better passphrase hashing with gnupg?

Christoph Anton Mitterer calestyo at scientia.net
Thu Jun 7 14:50:43 CEST 2018


Hey.


I have the following scenario:


I'd like to archive private data to e.g. some cloud storage for backup
reasons.

Basically I'd see two ways to move on from here:
1) Put the data in one or more disk images which are encrypted with
dm-crypt/LUKS (e.g. using aes-xts-plain64)

2) Put the data in one or more tar or dar archive files, which I think
is a bit more flexible.
With (2) I'd guess gnupg would be the tool of choice (or is there
anything else well-maintained?) and using e.g. AES256 should provide
adequate security.


In both cases, I'd want to put the actual key alongside the archive
(i.e. also backing it up to the remote storage, as I'd be screwed if I
lose the key when I just store it locally).
For both (LUKS/OpenPGP), the actual symmetric key is anyway alongside
the image/archive encrypted by some passphrase (respectively the
pubkey, in case of asymmetric encryption with gpg).




Now here's the question/problem:
- LUKS/cryptsetup, at least in its more recent version, already supports
Argon2 and even for the older version there was a noticeable effect
when increasing the hashing iterations (like taking several minutes for
cryptsetup to actually "open" the device).
For gpg there is --s2k-* especially --s2k-count, but even when setting
this to the max value of 65011712... passphrase hashing seems super
fast.

I'd be totally happy if a single passphrase try (for an attacker) takes
like 10 minutes (just to be on the safe side)... but that doesn't seem
possible with OpenPGP/gpg right now?


What would you guys suggest in my scenario?

Is there a way to chain Argon2 with current gpg versions (not having to
wait until this gets integrated in a new RFC in some future)?


Thanks,
Chris.
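
Added example, not part of the original post: in the iterated and salted S2K of RFC 4880 (section 3.7.1.3), the value 65011712 is the number of octets fed to the hash, not a number of hash iterations, so one guess costs a single pass over roughly 62 MiB of input. The sketch below decodes the coded count and times one guess; the SHA-256 default, the salt and the passphrase are constructed assumptions.

```python
import hashlib
import time

def decode_count(c: int) -> int:
    """RFC 4880 3.7.1.3: one coded octet -> number of octets fed to the hash."""
    return (16 + (c & 15)) << ((c >> 4) + 6)

def encode_count(octets: int) -> int:
    """Smallest coded octet whose decoded count is >= octets (capped at 255)."""
    return next((c for c in range(256) if decode_count(c) >= octets), 255)

def _feed(h, unit: bytes, count: int) -> None:
    """Hash the first `count` octets of `unit` repeated, in ~64 KiB pieces."""
    block = unit * max(1, 65536 // len(unit))
    full, rest = divmod(count, len(block))
    for _ in range(full):
        h.update(block)
    h.update(block[:rest])

def s2k_iterated_salted(passphrase: bytes, salt: bytes, c: int,
                        key_len: int, hash_name: str = "sha256") -> bytes:
    """Iterated and salted S2K (specifier type 3) from RFC 4880."""
    if len(salt) != 8:
        raise ValueError("the S2K salt is exactly 8 octets")
    unit = salt + passphrase
    # salt+passphrase is always hashed at least once in full
    count = max(decode_count(c), len(unit))
    key, n = b"", 0
    while len(key) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * n)  # n-th hash context is preloaded with n zero octets
        _feed(h, unit, count)
        key += h.digest()
        n += 1
    return key[:key_len]

def seconds_per_guess(c: int, hash_name: str = "sha256") -> float:
    """Wall-clock cost of one passphrase guess at coded count c."""
    start = time.perf_counter()
    # constructed passphrase and salt, for timing only
    s2k_iterated_salted(b"constructed passphrase", b"\x01" * 8, c, 32, hash_name)
    return time.perf_counter() - start

if __name__ == "__main__":
    for c in (96, 255):
        print(f"coded {c}: {decode_count(c)} octets, "
              f"{seconds_per_guess(c):.3f} s per guess")
```

The work is linear in the count and needs no significant memory, which is the difference from Argon2 that the post observes.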


