How to change the protect cipher algorithm and the digest algorithm of the secret key?

A NiceBoy wangtianjiao.wang959 at gmail.com
Thu Nov 12 15:27:26 CET 2020


Hello Gao,

Your question could be stated more clearly as in this bug report:
https://dev.gnupg.org/T1800


1. The solution is also in this report. Just install gpg version 2.0.x,
which is prior to version 2.1, then run the following command to generate
the key:

> gpg2 --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-mode 3 --s2k-count 65000000 --gen-key

Then export, using the s2k options in case they're needed here instead:

> gpg2 --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-mode 3 --s2k-count 65000000 --export-secret-keys | gpg2 --list-packets

Then you can see the algo changed to AES256 and digest changed to SHA512.


2. To modify the existing key, you still have to install gpg version 2.0.x
first, which is prior to version 2.1, then add the following options to
your gpg.conf:

> #-----------------------------
> # algorithm and ciphers
> #-----------------------------
> # Limits the algorithms used
> personal-cipher-preferences AES256
> personal-digest-preferences SHA512
> default-preference-list SHA512 SHA384 SHA256 RIPEMD160 AES256 TWOFISH BLOWFISH ZLIB BZIP2 ZIP Uncompressed
> cipher-algo AES256
> digest-algo SHA512
> cert-digest-algo SHA512
> compress-algo ZLIB
> disable-cipher-algo 3DES
> #weak-digest SHA1
> s2k-cipher-algo AES256
> s2k-digest-algo SHA512
> s2k-mode 3
> s2k-count 65011712

Then reset the passphrase of the private key, using the above settings,
then export the private key to a file. Here is the output of the
--list-packets command:

> iter+salt S2K, algo: 9, SHA1 protection, hash: 10, salt: 12d208a128163024
> protect count: 65011712 (255)

This idea comes from the links:
https://blog.eleven-labs.com/en/openpgp-almost-perfect-key-pair-part-1 ,
https://security.stackexchange.com/a/90617


3. There is a small tool to use along with the --list-packets command,
called pgpdump, which is available at
https://www.mew.org/~kazu/proj/pgpdump/en/ and provides more details of
the private key file.


Best regards



On Fri, 6 Nov 2020 at 16:27, Gao Xiaohui via Gnupg-users <gnupg-users at gnupg.org> wrote:

> Hello,
> Excuse me. When using "gpg --list-packets [private secret key file]", it
> prints "iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt:
> ****************". How do I change "algo:7" and "hash:2"?
> I searched on Google and found that the "gpg --gen-key" or "gpg --edit-key"
> command with the "--s2k-cipher-algo AES256" and "--s2k-digest-algo SHA512"
> options could change them, but I tested it and it could not change them.
> Please tell me the correct way. Thank you very much.
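
Added example (not part of the original message or of GnuPG): a small Python reader for the `--list-packets` lines quoted in this thread. It maps the numeric `algo` and `hash` IDs to names per RFC 4880 and decodes the one-octet iteration count, which shows why `--s2k-count 65000000` and `65011712` are stored as the same value (255). Function names are hypothetical and the line layout is assumed from the two excerpts quoted here.

```python
import re

# OpenPGP algorithm IDs from RFC 4880 (sections 9.2, 9.4) and RFC 5581.
CIPHERS = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "BLOWFISH", 7: "AES128",
           8: "AES192", 9: "AES256", 10: "TWOFISH", 11: "CAMELLIA128",
           12: "CAMELLIA192", 13: "CAMELLIA256"}
DIGESTS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
           9: "SHA384", 10: "SHA512", 11: "SHA224"}

# Line layout assumed from the two --list-packets excerpts quoted in this thread.
S2K_RE = re.compile(r"(?P<mode>[\w+]+) S2K, algo: (?P<algo>\d+),"
                    r"(?P<check>[^,]*), hash: (?P<hash>\d+)")
COUNT_RE = re.compile(r"protect count: (?P<count>\d+) \((?P<coded>\d+)\)")

def decode_count(coded):
    """RFC 4880 section 3.7.1.3: coded octet -> number of octets hashed."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)

def encode_count(requested):
    """Smallest coded octet whose count is >= requested (255 is the ceiling)."""
    return next((c for c in range(256) if decode_count(c) >= requested), 255)

def parse_s2k(text):
    """Return the secret-key protection settings named in list-packets text."""
    m = S2K_RE.search(text)
    if m is None:
        return None
    info = {"mode": m["mode"], "check": m["check"].strip(),
            "cipher": CIPHERS.get(int(m["algo"]), "unknown"),
            "digest": DIGESTS.get(int(m["hash"]), "unknown")}
    c = COUNT_RE.search(text)
    if c:  # not present in every excerpt (the question omits it)
        info["count"] = int(c["count"])
        info["count_matches_octet"] = decode_count(int(c["coded"])) == info["count"]
    return info

# Sample input: the lines quoted in the question and in the reply above.
BEFORE = "iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: ****************"
AFTER = ("iter+salt S2K, algo: 9, SHA1 protection, hash: 10, salt: 12d208a128163024\n"
         "protect count: 65011712 (255)")

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, parse_s2k(text))
    print("--s2k-count 65000000 is stored as", decode_count(encode_count(65000000)))
```

The `check` field ("SHA1 protection") is reported separately from the S2K digest, so it stays the same in both excerpts even though `hash` changes from 2 to 10.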