How to change the protect cipher algorithm and the digest algorithm of the secret key?

A NiceBoy wangtianjiao.wang959 at gmail.com
Thu Nov 12 15:48:48 CET 2020


Hello Gao,

Your question could be stated more clearly as in this bug report:
https://dev.gnupg.org/T1800


1. The solution is also in this report. Just install gpg version
2.0.x, which is prior to version 2.1, then run the following command to
generate the key:

> gpg2 --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-mode 3 --s2k-count 65000000 --gen-key

Then export, using the s2k options in case they're needed here instead:

> gpg2 --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-mode 3 --s2k-count 65000000 --export-secret-keys | gpg2 --list-packets

Then you can see the algo changed to AES256 and digest changed to SHA512.


2. To modify the existing key, you still have to install gpg version
2.0.x first, which is prior to version 2.1, then add the following
options to your gpg.conf:

> #-----------------------------
> # algorithm and ciphers
> #-----------------------------
> # Limits the algorithms used
> personal-cipher-preferences AES256
> personal-digest-preferences SHA512
> default-preference-list SHA512 SHA384 SHA256 RIPEMD160 AES256 TWOFISH BLOWFISH ZLIB BZIP2 ZIP Uncompressed
> cipher-algo AES256
> digest-algo SHA512
> cert-digest-algo SHA512
> compress-algo ZLIB
> disable-cipher-algo 3DES
> #weak-digest SHA1
> s2k-cipher-algo AES256
> s2k-digest-algo SHA512
> s2k-mode 3
> s2k-count 65011712

Then reset the passphrase of the private key, using the above
settings, then export the private key to a file. Here is the output of
the --list-packets command:

> iter+salt S2K, algo: 9, SHA1 protection, hash: 10, salt: 12d208a128163024
> protect count: 65011712 (255)

This idea comes from these links:
https://blog.eleven-labs.com/en/openpgp-almost-perfect-key-pair-part-1
and https://security.stackexchange.com/a/90617


3. Besides the --list-packets command, there is a small tool called
pgpdump, available at http://www.mew.org/~kazu/proj/pgpdump/en/ ,
which provides more details of the private key file.


Best regards

On Fri, 6 Nov 2020 at 16:27, Gao Xiaohui via Gnupg-users
<gnupg-users at gnupg.org> wrote:
>
> Hello,
> Excuse me, when using "gpg --list-packets [private secret key file]", it prints "iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: ****************". How to change "algo:7" and "hash:2"?
> I searched on Google; it says using the "gpg --gen-key" or "gpg --edit-key" command with the "--s2k-cipher-algo AES256" and "--s2k-digest-algo SHA512" options could change them, but I tested, and it could not change them. Tell me the correct way please. Thank you very much.
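As an added example (not from the thread or from GnuPG itself), a small Python checker that parses the `iter+salt S2K` and `protect count` lines quoted above, maps the numeric IDs to algorithm names using the OpenPGP registry (RFC 4880 section 9), decodes the one-octet count, and flags keys that miss the AES256/SHA512/65011712 target the reply aims for. The two sample dumps are constructed to mirror the before and after listings in the thread; the salt in the first one is made up.

```python
import re

# OpenPGP algorithm IDs (RFC 4880 section 9) as gpg --list-packets prints them
CIPHER_ALGOS = {2: "3DES", 3: "CAST5", 7: "AES128", 8: "AES192", 9: "AES256", 10: "TWOFISH"}
HASH_ALGOS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384", 10: "SHA512"}
# Only "algo:" and "hash:" are the S2K parameters; "SHA1 protection" is the key-material
# checksum mode (s2k usage 254), which the s2k options do not change.
S2K_RE = re.compile(r"iter\+salt S2K, algo: (\d+),.*?hash: (\d+)")
COUNT_RE = re.compile(r"protect count: (\d+) \((\d+)\)")

def decode_s2k_count(octet):
    """Expand the one-octet S2K count (RFC 4880 3.7.1.3) into the iteration count."""
    return (16 + (octet & 15)) << ((octet >> 4) + 6)

def encode_s2k_count(requested):
    """Smallest octet whose decoded count >= requested: this is why --s2k-count 65000000
    is stored and listed as 65011712 (255)."""
    for octet in range(256):
        if decode_s2k_count(octet) >= requested:
            return octet
    return 255  # requests above 65011712 are clamped to the maximum

def check_s2k(listing, want_cipher="AES256", want_hash="SHA512", min_count=65011712):
    """Parse a --list-packets dump and report S2K parameters that miss the policy."""
    s2k = S2K_RE.search(listing)
    if not s2k:
        raise ValueError("no iter+salt S2K line: key unprotected or uses a simple S2K")
    cipher = CIPHER_ALGOS.get(int(s2k.group(1)), f"unknown({s2k.group(1)})")
    digest = HASH_ALGOS.get(int(s2k.group(2)), f"unknown({s2k.group(2)})")
    m = COUNT_RE.search(listing)
    count = int(m.group(1)) if m else 0
    if m and decode_s2k_count(int(m.group(2))) != count:
        raise ValueError("protect count disagrees with its encoded octet")
    findings = []
    if cipher != want_cipher:
        findings.append(f"cipher {cipher}, want {want_cipher}")
    if digest != want_hash:
        findings.append(f"digest {digest}, want {want_hash}")
    if count < min_count:
        findings.append(f"count {count} < {min_count}")
    return {"cipher": cipher, "hash": digest, "count": count, "findings": findings}

# Constructed dumps modelled on the two listings in the thread (first salt made up).
BEFORE = ("iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: 0123456789abcdef\n"
          "protect count: 65536 (96)\n")
AFTER = ("iter+salt S2K, algo: 9, SHA1 protection, hash: 10, salt: 12d208a128163024\n"
         "protect count: 65011712 (255)\n")
```

Feed it the output of `gpg --list-packets` on an exported secret key file; `check_s2k(BEFORE)` returns three findings, `check_s2k(AFTER)` returns none.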
