Weak encryption keys

jsmith9810 at gmx.com
Mon Mar 22 17:43:08 CET 2021

Hello all,

I have a private key protected by the Blowfish cipher that, despite a random salt and several rounds of RIPEMD160 iterations, is still considered "weak" by GnuPG, and it refuses to do anything with it. When I try to import this key manually (--import), gpg throws a "weak encryption key" error and refuses to import it. ...which I find ironic, because it has no problem importing unprotected plain-text keys. Also, it's worth pointing out that GnuPG applies its default protection scheme to the private keys imported this way regardless of what encryption these keys used earlier - which means that the issue it's complaining about will actually be resolved simply by importing this key.

I still managed to force this key into GnuPG's private key store through the secring.gpg migration route which preserves the key in its openpgp-native format, but now gpg refuses any operation involving this private key - sign, encrypt, etc. It won't even let me change the password - which would actually make this issue go away. I tested with GnuPG 1.4.23 as well and it does not have a problem either importing or using this key.

I am not looking for a solution, as I can easily work around this problem by changing the password using GnuPG 1.x prior to importing this key in GnuPG 2.x, but should this be logged as a product defect? This doesn't look like a reasonable way to deal with these so-called "weak" encryption keys when importing these keys would actually address the issue at hand.
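As an added example, not code from the post or from GnuPG: a small parser for the string-to-key (S2K) protection fields of an OpenPGP secret-key packet (RFC 4880 sections 3.7 and 5.5.3), run over a constructed field sequence matching the protection the post describes (Blowfish, salted and iterated RIPEMD-160). It shows which cipher, hash and iteration count a key actually carries, which is what you want to know before deciding to re-encrypt it under GnuPG 1.x as the post does.

```python
# OpenPGP algorithm ids (RFC 4880 sections 9.2 and 9.4)
CIPHERS = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "Blowfish",
           7: "AES-128", 8: "AES-192", 9: "AES-256", 10: "Twofish"}
HASHES = {1: "MD5", 2: "SHA-1", 3: "RIPEMD-160", 8: "SHA-256",
          9: "SHA-384", 10: "SHA-512", 11: "SHA-224"}


def s2k_count(octet: int) -> int:
    """Decode the coded iteration-count octet (RFC 4880 section 3.7.1.3)."""
    return (16 + (octet & 15)) << ((octet >> 4) + 6)


def parse_protection(data: bytes) -> dict:
    """Parse the protection fields that follow the public key material in a
    secret-key packet: S2K usage octet, cipher id and the S2K specifier."""
    usage = data[0]
    if usage == 0:
        return {"protected": False}          # secret material stored in the clear
    if usage not in (254, 255):
        # Legacy form: the usage octet is itself the cipher id, with MD5 S2K
        # and no specifier following it.
        return {"protected": True, "legacy": True,
                "cipher": CIPHERS.get(usage, f"unknown({usage})")}
    cipher, s2k_type, hash_id = data[1], data[2], data[3]
    info = {
        "protected": True, "legacy": False,
        "cipher": CIPHERS.get(cipher, f"unknown({cipher})"),
        "hash": HASHES.get(hash_id, f"unknown({hash_id})"),
        "s2k_type": {0: "simple", 1: "salted", 3: "iterated+salted"}.get(s2k_type, "unknown"),
        "checksum": "SHA-1" if usage == 254 else "two-octet",
    }
    pos = 4
    if s2k_type in (1, 3):
        info["salt"] = data[pos:pos + 8].hex()
        pos += 8
    if s2k_type == 3:
        info["iterations"] = s2k_count(data[pos])
    return info


# Constructed sample (not a real key): usage 254 = encrypted with SHA-1
# checksum, cipher 4 = Blowfish, S2K type 3 = iterated+salted, hash 3 =
# RIPEMD-160, an 8-byte salt, then the coded count octet 0x60.
SAMPLE = bytes([254, 4, 3, 3]) + bytes(range(8)) + bytes([0x60])

if __name__ == "__main__":
    for k, v in parse_protection(SAMPLE).items():
        print(f"{k}: {v}")
```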
