Re: How to change the protect cipher algorithm and the digest algorithm of the secret key?

2020-11-12 Thread A NiceBoy via Gnupg-users
Hello Gao,

Your question could be stated more clearly as in this bug report:
https://dev.gnupg.org/T1800


1. The solution is also in this report. Just install gpg version
2.0.x, which is prior to version 2.1, then run the following command to
generate the key:

> gpg2 --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-mode 3 --s2k-count 6500 --gen-key

Then export, using the s2k options in case they're needed here instead:

> gpg2 --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-mode 3 --s2k-count 6500 --export-secret-keys | gpg2 --list-packets

Then you can see the algo changed to AES256 and digest changed to SHA512.


2. To modify the existing key, you still have to install gpg version
2.0.x first, which is prior to version 2.1, then add the following
options into your gpg.conf:

> #-
> # algorithm and ciphers
> #-
> # Limits the algorithms used
> personal-cipher-preferences AES256
> personal-digest-preferences SHA512
> default-preference-list SHA512 SHA384 SHA256 RIPEMD160 AES256 TWOFISH BLOWFISH ZLIB BZIP2 ZIP Uncompressed
> cipher-algo AES256
> digest-algo SHA512
> cert-digest-algo SHA512
> compress-algo ZLIB
> disable-cipher-algo 3DES
> #weak-digest SHA1
> s2k-cipher-algo AES256
> s2k-digest-algo SHA512
> s2k-mode 3
> s2k-count 65011712

Then reset the passphrase of the private key, using the above
settings, then export the private key to a file. Here is the output of
the --list-packets command:

> iter+salt S2K, algo: 9, SHA1 protection, hash: 10, salt: 12d208a128163024
> protect count: 65011712 (255)

This idea comes from the links:
https://blog.eleven-labs.com/en/openpgp-almost-perfect-key-pair-part-1
https://security.stackexchange.com/a/90617


3. There is a small tool to use alongside the --list-packets command,
called pgpdump, which is available at
http://www.mew.org/~kazu/proj/pgpdump/en/ , to provide more details of
the private key file.


Best regards

On Fri, 6 Nov 2020 at 16:27, Gao Xiaohui via Gnupg-users wrote:
>
> Hello,
> Excuse me. When using "gpg --list-packets [private secret key file]", it prints
> "iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: ",
> how to change "algo:7" and "hash:2"?
> I searched on Google: using the "gpg --gen-key" or "gpg --edit-key" command
> with "--s2k-cipher-algo AES256" and "--s2k-digest-algo SHA512" options could
> change them, but I tested it, and it could not change them. Please tell me the
> correct way. Thank you very much.
> ___
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
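
Added example, not part of the original messages and not GnuPG code: a small Python reader for the `--list-packets` protection lines quoted in this thread. It maps the `algo:` and `hash:` numbers to their RFC 4880 names and checks that the coded count in parentheses expands to the printed iteration count; the function names and regular expressions are assumptions made for this illustration.

```python
import re

# Algorithm identifiers from RFC 4880, sections 9.2 (ciphers) and 9.4 (hashes).
CIPHERS = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "BLOWFISH",
           7: "AES128", 8: "AES192", 9: "AES256", 10: "TWOFISH"}
DIGESTS = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256",
           9: "SHA384", 10: "SHA512", 11: "SHA224"}

# Patterns for lines of the shape quoted in this thread (an assumption).
S2K_RE = re.compile(r"(simple|salted|iter\+salt) S2K, algo: (\d+),.*?hash: (\d+)")
COUNT_RE = re.compile(r"protect count: (\d+) \((\d+)\)")

# The two outputs quoted in the thread (salt elided in the first, as posted).
BEFORE = 'iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: '
AFTER = ("iter+salt S2K, algo: 9, SHA1 protection, hash: 10, salt: 12d208a128163024\n"
         "protect count: 65011712 (255)")


def decode_count(coded):
    """Expand the one-octet coded iteration count (RFC 4880, section 3.7.1.3)."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def encode_count(wanted):
    """Smallest coded octet whose decoded count is >= wanted, capped at 255."""
    return next((c for c in range(256) if decode_count(c) >= wanted), 255)


def parse_protection(listing):
    """Return the protection parameters found in --list-packets text, or None."""
    s2k = S2K_RE.search(listing)
    if s2k is None:
        return None
    info = {"mode": s2k.group(1),
            "cipher": CIPHERS.get(int(s2k.group(2)), "unknown"),
            "digest": DIGESTS.get(int(s2k.group(3)), "unknown")}
    count = COUNT_RE.search(listing)
    if count:
        shown, coded = int(count.group(1)), int(count.group(2))
        info["count"] = shown
        # The value in parentheses is the coded octet; it must expand to the count.
        info["count_consistent"] = decode_count(coded) == shown
    return info


if __name__ == "__main__":
    print(parse_protection(BEFORE))
    print(parse_protection(AFTER))
    print(encode_count(6500), decode_count(encode_count(6500)))
```

The one-octet encoding cannot represent every count: the smallest representable value at or above 6500 is 6656, and 65011712 (coded 255) is the maximum. The `SHA1 protection` field on the same line describes the integrity check over the secret key material and is separate from the S2K digest reported as `hash:`.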
