how to create a symmetric cipher

Jeffrey F. Bloss jbloss at
Wed Nov 15 19:49:15 CET 2006

Wei Wu [H] wrote:

> Yes. That's what I need.

If you're just trying to eliminate pass phrases and set up a key file
only scenario, why not simply create a key pair with a null or "zero
length" pass phrase? Keep those keys on your removable device, and use a
script/batch that calls GnuPG with the appropriate keyring switches
or .conf file options so it sees only those keys, only when they're

This would in effect eliminate asymmetric encryption, which I believe
GnuPG really only uses to encrypt a symmetric session key. In reality
you'd still be using both key files and asymmetric encryption I'd
think, but it would appear as though you were merely using a simple key
file encryption because you wouldn't have to enter a pass phrase, and
the only actual security would come from the session key encryption.

> Thanks,
> WW
> -----Original Message-----
> From: Sven Radde [mailto:sven at] 
> Sent: Wednesday, November 15, 2006 12:46 AM
> To: Wei Wu [H]
> Cc: gnupg-users at
> Subject: Re: how to create a symmetric cipher
> Hello!
> Wei Wu [H] schrieb:
> > The data to be protected resides on a fixed harddisk in a Windows
> computer.
> > I have a tool on Windows platform that does encryption using either
> > a passphrase or a key file. Use of a key file is recommended as it
> > is more secure (assuming passphrases can be cracked relatively
> > easily). The key
> file
> > is expected to be stored separately in a removable disk. So I need
> > a tool
> to
> > create a key. 
> >
> > I checked a few key tools such as java keytool and gpg, but their
> > genkey option does not support the generation of a symmetric
> > key/cipher.
> No offense intended, but you are confusing the involved concepts quite
> heavily.
> What you need for your tool is merely a file filled with random data.
> This "key" is totally different from what gnupg, java keytool, openssl
> etc. use as keys for their sophisticated protocols.
> However, gnupg offers to generate some random bytes using the
> --gen-random command, which is probably what you need:
> --gen-random /0|1|2/ [/count/]
>     Emit COUNT random bytes of the given quality level. If count is
> not given or zero, an endless sequence of random bytes will be
> emitted. PLEASE, don't use this command unless you know what you are
> doing, it may remove precious entropy from the system!
> So you would need to issue something like "gpg --gen-random 2 32 >
> file.key" to generate a 32 Bytes (=256 Bit) file full with random data
> to be used as a key by your other tool.
> Note that I do not have an idea whether "0" or "2" is the highest
> "quality" level for the random data. Probably others can clarify, but
> I assume that 2 is highest quality.
> HTH,
>   Sven Radde
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at

Hand crafted on 15 November, 2006 at 13:02:13 EST using
only the finest domestic and imported ASCII.

A long-forgotten loved one will appear soon.

Buy the negatives at any price.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 892 bytes
Desc: not available
Url : /pipermail/attachments/20061115/739341d0/signature.pgp

More information about the Gnupg-users mailing list