On Fri, 18 Feb 2022 13:08, Daniel Colquitt said:
> Is the suggestion the gpg does not respect these flags when applying
> symmetric encryption to keys?
gpg does not encrypt private keys. This is done by gpg-agent. The
method how the keys are protected internally are out of scope for
OpenPGP. See gnupg/agent/keyformat.txt for the specification of the
internal format.
However, for allowing gpg to export a private key in the OpenPGP
specified format, gpg-agent applies the encryption. For this S2K mode 3
with AES128 and SHA1 is used. The iteration count is the standard count
as figured out by gpg-agent - unless the gpg-agent option s2k-count is
used. See these gpg-agent options:
--s2k-calibration milliseconds
Change the default calibration time to milliseconds. The given
value is capped at 60 seconds; a value of 0 resets to the
compiled-in default. This option is re-read on a SIGHUP (or gpgconf
--reload gpg-agent) and the S2K count is then re-calibrated.
--s2k-count n
Specify the iteration count used to protect the passphrase. This
option can be used to override the auto-calibration done by default.
The auto-calibration computes a count which requires by default
100ms to mangle a given passphrase. See also --s2k-calibration.
To view the actually used iteration count and the milliseconds
required for an S2K operation use:
gpg-connect-agent 'GETINFO s2k_count' /bye
gpg-connect-agent 'GETINFO s2k_time' /bye
To view the auto-calibrated count use:
gpg-connect-agent 'GETINFO s2k_count_cal' /bye
Remember that the OpenPGP specified protection format has some minor
flaws and it is suggested not to rely on this this protection alone.
Use the standard OpenPGP symmetric encryption layer on top.
Salam-Shalom,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
> Is the suggestion the gpg does not respect these flags when applying
> symmetric encryption to keys?
gpg does not encrypt private keys. This is done by gpg-agent. The
method how the keys are protected internally are out of scope for
OpenPGP. See gnupg/agent/keyformat.txt for the specification of the
internal format.
However, for allowing gpg to export a private key in the OpenPGP
specified format, gpg-agent applies the encryption. For this S2K mode 3
with AES128 and SHA1 is used. The iteration count is the standard count
as figured out by gpg-agent - unless the gpg-agent option s2k-count is
used. See these gpg-agent options:
--s2k-calibration milliseconds
Change the default calibration time to milliseconds. The given
value is capped at 60 seconds; a value of 0 resets to the
compiled-in default. This option is re-read on a SIGHUP (or gpgconf
--reload gpg-agent) and the S2K count is then re-calibrated.
--s2k-count n
Specify the iteration count used to protect the passphrase. This
option can be used to override the auto-calibration done by default.
The auto-calibration computes a count which requires by default
100ms to mangle a given passphrase. See also --s2k-calibration.
To view the actually used iteration count and the milliseconds
required for an S2K operation use:
gpg-connect-agent 'GETINFO s2k_count' /bye
gpg-connect-agent 'GETINFO s2k_time' /bye
To view the auto-calibrated count use:
gpg-connect-agent 'GETINFO s2k_count_cal' /bye
Remember that the OpenPGP specified protection format has some minor
flaws and it is suggested not to rely on this this protection alone.
Use the standard OpenPGP symmetric encryption layer on top.
Salam-Shalom,
Werner
--
Die Gedanken sind frei. Ausnahmen regelt ein Bundesgesetz.
Attached Files:
-
signature.asc (0.22 KB)