
I want to change some encryption options while using GnuPG to encrypt a file symmetrically.

1) However, for choosing the cipher algorithm, GnuPG has two commands and I don't know which one to use.

Between these two, which one should I use?

--s2k-cipher-algo AES256

--cipher-algo AES256

2) Also for choosing the digest algorithm, there are two options.

Between these two, which one should I use?

--s2k-digest-algo SHA512

--digest-algo SHA512

3) Is there anything wrong with this encryption?

gpg -symmetric --cipher-algo AES256 --digest-algo SHA512 --s2k-mode 3 --s2k-count 65011712 PlainText

Edit: This is not a duplicate question; I can't find any post here on Stack Exchange or anywhere on the net that specifies the difference between --s2k-cipher-algo and --cipher-algo.

forest
COLD Crypto

1 Answer


(1,2) You could use:

gpg2 --s2k-mode 3 --s2k-count 65011712 --s2k-digest-algo SHA512 --s2k-cipher-algo AES256 --symmetric /*file path*

According to The GNU Privacy Guard Manual, p. 71, we use --s2k-cipher-algo name when we want to apply symmetric encryption with a passphrase if --cipher-algo name or --personal-cipher-preferences string have not been set. The default is AES128 for GnuPG 2.1 and higher. The setup above is the strongest one available in the OpenPGP Proposed Standard (RFC 4880).

The result will look like this (but the salt will surely be different):

gpg2 --list-packets /*file path*
gpg: AES256 encrypted data
gpg: encrypted with 1 passphrase
# off=0 ctb=8c tag=3 hlen=2 plen=13
:symkey enc packet: version 4, cipher 9, s2k 3, hash 10
	salt 406974B08EF1428B, count 65011712 (255)

(3)

Yes, there were two errors: one hyphen was left out in front of symmetric. It should be:

--symmetric

Secondly, after --s2k-count 65011712 one should put the path to the file. Those usually look something like this:

/home/me/Documents/myfile

Keep in mind what your goals are. Perhaps you should focus on using a very strong passphrase: long, truly random, using all possible characters.

So, in short, those pairs of commands you listed do the same things, but the s2k specifiers only apply to symmetric encryption with a passphrase (note that s2k specifiers have another function: in the encryption of the secret part of private keys in the private keyring).

Patriot
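The ":symkey enc packet" line that --list-packets prints is the OpenPGP tag 3 packet, and decoding it yourself is a quick way to confirm that a file really was encrypted with the cipher, S2K mode, hash and iteration count you asked for. The following parser is an added example, not code from the original post or from GnuPG; the sample packet bytes are constructed to match the header shown in the answer, and the weak_settings thresholds are my own assumptions.

```python
# Parse the OpenPGP symmetric-key ESK packet (tag 3) that `gpg --list-packets`
# shows as ":symkey enc packet:" and report cipher, S2K mode, hash, salt, count.
# Algorithm ids and the count encoding follow RFC 4880 (sections 9.2, 9.4, 3.7.1.3).
CIPHERS = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "Blowfish",
           7: "AES128", 8: "AES192", 9: "AES256", 10: "Twofish"}
HASHES = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
          9: "SHA384", 10: "SHA512", 11: "SHA224"}
S2K_MODES = {0: "simple", 1: "salted", 3: "iterated+salted"}

def decode_s2k_count(c: int) -> int:
    """RFC 4880 3.7.1.3: one byte encodes the number of bytes hashed (255 -> 65011712)."""
    return (16 + (c & 15)) << ((c >> 4) + 6)

def parse_symkey_esk(data: bytes) -> dict:
    """Parse an old-format tag 3 packet with a one-byte length (ctb 0x8c, hlen 2)."""
    ctb, plen = data[0], data[1]
    if (ctb & 0xC0) != 0x80 or ((ctb >> 2) & 0x0F) != 3 or (ctb & 0x03) != 0:
        raise ValueError("not an old-format tag 3 packet with a 1-byte length")
    body = data[2:2 + plen]
    version, cipher, s2k_mode, hash_id = body[0], body[1], body[2], body[3]
    if version != 4:
        raise ValueError(f"unsupported symkey ESK version {version}")
    info = {"cipher": CIPHERS.get(cipher, f"unknown({cipher})"),
            "s2k": S2K_MODES.get(s2k_mode, f"unknown({s2k_mode})"),
            "hash": HASHES.get(hash_id, f"unknown({hash_id})")}
    pos = 4
    if s2k_mode in (1, 3):              # salted and iterated+salted carry an 8-byte salt
        info["salt"] = body[pos:pos + 8].hex().upper()
        pos += 8
    if s2k_mode == 3:                   # iterated+salted adds the encoded count byte
        info["count"] = decode_s2k_count(body[pos])
        pos += 1
    # Trailing bytes would be an encrypted session key; none means the passphrase-derived
    # key encrypts the data directly, as in the answer's output.
    info["has_session_key"] = pos < len(body)
    return info

def weak_settings(info: dict) -> list:
    """Audit flags (assumed thresholds): anything short of the answer's setup is reported."""
    issues = []
    if info["s2k"] != "iterated+salted":
        issues.append("S2K mode is not iterated+salted")
    if info.get("count", 0) < 65011712:
        issues.append("S2K count below 65011712")
    if info["hash"] in ("MD5", "SHA1", "RIPEMD160"):
        issues.append(f"legacy hash {info['hash']}")
    if info["cipher"] not in ("AES128", "AES192", "AES256", "Twofish"):
        issues.append(f"legacy cipher {info['cipher']}")
    return issues

# Constructed sample matching the answer: ctb=8c plen=13, version 4, cipher 9,
# s2k 3, hash 10, salt 406974B08EF1428B, count byte 255.
SAMPLE = bytes.fromhex("8c0d" "04" "09" "03" "0a" "406974b08ef1428b" "ff")
```

Run parse_symkey_esk on the first bytes of a .gpg file produced with the answer's command and weak_settings should return an empty list; a file made with older defaults (CAST5, SHA1, a low count) will be flagged.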