Strength of passphrase encryption

David Shaw dshaw at
Wed Nov 19 17:56:12 CET 2003

On Wed, Nov 19, 2003 at 04:11:18PM -0600, Mike Perry wrote:
> I have a quick question. What algorithm does gpg use to encrypt your
> private keyfile on your disk? Does it have any known classes of weak
> keys? Can it be brute-forced quickly?  Obviously this depends on the
> length of the passphrase, if it's dictionary based, etc. But independent
> of these, is it an easily brute-forced cipher, or a slowly brute-forced
> cipher?

By default, GnuPG uses CAST5 to encrypt the private keyfile on disk.
The encryption key is derived from the passphrase ("string-to-key")
via SHA1 and some salt, and that combination is hashed repeatedly.
This helps foil dictionary attacks.  A SHA1 checksum is used to detect
any modification of the key on disk.

Both CAST5 and SHA1 are considered strong at this time.

Of course, these are the defaults.  The user is free to use any
symmetric cipher, hash, or string-to-key scheme they like, or even
store their secret keys unencrypted, but the defaults are just fine
for most people.  The protections in place are vastly stronger than
the average passphrase, making the passphrase the weak point.


More information about the Gnupg-users mailing list