Understanding the Purpose of the --s2k-* GnuPG Options
When using the gpg --symmetric --s2k- command in GnuPG, you may have noticed the appearance of several options:
- --s2k-cipher-algo
- --s2k-count
- --s2k-digest-algo
- --s2k-mode
These options have specific purposes and functionalities:
--s2k-mode
The --s2k-mode option sets the mode of operation for password hashing (the string-to-key conversion). There are three modes available:
- 0: Simple (hash applied one time to password)
- 1: Salted (hash applied one time to password+8 byte salt)
- 3: Iterated and salted (hash applied chosen number of times to password+8 byte salt)
--s2k-digest-algo
The --s2k-digest-algo option sets the hash function used for password hashing.
--s2k-count
The --s2k-count option determines the number of rounds the hash function will be applied.
--s2k-cipher-algo
The --s2k-cipher-algo option selects the cipher used to encrypt the plaintext with the key derived from the hashed password.
In GnuPG 1.4.12, the default values for these options are:
- --s2k-mode = 3
- --s2k-digest-algo = SHA1 (also supports MD5, RIPEMD-160 and the SHA-2 family)
- --s2k-count = 65536 (supports values from 1024 to 65011712)
- --s2k-cipher-algo = CAST5 (other supported ciphers: 3DES, Blowfish, AES, Twofish, Camellia)
You can view how your existing keys are encrypted by running the command gpg --list-packets ~/.gnupg/secring.gpg.
However, it's worth noting that every hash algorithm GnuPG supports for S2K can be computed efficiently on GPUs, so iterated hashing alone gives limited protection against passphrase guessing. For enhanced security, it is recommended to use an external implementation of bcrypt or scrypt instead of relying on the --s2k-* options. The output of the external implementation can then be passed to GnuPG as the passphrase, with --s2k-mode set to 0 so that GnuPG applies only a single hash on top of it.
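As an added illustration (not GnuPG's own code), the following Python implements the three S2K modes and the count encoding described above, following RFC 4880 section 3.7.1, plus the external-scrypt approach from the last paragraph; the scrypt parameters and the round-up rule in encode_s2k_count are assumptions of this example.

```python
import hashlib
# Added illustration of the --s2k-mode / --s2k-digest-algo / --s2k-count
# options, following RFC 4880 section 3.7.1. Not GnuPG's own code.

def decode_s2k_count(code: int) -> int:
    """Expand the one-octet count code stored in the packet into a byte count.
    gpg --list-packets prints both, e.g. "count 65536 (96)": 96 is the code."""
    return (16 + (code & 15)) << ((code >> 4) + 6)

def encode_s2k_count(count: int) -> int:
    """Smallest code expanding to at least `count` (1024..65011712); rounding up is assumed."""
    for code in range(256):
        if decode_s2k_count(code) >= count:
            return code
    raise ValueError("count above 65011712 cannot be encoded")

def s2k(passphrase: bytes, key_len: int, mode: int = 3, digest: str = "sha1",
        salt: bytes = b"", count: int = 65536) -> bytes:
    """Derive a key_len-byte cipher key: mode 0 hashes the passphrase, mode 1
    hashes salt||passphrase, mode 3 hashes `count` octets of salt||passphrase
    repeated (never fewer than one full copy)."""
    if mode == 0:
        salted = passphrase
    elif mode in (1, 3):
        if len(salt) != 8:
            raise ValueError("modes 1 and 3 need an 8-byte salt")
        salted = salt + passphrase
    else:
        raise ValueError("unsupported S2K mode %d" % mode)
    total = max(count, len(salted)) if mode == 3 else len(salted)
    out, ctx = b"", 0
    # A key longer than one digest uses extra hash contexts; context i is
    # preloaded with i zero octets and the digests are concatenated.
    while len(out) < key_len:
        h = hashlib.new(digest)
        h.update(b"\x00" * ctx)
        remaining = total
        while remaining > 0:  # stream the repeated input instead of buffering it
            chunk = salted[:remaining]
            h.update(chunk)
            remaining -= len(chunk)
        out += h.digest()
        ctx += 1
    return out[:key_len]

def prestretched_passphrase(passphrase: bytes, salt: bytes) -> str:
    """The alternative described above: run scrypt outside GnuPG and pass the
    hex output to gpg as the passphrase with --s2k-mode 0 (parameters assumed)."""
    return hashlib.scrypt(passphrase, salt=salt, n=2**14, r=8, p=1, dklen=32).hex()
```

With the defaults listed above (mode 3, SHA1, count 65536), s2k(passphrase, 16, salt=salt) yields the 128-bit CAST5 key GnuPG would derive for the same salt.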