8

When creating a secret key with GnuPG, you are asked for a password to protect it. Which encryption algorithm is used to achieve this? The handbook only says that a symmetric encryption algorithm is used.

Jens Erat
  • 23,446
  • 12
  • 72
  • 96
Moritz
  • 183
  • 1
  • 4

3 Answers3

11

GnuPG 2.x has a separate gpg-agent that is the custodian of secret keys and that offers no control whatsoever over the encryption parameters of the secret keys within.

Furthermore, --s2k are accepted but ignored when setting a passphrase or exporting a secret key.

There is an issue on the bug tracker about this and, when followed up on the mailing list, the answer was

No, that is not possible. Right now the agent always uses AES and S2K paremeters which require on the running machine about 100ms for decryption.

So I believe the current situation is that keys are held by the agent as the agent decides is best to meet its speed target on the running machine and there is no way to control it or to export differently. All exports I have tried result in key attributes that you can see like this:

$ gpg --export-secret-key DEADBEEF | gpg --list-packets
iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: ...

This reveals the symmetric-key (algo) and hashing (hash) algorithms in use, as defined in RFC4880. The above shows that algo: 7 is AES with 128-bit key and hash: 2 is SHA-1.

The iter+salt tag is the string-to-key mode that GnuPG uses to convert the passphrase (string) into a key. The default value iter+salt means that a salt is added to the passphrase and that string is hashed multiple times (a technique called key stretching which aims to increase difficulty of brute-forcing passphrases).

So that illustrates how GnuPG encrypts secret keys and highlights the fact that you have no control over it if you're using version 2.x due to its use of the gpg-agent.

Community
  • 1
starfry
  • 291
  • 2
  • 7
  • Using GnuPG 2.0.38 cannot reproduce, I get the output that the guy reporting in issue1800 says he expects. – Law29 Mar 19 '17 at 11:08
  • 2
    Probably because I should have been more specific. The change happened with GnuPG 2.1. It is described on the [what's new page](https://gnupg.org/faq/whats-new-in-2.1.html) in the *Removal of the secret keyring* section. – starfry Mar 19 '17 at 15:53
  • Looks like S2K parameters are still ignored - I changed the password with GnuPG 2.2.27 using the "passwd" command on "gpg --s2k-digest-algo sha256 --edit-key " but the key is still encrypted using SHA-1 hashing. Not a big deal since AES and SHA-1 is still okay to use with key encryption, but GPG should at least warn that these parameters are ignored. – dvo Feb 12 '22 at 09:05
8

Phase 1: Symmetric Key Derivation

First, the passphrase is used to derive a key for symmetric encryption using a string-to-key function. Several settings can be fine-tuned in GnuPG considering this, like the hashing algorithm and the number of repetitions. From the GnuPG manual:

--s2k-digest-algo name

Use name as the digest algorithm used to mangle the passphrases for symmetric encryption. The default is SHA-1.

--s2k-mode n

Selects how passphrases for symmetric encryption are mangled. If n is 0 a plain passphrase (which is in general not recommended) will be used, a 1 adds a salt (which should not be used) to the passphrase and a 3 (the default) iterates the whole process a number of times (see --s2k-count).

--s2k-count n

Specify how many times the passphrases mangling for symmetric encryption is repeated. This value may range between 1024 and 65011712 inclusive. The default is inquired from gpg-agent. Note that not all values in the 1024-65011712 range are legal and if an illegal value is selected, GnuPG will round up to the nearest legal value. This option is only meaningful if --s2k-mode is set to the default of 3.

Phase 2: Symmetric Encryption

Using this symmetric key, the private key is encrypted symmetrically. Also the encryption algorithm can be chosen, while AES-128 is the default in GnuPG.

--s2k-cipher-algo name

Use name as the cipher algorithm for symmetric encryption with a passphrase if --personal-cipher-preferences and --cipher-algo are not given. The default is AES-128.

Supported ciphers can be displayed by running gpg --version, for example:

$ gpg --version
[...]
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256

Unlike public-private-key algorithms (where GnuPG 2.1 added elliptic curves), the supported symmetric algorithms are the same among all somewhat current releases of GnuPG.

All those options can also be set up in ~/.gnupg/gpg.conf, where they're noted without the -- prefix.

Community
  • 1
Jens Erat
  • 23,446
  • 12
  • 72
  • 96
0

According to this article, you can choose which cipher to use for data encryption (which I assume includes key encryption, since it's just a file, right?) from the following list:

Cypher: 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256

EDIT:

After digging around a bit in man pages and on google, you can change the default through a number of settings (see this question for details: How to change default cipher in GnuPG on both Linux and Windows?)

I can't find anything that specifically mentions encryption of private keys, so I would assume that it just uses whatever is set as the default symmetric cipher.

Community
  • 1
Mike Ounsworth
  • 57,707
  • 21
  • 150
  • 207