GPG passphrase vs public key encryption

2

If I have a GPG file that's passphrase protected, with no key, is it still encrypted? (It was hard to google for an answer to that question). A guy on answers.yahoo.com said it's not. So... what's the point of the passphrase? I don't get it.

From what I've read, GPG permits either a passphrase, or a key file, but the two are mutually exclusive right? You can't have both the key file and a passphrase?

Anyway, I read up on this a lot and I can't get a grasp on that. If you can tell me that a passphrase alone provides encryption that's fine, thanks.

Mike

Posted 2016-12-09T19:05:11.247

Reputation: 23

Answers

1

From the GPG man page, under "Commands to select the type of operation":

   --symmetric

   -c     Encrypt  with a symmetric cipher using a passphrase. The default
          symmetric cipher used is CAST5,  but  may  be  chosen  with  the
          --cipher-algo  option.  This  option may be combined with --sign
          (for a signed and symmetrically  encrypted  message),  --encrypt
          (for  a  message  that  may  be  decrypted via a secret key or a
          passphrase), or --sign and --encrypt together (for a signed mes-
          sage that may be decrypted via a secret key or a passphrase).

Yes, encryption with a passphrase is encryption (although usually theoretically not quite as strong since passphrases normally have less entropy than public keys) and in GPG passphrase encryption can be combined with public-key encryption, as well as public-key signature.

As a general rule, information about a program is very often contained in the documentation for that program; that is in fact the reason documentation is created.

dave_thompson_085

Posted 2016-12-09T19:05:11.247

Reputation: 1 962

Thank you - yes, like I said, I tried looking at the docs (for about an hour) - actually I used this:

https://www.gnupg.org/documentation/manuals/gnupg/

Like I said, the needle is probably in that haystack somewhere, and all of the google searches I did focussed on keys and things like programmatic automation, or email, which is one of its biggest uses but that doesn't apply to me.

Anyway, I tried my best to RTFM as a programmer for 18 years, but some things elude google or the needle-in-the-haystack of masses of documentation.

Thanks much, for a definitive answer, thanks.

– Mike – 2016-12-09T21:55:24.133

@Mike: For the part of that manual that is about the gpg program rather than the rest of the suite, the section headings match the gpg man page and the relevant one is 4.1.2 Commands to select the type of operation. Your Q didn't say what doc you looked in, only 'some guy on answers.yahoo' which is not a sufficient citation to verify easily or with any confidence. Cheers. – dave_thompson_085 – 2016-12-12T08:31:00.220

Thanks, nonetheless your pointing out to me that "As a general rule, information about a program is very often contained in the documentation for that program; that is in fact the reason documentation is created." implies that I didn't read any documentation at all, which I had already said I did in the question, and it implies that I don't understand that documentation for a program is made to be read. Cheers. – Mike – 2016-12-12T16:51:14.483
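
What the man page text quoted in the answer means at the file-format level, as an added example that is not part of the original thread: a Python sketch that walks the RFC 4880 packet headers of a binary (non-armored) OpenPGP message and reports whether a passphrase, a secret key, or either one can unlock it. The sample messages are constructed byte strings, not real gpg output, and the function names are this example's own.

```python
# Added example: which credentials can unlock an OpenPGP message (RFC 4880 framing).
CIPHERS = {3: "CAST5", 7: "AES128", 8: "AES192", 9: "AES256"}

# Constructed sample packets (not real gpg output): session-key packets + data stub.
SKESK = "8c0d 04 03 0302 1122334455667788 60"   # tag 3: v4, CAST5, iterated+salted S2K
PKESK = "840e 03 0123456789abcdef 01 0010abcd"  # tag 1: v3, key ID, RSA, one MPI
DATA = "d205 01 deadbeef"                       # tag 18: encrypted data stub
SYM_ONLY = bytes.fromhex(SKESK + DATA)          # shape of: gpg --symmetric
BOTH = bytes.fromhex(PKESK + SKESK + DATA)      # shape of: gpg --symmetric --encrypt

def read_header(buf, pos):
    """Return (tag, body_start, body_len); body_len is None if not a simple length."""
    first = buf[pos]
    if not first & 0x80:
        raise ValueError("not a binary OpenPGP packet (ASCII-armored input?)")
    if first & 0x40:                                  # new-format header
        tag, o1 = first & 0x3F, buf[pos + 1]
        if o1 < 192:
            return tag, pos + 2, o1
        if o1 < 224:
            return tag, pos + 3, ((o1 - 192) << 8) + buf[pos + 2] + 192
        if o1 == 255:
            return tag, pos + 6, int.from_bytes(buf[pos + 2:pos + 6], "big")
        return tag, pos + 2, None                     # partial body length
    tag, ltype = (first >> 2) & 0x0F, first & 0x03    # old-format header
    if ltype == 3:
        return tag, pos + 1, None                     # indeterminate length
    n = 1 << ltype                                    # 1, 2 or 4 length octets
    return tag, pos + 1 + n, int.from_bytes(buf[pos + 1:pos + 1 + n], "big")

def unlock_methods(buf):
    """List the session-key packets that precede the encrypted data packet."""
    methods, pos = [], 0
    while pos < len(buf):
        tag, start, length = read_header(buf, pos)
        if length is None or tag not in (1, 3):
            break             # reached the encrypted data (tag 9/18) or other packet
        body = buf[start:start + length]
        if tag == 3:          # Symmetric-Key ESK: a passphrase unlocks the session key
            methods.append(("passphrase", CIPHERS.get(body[1], f"algo {body[1]}")))
        else:                 # Public-Key ESK: a secret key unlocks the session key
            methods.append(("secret key", body[1:9].hex().upper()))
        pos = start + length
    return methods
```

On a real file, `gpg --list-packets` reports the same packet types; a message with only a tag 3 packet ahead of the data is encrypted and needs nothing but the passphrase.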