GPG --symmetric option and passphrases
David Shaw
dshaw at jabberwocky.com
Mon Oct 6 17:17:55 CEST 2008
On Oct 6, 2008, at 10:54 AM, Kevin Hilton wrote:
> When using gpg with the --symmetric flag (as when symmetrically
> encrypting a file with a passphrase), is the passphrase salted and
> hashed?
Yes. Unless you change that safe default with --s2k-mode.
> If so, how many times is it hashed, and what hashing
> algorithm is used for this process?
By default, it's 65536 iterations. The hash algorithm is SHA-1,
unless you change it with --s2k-digest-algo.
> Is this controlled by some
> parameter in the gpg.conf file or command line flag?
--s2k-count is what you're looking for:
    --s2k-count n
           Specify how many times the passphrase mangling is repeated.
           This value may range between 1024 and 65011712 inclusive, and
           the default is 65536. Note that not all values in the
           1024-65011712 range are legal and if an illegal value is
           selected, GnuPG will round up to the nearest legal value. This
           option is only meaningful if --s2k-mode is 3.
As always, the defaults here are safe. Don't change them unless you
know what you're doing.
David
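
Added example, not part of the original message and not GnuPG's own code: a Python sketch of the iterated and salted string-to-key (S2K type 3, RFC 4880 section 3.7.1.3) that --s2k-mode 3 selects. It shows why only some --s2k-count values are legal (the count is stored as a single coded octet, and in RFC 4880 it counts octets fed to the hash) and how a request is rounded up. The function names and the sample salt and passphrase are constructed for illustration.

```python
import hashlib

S2K_MIN, S2K_MAX = 1024, 65011712  # range quoted in the --s2k-count text


def decode_count(coded: int) -> int:
    """RFC 4880 3.7.1.3: expand the one-octet coded count to an octet count."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def encode_count(requested: int) -> int:
    """Smallest coded octet whose expanded count is >= requested (round up)."""
    if not S2K_MIN <= requested <= S2K_MAX:
        raise ValueError(f"count must be within {S2K_MIN}..{S2K_MAX}")
    return next(c for c in range(256) if decode_count(c) >= requested)


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded: int,
                        key_len: int, digest: str = "sha1") -> bytes:
    """Derive key_len octets from a passphrase (S2K type 3)."""
    if len(salt) != 8:
        raise ValueError("S2K salt is exactly 8 octets")
    unit = salt + passphrase
    # The count is a number of octets fed to the hash, not a number of
    # hash invocations; salt+passphrase is always hashed at least once.
    count = max(decode_count(coded), len(unit))
    full, rest = divmod(count, len(unit))
    key, context = b"", 0
    while len(key) < key_len:
        h = hashlib.new(digest)
        h.update(b"\x00" * context)   # extra contexts are preloaded with zeros
        for _ in range(full):
            h.update(unit)
        h.update(unit[:rest])
        key += h.digest()
        context += 1
    return key[:key_len]


if __name__ == "__main__":
    for n in (1024, 65536, 65537, 1000000, 65011712):
        c = encode_count(n)
        print(f"requested {n:>9} -> coded 0x{c:02x} -> effective {decode_count(c)}")
    salt = bytes(range(8))            # constructed sample salt
    print(s2k_iterated_salted(b"correct horse", salt, encode_count(65536), 16).hex())
```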