Editing a key in GnuPG2

Henry Hertz Hobbit hhhobbit at securemecca.net
Tue Aug 27 08:15:11 CEST 2013

On 08/27/2013 01:29 AM, Avi wrote:
> With the recent release of GPG4Win, I decided to try it once again.
> One of the things I like about the shell I use is the ability to use
> the GUI to start more advanced operations like editing keys (for
> cleaning/disabling, etc) and setting prefs for individual keys. The
> bundled GPA does not allow any of those options. Is that intentional
> to prevent people from monkeying around (they have to know the command
> line options to mess around)?
> Also, where are the configuration options controlling the preferred
> cipher used when creating keys, the bzip level, etc. adjusted? I'm
> seeing that GPA does provide a front-end to gpgconf (at least on
> expert mode) but I cannot find those values, whereas in GPG 1.x I
> could simply have a gpg.cof file with entries like:
> s2k-digest-algo SHA512
> s2k-cipher-algo AES
> cert-digest-algo SHA512
> verbose
> compress-level 9
> bzip2-compress-level 9

I cannot help via the method that you are using but from the
command line (yeah, I know, cmd.exe sucks):


c:\> gpg --edit-key YOUR-KEY
Command> set pref H10 S7 Z3
Command> save
(note - you invariably have a pub/sec & sub/ssb key pair
which means you need to change both if you don't like the

You very rarely change the preferences and the desired way is
to make it a property of the key itself since what you are
really doing is telling others what your preferences are.  Others
can NOT see your gpg.conf file.  I believe you want to make some
of these attributes of the keys themselves.  By that I mean if
you want others to use CAMELLIA256 in sending you a PK enciphered
message then you need to tell them up front in the key properties
and put it first if you want it to be your s2k-cipher-algo first
choice.  You do that by changing the attributes of the keys
themselves.  If the key does not have that information the
sending party will probably use the default cipher which at one
time was CAST5 since your public key did not tell them what to

Your pub/sec and sub/ssb keys if you have a key pair both have
separate settings.  You can also have other sub-keys.  But since
I only have a pair I edit both the 2048R/C83946F0 and the
2048R/BDED6C8D and give them the same preference.  That is more
habit than anything else and you can configure each key with
a different set of preferences if that is what you want.  Just
be sure you use the correct key for the setting you are using.
Also remember that these settings are the advice you are giving
others in how you want things.  If you want CAMELLIA128 instead
of AES make it first.  If you don't set it you will get the
default which at one time was CAST5.


SHA512 is fairly large. I used it for a while and dropped back
to SHA256.  It is just something for you to think about.  I
found that while SHA512 posed no burden for me it very likely
will cause problems for others.  Remember that GnuPG encryption
is avaiable for iPhone and iPhones don't have a really powerful

I assume you are using the Power Shell.  I don't think GPG4Win's
developers want your pass-phrase being captured by the Power
Shell's GUI.  The reason I gave my primitive srm program to
only Linux people (I tell Windows people to purchase a good
wipe program that has been around a long time so it doesn't
disappear completely on you):


was because for test after test when I over-wrote the file  on
Windows I  would find that most of it was not over-wrote at all.
It didn't matter whether I used Microsoft's tools or the little
free build system (it is no longer free).   Huge sections of the
file just didn't get over-written at all.  NOW I understand the
US DOD's multiple over-write requirements.  By contrast my srm
'nix version over-writes everything in just one pass but only
on 'nix systems.  I had the same program on Windows and finally
just threw it away and used a Windows wiper program.

But Microsoft has this nasty habit of keeping EVERYTHING.  That
was when I finally did a dd of several megabytes clear back with
W2K onto the start of the drive.  It prevented Microsoft from
SAVING that C:\ partition and building a D:\ system partition.
Now that dd wipes out low level start of disk root-kits when
cleaning is no longer possible.  Do NOT confuse that to mean
the dd erases all disk contents.  It just wipes out any vestige
of malware down in the bowels of the disk and makes an OS
install mandatory.

Windows kesps your last commands / programs started et al in
the registry and in general seems to have two to three backups
of EVERYTHING stashed away.  Just like me setting BASH to have
zero history when using gpg / gpg2 on Linux you don't want
ANYTHING keepng your key's pass-phrase ANYWHERE outside the
key itself other than gpg / gpg2 or the other gpg programs or
libraries (dll files).  Note the difference in my crypt
(symmetric cipher) and pcrypt (PK enciphering) scripts:


I allow for the shell possibility of reading a symmetric cipher
password to be used for all enciphered files (code commented out).
Just make sure you do NOT uses the password "BOGUS" or even
"bogus".  Either that or change the last value of the environment
variable PASSPHRASE to something you will never use.  I used
PASSPHRASE instead of PASSWORD because many programs will use
the PASSWORD environment variable.

I provide NO capability for the bash shell to get the pass-phrase
for the key in pcrypt even with zero history.  The same thing holds
for Windows.  You don't want Power Shell on Windows having your
key's pass-phrase any more than you want bash having it.

PS  I made my comment on the CAMELLIA ciphers AFTER doing some
    symmetric cipers with the crypt script.  They worked just
    fine so why not use the CAMELLIA ciphers if you want to?
    Which is best, CAMELLIA or AES?  I don't know and my first
    choice is TWOFISH.  Any of them are better than nothing.

More information about the Gnupg-users mailing list