GPG – How to Specify AES-256 Algorithm When Creating GPG Key

Tags: encryption, gpg, password-store

Pardon me if this is not possible. My goal is to utilise pass. From the conducted research, it appears that the pass command utility will require a GPG key before you can store your sensitive data.

Now, in order to generate a GPG key, one would run the following command:

gpg --full-generate-key

which is a prerequisite to using pass.

From the output, we can see that the options to choose from are as follows:

gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory '/home/user1/.gnupg' created
gpg: keybox '/home/user1/.gnupg/pubring.kbx' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
  (14) Existing key from card
Your selection?

As you can see, you can use RSA or DSA, despite GPG specifying that you can use AES256.

gpg (GnuPG) 2.2.27
libgcrypt 1.8.8
Copyright (C) 2021 Free Software Foundation, Inc.
License GNU GPL-3.0-or-later <https://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: /home/user1/.gnupg
Supported algorithms:
Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

Does that mean it is impossible to secure your passwords in pass using AES256 encryption method?

Best Answer

What you are trying to do is unfortunately not possible.

Note that AES256 is listed under the options for "Cipher", not "Pubkey".

That said, I can understand that you would prefer the higher security level of AES256 over RSA. It seems however that the ECDSA and ED25519 algorithms can provide similar security to AES256.

To enable it in gpg2, you will need to specify the --expert option. When asked "what kind of key you want", choose

(9) ECC and ECC

with either NIST P-256 or Curve25519, respectively. Both curve algorithms provide the same level of security, with ED25519 being a tiny bit faster than ECDSA.
