any way to use gpg(openpgp) with Argon2

Christoph Anton Mitterer calestyo at
Tue Jun 19 14:20:36 CEST 2018


I've had posted the email below to gnupg-users already but nobody
seemed to have a clue.

Is there any way to reasonably use a more secure passphrase hashing
algo (e.g. Argon2) with gnupg?

I'd guess it's not useful to just use argon2's output as passphrase as
then the "normal" hashing (as controlled by the s2k* options) would
still be the "weakest" link in the chain.

Or is there any integration of argon2 planned into the standard (and
this going to happen in a forseeable time)?


On Thu, 2018-06-07 at 14:50 +0200, Christoph Anton Mitterer wrote:
> Hey.
> I have the following scenario:
> I'd like to archive private data to e.g. some cloud storage for
> backup
> reasons.
> Basically I'd see two ways to move on from here:
> 1) Put the data in on or more disk images which are encrypted with
> dm-
> crypt/LUKS (e.g. using aes-xts-plain64)
> 2) Put the data in one or more tar or dar archive files, which I
> think
> is a bit more flexible.
> With (2) I'd guess gnupg would be the tool of choice (or is there
> anything else well-maintained?) and using e.g. AES256 should provide
> adequate security.
> In both cases, I'd want to put the actual key alongside the archive
> (i.e. also backing it up the the remote storage, as I'd be screwed it
> I
> loose the key when I just store it locally).
> For both (LUKS/OpenPGP), the actual symmetric key is anyway alongside
> the image/archive encrypted by some passphrase (respectively the
> pubkey, in case of asymmetric encryption with gpg).
> Now here's the question/problem:
> - LUKS/cryptsetup, at least in it's more recent version already
> support
> Argon2 and even for the older version there was a noticeable effect
> when increasing the hashing iterations (like taking several minutes
> for
> cryptsetup to actually "open" the device).
> For gpg there is --s2k-* especially --s2k-count, but even when
> setting
> this to the max value of 65011712... passphrase hashing seems super
> fast.
> I'd be totally happy if a single passphrase try (for an attacker)
> takes
> like 10 minutes (just to be on the safe side)... but that doesn't
> seem
> possible with OpenPGP/gpg right now?
> What would you guys suggest in my scenario?
> Is there a way to chain Argon2 with current gpg versions (not having
> to
> wait until this gets integrated in a new RFC in some future)?
> Thanks,
> Chris.

More information about the Gnupg-devel mailing list