Patch add support for different algorithms in the agent private key storage

Kyle Butt kylebutt at
Wed Feb 20 18:20:39 CET 2013

On Wed, Feb 20, 2013 at 6:46 AM, Werner Koch <wk at> wrote:
> On Wed, 20 Feb 2013 04:30, kylebutt at said:
>> There's probably more to done for this to be complete, but I'd like to
>> get thoughts before I go too much further. I've tested with a new key
>> and it works. Info about writing an automated test would be useful.
> I am not keen to add the complexity by adding new vanity ciphers.  If we
> would start with this we would rightfully receive requests to add yet
> another cipher for use in country X.  There is a reason why gpg-agent
> only uses one cipher.  Right, it could be argued that AES-256 is a
> stronger variant of AES but AES 128 is still sufficient for our
> purposes.  There are many possible attacks on the passphrase and AES-128
> is for sure not the weakest point.

In general, yes. but not always. There are people with passphrases that long.
I have a passphrase that long, and had changed my previous gpg settings to
use AES-256. It's a minor regression to not be able to use a 256 bit cipher to
protect keys.

I think these 2 and no more is an acceptable position.

I wrote the patch with the idea of making it general. If gpg will only
ever support
AES and AES256, there are some simplifications I can make (like removing
smatchesprefix and putting the openpgp-sha1-s2k3- in the cipher name,
assuming everything is CBC, etc).

More information about the Gnupg-devel mailing list