5

How can I change the default symmetric cipher used by GnuPG from CAST5 to another?

I'm using GPG4Win on Windows, but would also be interested in a solution for Linux.

schroeder
RPK

2 Answers

8

If there is no option in the graphical user interface, edit GnuPG's configuration file instead. In the end, graphical user interfaces for GnuPG do nothing but call the GnuPG command line.

Encrypting to Others

There are two options to set the algorithms used for encrypting to other people: `cipher-algo [algorithm]` and `personal-cipher-preferences [algorithm]`. The latter is preferred, as it both takes the other user's algorithm capabilities and preferences into account and complies with the OpenPGP standard, while `cipher-algo` enforces a given algorithm.

You can look up the available algorithms by running `gpg --version`; on Windows you might have to call `gpg.exe --version` and `cd` to the installation directory first. An example output might include:

```
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
```

To enforce the use of AES256, edit your `gpg.conf` file and add the following line:

```
personal-cipher-preferences AES256
```

Receiving Encrypted Messages

You can also set preferences for which algorithms you want others to choose when they send encrypted messages to you. This might only be available on the command line, but will have an effect no matter what client application the other person is using (but remember: it is only a proposal of your preferences, and not enforced; compare with `cipher-algo` above).

Start the edit menu using `gpg --edit-key [key-id]` (replacing `[key-id]` with your key id, and you might have to use `gpg.exe` again as described above). Inside, you can use `showpref` to list the currently set up preferences, and `setpref` to change them. The user interface for doing so is horrible, and you have to provide a long list of cipher, digest and compression algorithms, while the preferred ones always have to be listed first.

An article on debian-administration.org also describes this procedure, and proposes the following preferences, which seem reasonable:

```
setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
```
Jens Erat
  • The documentation mentions gpg.conf, but this file is not present in the folder – RPK Feb 21 '15 at 14:32
  • 1
    It should be in `%APPDATA%\gnupg` (you can copy that path to the Explorer address bar, it will resolve the environment variable). – Jens Erat Feb 21 '15 at 14:37
  • I found the file. What do I need to insert in that file? – RPK Feb 21 '15 at 14:55
  • 2
    Exactly what I described. If you want to prefer AES with 256 bit, add a line `personal-cipher-preferences AES256` somewhere. – Jens Erat Feb 21 '15 at 18:47
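An added example (not part of the answer above or of GnuPG): a Python check that reads the supported algorithm lists from `gpg --version` output and flags `gpg.conf` lines that name a cipher the build does not list, or that force one with `cipher-algo`. The version output and `gpg.conf` contents are constructed samples, and `supported_algorithms` and `audit_conf` are hypothetical helper names.

```python
import re

# Constructed sample: the algorithm section of `gpg --version` output.
VERSION_OUTPUT = """\
Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
"""

# Constructed sample gpg.conf; "AES-256" is a deliberate misspelling.
GPG_CONF = """\
# prefer strong ciphers
personal-cipher-preferences AES256 AES-256 TWOFISH
cipher-algo AES256
"""

def supported_algorithms(version_output):
    """Map category -> set of names, joining wrapped continuation lines."""
    found, current = {}, None
    for line in version_output.splitlines():
        m = re.match(r"(Pubkey|Cipher|Hash|Compression):\s*(.*)", line)
        if m:
            current, rest = m.group(1), m.group(2)
        elif current and line[:1].isspace():
            rest = line  # indented line continues the previous category
        else:
            current = None
            continue
        names = {n.strip().upper() for n in rest.split(",") if n.strip()}
        found.setdefault(current, set()).update(names)
    return found

def audit_conf(conf_text, ciphers):
    """Return (issue, algorithm) findings for the two cipher options."""
    findings = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        option, *args = line.split()
        if option == "personal-cipher-preferences":
            # Report names missing from the Cipher list (IDs like S9 are not resolved here).
            findings += [("unsupported", a) for a in args if a.upper() not in ciphers]
        elif option == "cipher-algo":
            # This option overrides the recipient's preferences.
            findings += [("forced", a) for a in args]
    return findings
```

To check a real installation, pass the captured text of `gpg --version` and the contents of your own `gpg.conf` instead of the samples.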
2

Updated: For Gpg4win, I see two options:

  • For S/MIME, the GUI has a place to set it (Settings -> Configure Kleopatra -> GnuPG System -> GPG for S/MIME -> Use cipher algorithm)
  • Otherwise, you have to alter the underlying gpg.conf file

@jens-erat has already more knowledgeably described the latter, but I will offer the following inputs based on playing with it myself:

  1. The command line gpg you're going to use is `%INSTALLDIR%\gpg2.exe`; on my system that worked out to `C:\Program Files (x86)\GNU\GnuPG`
  2. You can find out your homedir (where you need to put `gpg.conf`) by running `gpg2 --version` and looking for the line like `Home: C:/Users/gowenfawr/AppData/Roaming/gnupg`

Original (non-GUI) answer:

If you're using the command line gpg, then the `--cipher-algo` argument will allow you to choose your cipher, and you can use `--version` to see which ciphers are available.

(Test shown here on Linux, should be equivalent for Windows)

```
$ gpg --version
gpg (GnuPG) 1.4.16
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
        CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2
$ file test*
test1.txt: ASCII text
test2.txt: ASCII text
$ gpg --cipher-algo TWOFISH -c test1.txt
Enter passphrase:
Repeat passphrase:
$ gpg --cipher-algo AES256 -c test2.txt
Enter passphrase:
Repeat passphrase:
$ file test*
test1.txt:     ASCII text
test1.txt.gpg: GPG symmetrically encrypted data (TWOFISH cipher)
test2.txt:     ASCII text
test2.txt.gpg: GPG symmetrically encrypted data (AES256 cipher)
$
```
gowenfawr