How to change the protect cipher algorithm and the digest algorithm of the secret key?

Werner Koch wk at gnupg.org
Fri Nov 13 09:48:40 CET 2020


On Thu, 12 Nov 2020 09:27, A NiceBoy said:

> 1. The solution is also in this report. Just install gpg version 2.0.x,

Don't!

2.0 reached end-of-life 3 years ago - there are no security fixes etc.
You shall not use that version anymore.

> Then you can see the algo changed to AES256 and digest changed to SHA512.

If you want to convey secret keys do not rely on the passphrase
protection of OpenPGP but use a secure transport channel.  Which may be
just a gpg encrypted file.  The problem with the passphrase is that you
need to transport a secure passphrase via another secured medium and in
this case you can also transport the secret key with a "weaker"
passphrase.  Whether you use SHA256 or SHA512 does not matter.  The
iteration count matters more but in any case you can't create better
security from a weak passphrase - the iteration count is a failstop
thing but not a proper cryptographic replacement for a weak passphrase.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are regulated by a federal law.
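
The point about iteration count versus passphrase strength can be put in numbers. The following is an added example, not part of the original message and not GnuPG code: it expands the one-octet coded count of an OpenPGP iterated+salted S2K (RFC 4880, section 3.7.1.3) and estimates brute-force work. The passphrase entropy figures are constructed, and counting hash compression calls as the cost of a guess is a simplifying assumption.

```python
import math

def s2k_octets(c: int) -> int:
    """Octets hashed per passphrase guess for coded count c (RFC 4880 3.7.1.3)."""
    if not 0 <= c <= 255:
        raise ValueError("coded count is a single octet")
    return (16 + (c & 15)) << ((c >> 4) + 6)

def encode_s2k_count(octets: int) -> int:
    """Smallest coded count whose expansion is >= octets (saturates at 255)."""
    for c in range(256):  # the expansion is monotonic in c
        if s2k_octets(c) >= octets:
            return c
    return 255

def attack_bits(entropy_bits: float, c: int, block: int = 64) -> float:
    """log2 of compression calls needed to try every candidate passphrase.

    Assumption: cost of one guess = octets hashed / hash block size
    (block is 64 octets for SHA-256, 128 for SHA-512).
    """
    calls_per_guess = max(1, s2k_octets(c) // block)
    return entropy_bits + math.log2(calls_per_guess)

def stretch_gain_bits(c_low: int, c_high: int) -> float:
    """Extra work, in bits, bought by raising the coded count."""
    return math.log2(s2k_octets(c_high) / s2k_octets(c_low))

if __name__ == "__main__":
    # Constructed entropy estimates, for illustration only.
    weak, strong = 20.0, 80.0
    print("octets hashed at c=0, 96, 255:",
          s2k_octets(0), s2k_octets(96), s2k_octets(255))
    print("most the count can add: %.2f bits" % stretch_gain_bits(0, 255))
    print("weak passphrase, max count, SHA-256:   %.2f bits"
          % attack_bits(weak, 255, 64))
    print("weak passphrase, max count, SHA-512:   %.2f bits"
          % attack_bits(weak, 255, 128))
    print("strong passphrase, min count, SHA-256: %.2f bits"
          % attack_bits(strong, 0, 64))
```

Under this model the whole range of the count is worth about 16 bits, so a 20-bit passphrase at the maximum count stays far below an 80-bit passphrase at the minimum count, and switching the digest moves the result by about one bit.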