How to change the protect cipher algorithm and the digest algorithm of the secret key?

A NiceBoy wangtianjiao.wang959 at
Thu Nov 12 15:27:26 CET 2020

Hello Gao,

Your question could be stated more clearly as in this bug report:

1. The solution is also in this report. Just install gpg version 2.0.x,
which prior to version 2.1, then run the following command to generate the

> gpg2 --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-mode 3
--s2k-count 65000000 --gen-key

Then export, using the s2k options in case they're needed here instead:

> gpg2 --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-mode 3
--s2k-count 65000000 --export-secret-keys | gpg2 --list-packets

Then you can see the algo changed to AES256 and digest changed to SHA512.

2. To modify the existing key, you still have to install gpg version 2.0.x
first, which prior to version 2.1, then add the following options into your

> #-----------------------------
> # algorithm and ciphers
> #-----------------------------
> # Limits the algorithms used
> personal-cipher-preferences AES256
> personal-digest-preferences SHA512
> default-preference-list SHA512 SHA384 SHA256 RIPEMD160 AES256 TWOFISH
> cipher-algo AES256
> digest-algo SHA512
> cert-digest-algo SHA512
> compress-algo ZLIB
> disable-cipher-algo 3DES
> #weak-digest SHA1
> s2k-cipher-algo AES256
> s2k-digest-algo SHA512
> s2k-mode 3
> s2k-count 65011712

Then reset the passphrase of the private key, using the above settings,
then export the private key to file. Here is the output of command of
--list-packets :

> iter+salt S2K, algo: 9, SHA1 protection, hash: 10, salt: 12d208a128163024
> protect count: 65011712 (255)

This idea comes from the links: ,

3. There is a small tool along with the command of --list-packets, called
pgpdump which is available at ,
to provide more details of the private key file.

Best regards

On Fri, 6 Nov 2020 at 16:27, Gao Xiaohui via Gnupg-users <
gnupg-users at> wrote:

> Hello,
> Excuse me,When using "gpg --list-packets [private secret key file]",it
> print "iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt:
> ****************", how to change "algo:7" and "hash:2"?
> I searched on Google, it use the "gpg --gen-key" or "gpg --edit-key"
> command with "--s2k-cipher-algo AES256" and "--s2k-digest-algo SHA512"
> options could change them, but I tested,It could not change them. Tell me
>  the correct way please.Thank you very much.
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Gnupg-users mailing list