s2k-count limits

Werner Koch wk at gnupg.org
Thu May 6 16:48:34 CEST 2010

On Thu,  6 May 2010 14:43, matteo.sasso at gmail.com said:

> medium-strength passphrase in symmetric encryption. If gpg implemented
> something like TKS1 (used by LUKS), do you think it would make my use
> case feasible without compromising security?

I don't know TKS1.  There are two established algorithms to transform a
string into a passphrase: PBKDF1 (and 2) and OpenPGP's S2K.

There is no way to replace a key with insufficient entropy by any other
mechanism.  Sure you can do some tradeoff between the time to decrypt
with a known key and to brute-force a key.  After all this is impractial
because public key encryption gives you a more powerful way to do the
same in a secure way.

> maybe it wasn't designed for this purpose, but now the net is full of
> tutorials that show how to encrypt a file using gpg. This shows my use

You should use public key encryption for best security.  Getting
symmetric encryption right is not easy and in almost all use cases more
insecure because you expose the secret key at two places.  In particular
for backup purposes public key encryption is what you want.  The case
for disk encryption is different but I seen no reason why you should use
a symmetric only solution.  A hybrid solution is not worse and gives you
the opportunity to store the secret key on a smartcard.



Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.

More information about the Gnupg-devel mailing list