Advanced
Mailing List Archive

Mailing List Archive

  1. Home >
  2. GnuPG>
  3. users
aes-mode, RSA
gnupg-users at gnupg
Sep 12, 2018, 12:25 PM
Post #1 of 3 (267 views)
Permalink
I have heard that gnupg for aes256 uses cbc mode is this correct and would like to know the command line to send a key by RSA 2056 or higher. Thank you.
Wayneschmtzway@yahoo.com
Re: aes-mode, RSA [ In reply to ]
rjh at sixdemonbag
Sep 12, 2018, 4:25 PM
Post #2 of 3 (267 views)
Permalink
> I have heard that gnupg for aes256 uses cbc mode is this correct

No. GnuPG uses a version of CFB mode. CBC mode is not part of the spec.

> would like to know the command line to send a key by RSA 2056 or higher.

If your recipient's primary encryption subkey is RSA-2056 or higher,
congratulations, you're done.

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: aes-mode, RSA [ In reply to ]
rjh at sixdemonbag
Sep 13, 2018, 12:41 PM
Post #3 of 3 (265 views)
Permalink
Wayne asked me off-list how to ensure RSA-2056 or greater was being used.

First, it's a little weird: normally we talk of RSA-2048, not -2056.
But never mind, the answer is the same each way.

When sending email to another person, you use their public key for the
encryption. Your own key isn't used at all for encryption (unless you
include yourself on the recipients list).

To check a certificate, use --list-key and the ID of the certificate you
want to check. For instance, my certificate is

=====
rjh@pop-os:~$ gpg --list-key 1DCBDC01B44427C7

pub rsa3072/1DCBDC01B44427C7 2015-07-16 [SC]
CC11BE7CBBED77B120F37B011DCBDC01B44427C7
uid [ultimate] Robert J. Hansen <rjh@sixdemonbag.org>
uid [ultimate] Robert J. Hansen <rob@hansen.engineering>
uid [ultimate] Robert J. Hansen <rob@enigmail.net>
sub rsa3072/DC0F82625FA6AADE 2015-07-16 [E]
sub ed25519/A83CAE94D3DC3873 2017-04-05 [S]
sub cv25519/AA24CC81B8AED08B 2017-04-05 [E]
=====

Cut-and-paste that into a text document (Notepad, Atom, whatever).
Remove any line that doesn't start with "pub" or "sub".

=====
pub rsa3072/1DCBDC01B44427C7 2015-07-16 [SC]
sub rsa3072/DC0F82625FA6AADE 2015-07-16 [E]
sub ed25519/A83CAE94D3DC3873 2017-04-05 [S]
sub cv25519/AA24CC81B8AED08B 2017-04-05 [E]
=====

Now remove anything that doesn't end with the letter "E" somewhere in
brackets. "[SCE]" is okay, but "[SC]" isn't.

=====
sub rsa3072/DC0F82625FA6AADE 2015-07-16 [E]
sub cv25519/AA24CC81B8AED08B 2017-04-05 [E]
=====

Presto. I have two encryption subkeys. Now look at the second column:
one starts with "rsa3072", denoting a 3072-bit RSA key. The other,
cv25519, is an elliptical curve key -- not what you want.

By default, GnuPG will use the newest encryption subkey. That means if
you were to type in this:

=====
rjh@pop-os:~$ gpg --recipient 1DCBDC01B44427C7 --encrypt foo.txt
=====

... GnuPG would use my cv25519 subkey, since it's the newest. You can
override this. To the right-hand side of my RSA key you'll see an
identifier for it, "DC0F82625FA6AADE". To override GnuPG's choice of
subkeys, specify the specific subkey's identifier and add an exclamation
point to the end ("!"). This is how you tell GnuPG "no, really, use
this one".

=====
rjh@pop-os:~$ gpg --recipient DC0F82625FA6AADE! --encrypt foo.txt
=====

Hope this helps!

_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

©2024 GT.net. A Gossamer Threads company.
5th Floor, 455 Granville St., Vancouver, BC V6C 1T1, Canada | Legal