[root@server2] # gpg --decrypt test.txt.server2.asc
gpg: encrypted with 1024-bit RSA key, ID 2698ECBD, created 2013-01-30
"Deepak Prasad <deepak@example.com>"
This is a secret file