Change key prefs; few questions

David Shaw dshaw at
Sun Jul 3 16:24:15 CEST 2011

On Jul 3, 2011, at 4:37 AM, Chris Poole wrote:

> Thanks.
> There's no way to change the cipher used for encrypting the private key itself (CAST5 I believe)?

It is CAST5 by default, but you can change it.  To change the cipher, you need to set the passphrase since that's when the encryption for the secret key is set.  You can take the opportunity to change the passphrase, or just use the same one as before.

This will set your private key cipher to AES:

   gpg --s2k-cipher-name aes --edit-key (thekey) passwd save

> Also, if I understand correctly, someone trying to brute-force the key would need to guess my passphrase, then pass it through the key stretching algorithm that gpg uses, before trying to decrypt the key. How often does the "work function" defining how long the key stretching process take, get updated? (I can't find an option to make it user configurable.)

It's configurable in the same way that changing the encryption is: you need to do it while changing the password.  Add "--s2k-count XXX" to the above command line and you can set how many iterations are done.  It can range from 1024 to 65011712, and the default is 65536.  Note that not all possible values are legal, and if you pick an illegal value, GnuPG will round it up to the next higher legal value.


More information about the Gnupg-users mailing list