Changing passphrase parameters (s2k options)

Peter Lebbing peter at
Mon Jan 23 12:22:19 CET 2017

On 23/01/17 11:01, John Lane wrote:
> I've been reading about symmetric encryption of the private key.
> When I tried to experiment with the `--s2k` options, attempting to
> change the passphrase on my key, I found that they were ignored.

GnuPG 2.1 handles the private key in a completely different manner than
earlier versions. I couldn't find any other configurable things than the
s2k-count. Look at the difference between the man page for 2.1.16 and

>        --s2k-cipher-algo name
>               Use name as the cipher algorithm used  to  protect  secret  keys.
>               The default cipher is CAST5. This cipher is also used for conven‐
>               tional encryption if --personal-cipher-preferences and  --cipher-
>               algo is not given.

>        --s2k-cipher-algo name
>               Use  name as the cipher algorithm for symmetric encryption with a
>               passphrase if --personal-cipher-preferences and --cipher-algo are
>               not given.  The default is AES-128.

> A brief
> search identified issue 1800 [1] on the bug tracker which was last
> updated in 2015, some 20 months ago.

It's close to what you're talking about, but not exactly. That is
specifically about *exporting* an OpenPGP secret key, not how it is
*stored* in your keyring. The protection on private-keys-v1.d is
implemented differently than the protection of the OpenPGP standard
which is used for export.



I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at <>

More information about the Gnupg-users mailing list