6

The default format in which SSH private keys are stored is notably fairly insecure against bruteforce attacks. This question provides a very nice solution to the problem by encrypting SSH private keys in the PKCS#8 format with 1m rounds of PBKDF2 to make computing passwords really expensive, computationally speaking.

How are PGP/GPG private keys stored? Are they computationally cheap to brute-force or do they fare a bit better than the default format used by OpenSSH? If they're cheap to brute-force, are there ways of improving the security on them?

Naftuli Kay
  • 6,745
  • 9
  • 47
  • 76

1 Answers1

9

The OpenPGP standard includes format for encoding private keys as sequences of bytes, and for symmetrically encrypting sequences of bytes with a password-derived key. While any PGP implementation is free to store private keys in any way that it sees fit, most (if not all) will use the OpenPGP formats.

The critical point in password-based encryption is how the password is derived into a key. This is all the password hashing theory: the derivation process shall be made slow (e.g. with a configurable number of iterations) and should use a variation parameter called a salt. OpenPGP includes a "decent" password-based key derivation, called Iterated and Salted S2K. If you take care to specify a high enough count (that is, as high as is tolerable on your machine), then you can get good security. With the GnuPG implementation of OpenPGP, the iteration count is specified with the --s2k-count command-line option.

Of course, the primary defence against brute force on a password is to choose a strong password, that is a password with a lot of randomness in it. Iterations and salts are just methods to cope with the not-so-strong passwords that erupt within the tangled mess of human neurons.

Thomas Pornin
  • 322,884
  • 58
  • 787
  • 955