User experience of --hidden-recipient encryption

Peter Lebbing peter at
Sat Jan 30 13:36:45 CET 2016

On 29/01/16 19:32, Bjarni Runar Einarsson wrote:
> If the user only has one public/private key pair, I assume the
> experience isn't too bad, GnuPG will just make a guess. But if
> the user has multiple keys, do they have to enter the passphrase
> for each in succession, as gpg tries to guess how to decrypt?

AFAIK, yes.

> How does this work in practice? Is --hidden-recipient a decent
> user experience for the recipient?

I think separate copies for BCC recipients is a much better user
experience. Yes, you have to send more copies, but in many environments,
that isn't relevant at all. Only when you pay per kilobyte on a mobile
connection or when you have large attachments would this actually incur
any significant penalty on the sender side, I think.

Also, some mail servers actually identify and aggregate identical
e-mails or attachments of their users. I suppose if you're in a
corporate environment with a lot of internal mail with large encrypted
attachments and hidden recipients, you would need more storage on your
mail server because each hidden recipient gets a different mail. This is
just something that occurred to me, it doesn't seem to outweigh the
advantages of separate copies.

> Also, if I go with a), does that leak the fact that there were
> hidden recipients? Does it leak how many?

I'd say yes and yes. Every recipient has their own Public Key Encrypted
Session Key (PKESK) packet with the (shared) session key encrypted to
their key. The only difference between a regular recipient and a hidden
one is that the regular ones identify which key the packet is meant for,
whereas each hidden recipient has a packet without that identification.
So the number of PKESK packets without identification is equal to the
number of hidden recipients. It leaks that there were and how many there
were, just like you can identify all non-hidden recipients by the
remaining PKESK packets.



I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>
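
The PKESK counting described in the reply above, as an added example that is not part of the original post and is not GnuPG code: it walks the leading packets of a binary (non-armored) OpenPGP message and reports the named key IDs and the number of hidden recipients, which an all-zero key ID marks. The function names and the sample bytes are constructed for illustration, and only version 3 PKESK packets are read.

```python
HIDDEN_KEY_ID = bytes(8)  # all-zero key ID = hidden recipient (RFC 4880, sec. 5.1)

def tag_of(hdr):
    """Packet tag from a header octet (new format if bit 6 is set)."""
    return hdr & 0x3F if hdr & 0x40 else (hdr >> 2) & 0x0F

def read_packet(buf, pos):
    """Return (body, next_pos) for the definite-length packet at buf[pos]."""
    hdr, pos = buf[pos], pos + 1
    if hdr & 0x40:                                   # new-format length
        first = buf[pos]
        if first < 192:
            length, pos = first, pos + 1
        elif first < 224:
            length, pos = ((first - 192) << 8) + buf[pos + 1] + 192, pos + 2
        elif first == 255:
            length, pos = int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5
        else:
            raise ValueError("partial body length in a session key packet")
    else:                                            # old-format length
        n = 1 << (hdr & 0x03)
        if n == 8:
            raise ValueError("indeterminate length in a session key packet")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated packet")
    return buf[pos:pos + length], pos + length

def recipients(message):
    """Return (named key IDs, hidden count) from the leading PKESK packets."""
    ids, pos = [], 0
    # Session key packets (tag 1 PKESK, tag 3 SKESK) precede the encrypted data.
    while (pos < len(message) and message[pos] & 0x80
           and tag_of(message[pos]) in (1, 3)):
        tag = tag_of(message[pos])
        body, pos = read_packet(message, pos)
        if tag == 1 and len(body) >= 9 and body[0] == 3:  # v3 PKESK only
            ids.append(body[1:9])
    named = [k.hex().upper() for k in ids if k != HIDDEN_KEY_ID]
    return named, len(ids) - len(named)

def _pkesk(key_id, old_format=False):
    """Constructed v3 PKESK: version, key ID, RSA (1), dummy one-byte MPI."""
    body = b"\x03" + key_id + b"\x01" + b"\x00\x08\xff"
    return bytes([0x84 if old_format else 0xC1, len(body)]) + body

# Constructed sample: one named and two hidden recipients, then the start of
# an encrypted data packet (tag 18, partial length), which is never parsed.
SAMPLE = (_pkesk(bytes.fromhex("1122334455667788")) + _pkesk(bytes(8), True)
          + _pkesk(bytes(8)) + b"\xd2\xe0\x00")

print(recipients(SAMPLE))  # (['1122334455667788'], 2)
```

No private key is needed for this count, since the packet headers and key ID fields sit outside the encrypted data.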
