Question regarding s2k algorithms

David Shaw dshaw at
Mon Nov 17 03:29:59 CET 2008

On Nov 16, 2008, at 9:11 PM, Kevin Hilton wrote:

> Just wondering specifically is the option
> s2k-digest-algo
> Does this option specifically refer to one particular digest algorithm
> or a list of algorithms.  I'm just thinking there may be a problem
> with a few different scenarios if this refers to only one algorithm if
> for example the SHA256 algorithm is used.
> 1. Symmetric Encryption -- Using symmetric encryption to specifically
> password protect a file, the chosen password is salted and hashed with
> the algorithm specificied with the s2k-digest-algo.  I would assume
> however if this file along with the password was distributed, that the
> recipient's gpg version would need to specifcally have to have the
> SHA256 enabled in their build or a problem would result.

Yes.  This is the same issue with picking a symmetric cipher that your  
recipient doesn't have.  When you're encrypting using --symmetric it's  
your responsibility to pick algorithms that your recipient can handle.

> 2. Asymmetric Encrytion -- Am I wrong to assume, but isn't the session
> key salted and hashed in the same manner?  Again, wouldn't the
> recipient need the specific hashes installed.

No.  "S2K" means "String to Key".  There is no string to key  
conversion in the session key.  s2k-digest-algo only applies to your  
local secret protection in this case, so there is no issue with  
asymmetric encryption.

> s2k-cipher-algo
> If you are using a "stock" gpg.conf file, and say for example this
> variable is set to Camellia, or IDEA.  If you use this "stock"
> gpg.conf file with another gpg version that doesn't have these ciphers
> compiled in -- What results?  A default back to CAST5?  What if you
> change this parameter after keys are already stored on the keyring?
> Will this confuse things?

I can't quite parse a question here.  Use the cipher for what?   
Symmetric?  Asymmetric?  You need to state what you're trying to do.   
Be specific.

> And lastly what specifically is the purpose of the -for-your-eyes-only
> flag?  Is this option currently still in use, or only included for
> backwards compatibility purposes.

It tags the data as "for your eyes only", which can be interpreted in  
different ways by different clients.  GnuPG in particular won't  
display it to the screen, but will save it to a file.  Note that this  
feature is more of a "please don't display this file", than a "this  
cannot be displayed".  It's just a hint.


More information about the Gnupg-users mailing list