updprefs command and changing key

David Shaw dshaw at jabberwocky.com
Sat Mar 13 13:58:40 CET 2010

On Mar 13, 2010, at 5:55 AM, John Clizbe wrote:

> MFPA wrote:
>> On Saturday 13 March 2010 at 12:07:08 AM, in
>> <mid:DE002B15-FA18-49A1-B7B0-5AFAAF829339 at jabberwocky.com>, David Shaw
>> wrote:
>>> On Mar 12, 2010, at 6:31 PM, Faramir wrote:
>>>> is there a way to disable the usage of 3DES in GnuPG, when
>>>> encrypting?
>>> Patch the source :)
>>> There is no way other than that.
>> Wouldn't "--disable-cipher-algo 3DES" achieve this?
> "Google Is Your Friend®"
>    http://www.google.com/search?&q=disable-cipher-algo+3des
> http://lists.gnupg.org/pipermail/gnupg-devel/2009-May/025042.html
> "One" is, of course, free to shoot oneself in the foot. There is little rational
> rationale for disabling 3DES.

It won't work anyway.  You can't remove 3DES from the cipher preferences with disable-cipher-algo.  The best you can do is set a personal-cipher-preferences with ciphers other than 3DES and then simply decline to communicate at all with people who have a 3DES-only key.  To make matters worse, not only does it not work in preventing 3DES being selected via preferences, disable-cipher-algo also has the unpleasant side effect of making the user unable to *decrypt* 3DES messages as well.

So setting disable-cipher-algo 3DES both doesn't accomplish what it was intended to, and also breaks other things.  I'd avoid it ;)

There will eventually come a day when 3DES will have to go.  We're not there yet, and it'll be a big deal from the OpenPGP perspective, given the special position that 3DES has within the protocol.


More information about the Gnupg-users mailing list