How secure is any data encrypted using the following command:

gpg -o *encrypted_output_file_name* --symmetric --cipher-algo AES256 *file_to_be_encrypted*

Can anyone depend on this to encrypt and archive personal content in a public store?

Please provide details as to which attacks it is vulnerable to, and describe better encryption alternatives if any exist.

Patriot
Arjun

1 Answer

GPG's AES-256 symmetric encryption is believed to be as secure as it is difficult to

  • guess the passphrase
  • or compromise the machine used to perform encryption and decryption.

Guessing the passphrase should be harder if one uses

gpg --s2k-mode 3 --s2k-count 65011712 --s2k-digest-algo SHA512 --s2k-cipher-algo AES256

or equivalently puts in the gpg.conf file:

s2k-mode 3
s2k-count 65011712
s2k-digest-algo SHA512
s2k-cipher-algo AES256

These options increase (to about the maximum possible per the OpenPGP format) the amount of processing to transform a passphrase into a key, hence the resistance to brute-force passphrase search. This is not a substitute for using a hard-to-guess passphrase, but does help significantly.

When encrypting to self, it still makes a lot of sense to use asymmetric encryption: that allows encrypting without a passphrase, limiting its possible leak to decryption. I use this for automated backups in the cloud (with a different asymmetric key to sign the backups). I can confidently say that nothing on the machines doing the backups allows deciphering the backups.

fgrieu
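
The s2k options above pick OpenPGP's iterated-and-salted S2K (RFC 4880, section 3.7.1.3). The following is an added illustration, not GnuPG's own code, showing why 65011712 is "about the maximum": the count is stored as one coded octet, and the largest octet (255) decodes to exactly 65011712 octets hashed per passphrase guess. The passphrase, the fixed salt and the comparison against the 65536-octet count (coded 96, the old fixed GnuPG default) are constructed for the example; gpg draws the salt at random and stores it in the symmetric-key session packet.

```python
"""OpenPGP iterated-and-salted S2K (RFC 4880 section 3.7.1.3), the passphrase
stretching selected by 'gpg --s2k-mode 3 --s2k-count 65011712 --s2k-digest-algo
SHA512'. Added example, not GnuPG code; inputs in demo() are constructed."""
import hashlib
import os


def decode_s2k_count(coded: int) -> int:
    """Expand the one-octet coded count into the number of octets to hash."""
    if not 0 <= coded <= 255:
        raise ValueError("coded count must fit in one octet")
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def encode_s2k_count(count: int) -> int:
    """Smallest coded octet whose decoded count is >= count (how gpg rounds an
    --s2k-count value up to a representable one)."""
    if count > decode_s2k_count(255):
        raise ValueError("count exceeds the OpenPGP maximum of 65011712")
    return next(c for c in range(256) if decode_s2k_count(c) >= count)


def iterated_salted_s2k(passphrase: bytes, salt: bytes, count: int,
                        digest: str, key_len: int) -> bytes:
    """Derive key_len octets. Hash context i is preloaded with i zero octets,
    then fed `count` octets of (salt || passphrase) repeated; if count is
    smaller than one copy, the whole copy is hashed once. Output is truncated
    to key_len (SHA512 -> 64 octets, of which AES256 uses the first 32)."""
    if len(salt) != 8:
        raise ValueError("OpenPGP S2K salt is exactly 8 octets")
    block = salt + passphrase
    total = max(count, len(block))
    # Feed the repetition in large block-aligned chunks so the loop stays fast
    # even at the maximum count of 65011712 octets.
    chunk = block * max(1, 65536 // len(block))
    out = b""
    ctx = 0
    while len(out) < key_len:
        h = hashlib.new(digest)
        h.update(b"\x00" * ctx)
        remaining = total
        while remaining > 0:
            piece = chunk[:remaining]
            h.update(piece)
            remaining -= len(piece)
        out += h.digest()
        ctx += 1
    return out[:key_len]


def aes256_key_from_passphrase(passphrase: str, salt: bytes,
                               coded_count: int = 255,
                               digest: str = "sha512") -> bytes:
    """The 32-octet AES256 key gpg derives from a UTF-8 passphrase, the 8-octet
    salt from the SKESK packet and the coded count (255 = 65011712 octets)."""
    return iterated_salted_s2k(passphrase.encode("utf-8"), salt,
                               decode_s2k_count(coded_count), digest, 32)


def work_factor_ratio(coded_a: int, coded_b: int) -> float:
    """How many times more hashing each guess costs with coded_a than coded_b."""
    return decode_s2k_count(coded_a) / decode_s2k_count(coded_b)


def demo() -> dict:
    """Run the derivation on constructed inputs and return checkable facts."""
    salt = bytes(range(8))                        # constructed; gpg uses random
    passphrase = "correct horse battery staple"  # constructed example passphrase
    key_max = aes256_key_from_passphrase(passphrase, salt, 255)
    key_again = aes256_key_from_passphrase(passphrase, salt, 255)
    key_other_salt = aes256_key_from_passphrase(passphrase, os.urandom(8), 255)
    # With count below one copy of salt||passphrase, S2K is a single plain hash.
    single = iterated_salted_s2k(b"pw", salt, 1, "sha512", 32)
    return {
        "max_count": decode_s2k_count(255),
        "coded_for_65011712": encode_s2k_count(65011712),
        "key_len": len(key_max),
        "deterministic": key_max == key_again,
        "salt_matters": key_max != key_other_salt,
        "single_hash_case": single == hashlib.sha512(salt + b"pw").digest()[:32],
        "ratio_vs_coded_96": work_factor_ratio(255, 96),  # 65011712 / 65536
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The ratio returned by demo() shows what the setting buys: each guess against a message made with the maximum count costs 992 times the hashing of one made with the 65536-octet count, which shifts a dictionary attack by under 10 bits. That is why the answer stresses that the option helps but does not replace a strong passphrase.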
  • Thanks for the quick response fgrieu. Correct me if I'm wrong: the only advantage (in this context) of the asymmetric approach is that it prevents us from hardcoding the password in the backup system, correct? Also, can you suggest a few links/books that provide a good introduction to this subject. – Arjun Jan 07 '19 at 10:13
  • @Arjun: yes, not needing the passphrase for encryption is the one good reason to use asymmetric for encryption to self, including backups. Sorry that I pass on the request for introductory doc. – fgrieu Jan 07 '19 at 10:39
  • @Arjun I don't agree that it is the only advantage; asymmetric encryption also allows you / requires you to have access to the private key. Basically, the password now wraps / unwraps the private key. However, you can move the private key to smart card or USB stick so it becomes impossible for an adversary to 1) directly attack the ciphertext (as you need the private key to decrypt) or 2) search for the password, as you can only find it by trying to unwrap the private key. – Maarten Bodewes Jan 07 '19 at 15:05
  • @MaartenBodewes: right. We can (and should) keep the passphrase-protected private key out of the server, and that is a strong line of defense. – fgrieu Jan 07 '19 at 15:56
  • And store the pw in a pw manager of sorts, especially if other persons are involved. I mean, I've seen people propose passwords as "strong" passwords that are literally too bad to post. AFAIK PGP doesn't really indicate if the password is weak or not. Now assuming some passwords are strong by just looking at character frequencies etc. is tricky at best, but accepting known bad passwords is definitely worse. – Maarten Bodewes Jan 07 '19 at 16:24
  • @fgrieu: What's the point of AES 256 with RSA? The default GPG RSA 3072 has security level of AES 128. The RSA 4096 doesn't add much to 3072 (perhaps 18 bits). – eli Mar 28 '20 at 18:10
  • Basically, with RSA you are, effectively, limited to AES 128. Also, signing doesn't add much: your public key is known. – eli Mar 28 '20 at 18:12
  • @eli, AES256 provides 128 bit security after a successful quantum attack. AES128 only offers 64 bit security if a quantum attack was to occur. RSA is more secure against a quantum attack than AES at this scale, so moving to AES256 improves the weakest link. RSA4096 has 226 bit security vs RSA3072 which has 138 bits. It's common to round down (to the nearest 32 bits: 224 and 128 respectively), but in this case looking at the details shows that you improve security even if the mythical quantum computer is never built. https://crypto.stackexchange.com/a/35797/42249 – Brandon Apr 04 '22 at 09:17