GPG --symmetric option and passphrases

David Shaw dshaw at
Mon Oct 6 19:44:40 CEST 2008

On Mon, Oct 06, 2008 at 10:28:21AM -0500, Kevin Hilton wrote:

> Thanks -- very clear explanations.  How long can the passphrase be?  I
> assume it would be truncated at a particular length.  For example if I
> passes a Whirlpool Hash as the passphrase, would the entire 128-digit
> hexadecimal hash be used as the passphrase or would this be rounded?

There is no limit in OpenPGP for a passphrase length, beyond that of
the inherent limit imposed by the hash used for string-to-key
conversion.  So, for SHA-1, the passphrase can be up to 2^64-1 bits,
or just under 2 exabytes.  In practice, however, that's an insane size
for a passphrase (around 457 million DVDs worth if my back of the
envelope scribble is right) and no OpenPGP implementation supports
anything near that.  GnuPG in particular will take whatever you give
it, but it must be able to fit in memory (and secure memory to boot,
on those platforms that support it).  You can probably get a few kb,
but not much more.

Obviously, your 128-digit hash (how are you getting 128 digits out of
Whirlpool anyway?  512 bits / 8 == 64 bytes) is well under the limit
and would work fine, but note that 128 digits is 1024 bits - well over
the largest key size of a symmetric cipher in GPG (256 bits).  You're
not really adding security at that point.  Even if you're using the
Whirlpool text output as the passphrase (which is the only way I can
see getting 128 digits out of Whirlpool), you are putting in 512 bits
of real input, which is still at least twice as large as the symmetric

Be careful you don't shoot yourself in the foot here.


More information about the Gnupg-users mailing list