key preferences

[dataO1]

I just realized that, when creating a new key its preferences default to 3DES as its cipher algorithm and there is no parameter in the API to change that. Does this come from the vault plugin itself or does the plugin read the gpg config for defaults?

[LeSuisse]

Hello,

Thanks for the report. I will check that because obviously using 3DES is not expected.

[LeSuisse]

Hello,

After verification using a freshly created key it looks good to me:

$ vault read -field public_key gpg/keys/test | gpg --list-packets - | grep pref
	hashed subpkt 11 len 1 (pref-sym-algos: 7)
	hashed subpkt 21 len 1 (pref-hash-algos: 8)
	hashed subpkt 22 len 1 (pref-zip-algos: 0)
	hashed subpkt 34 len 1 (pref-aead-algos: 1)

or using the output of gpg --edit-key showpref:

     Cipher: AES, 3DES
     AEAD: EAX
     Digest: SHA256, SHA1
     Compression: Uncompressed
     Features: MDC, AEAD

As noted in RFC4880 section 9.2 and RFC4880 section 9.4, 3DES and SHA-1 must be implemented this is why you always see them in the showpref output.

Did you notice something else?

[dataO1]

Hi,

sorry for the very late answer, the problem was not very relevant until now.
Anyhow, here's my output for gpg --edit-key showpref (I exported the key as a file and imported it into gpg again):

     Cipher: 3DES
     Digest: SHA1
     Compression: ZIP, Uncompressed

and for vault read -field public_key gpg/keys/mephesto | gpg --list-packets - :

# off=0 ctb=c6 tag=6 hlen=3 plen=269 new-ctb
:public key packet:
	version 4, algo 1, created 1643208106, expires 0
	pkey[0]: [2048 bits]
	pkey[1]: [17 bits]
	keyid: 9DD0B9AB1889B878
# off=272 ctb=cd tag=13 hlen=2 plen=35 new-ctb
:user ID packet: "Daniel Tabellion <[email protected]>"
# off=309 ctb=c2 tag=2 hlen=3 plen=290 new-ctb
:signature packet: algo 1, keyid 9DD0B9AB1889B878
	version 4, created 1643208106, md5len 0, sigclass 0x13
	digest algo 8, begin of digest f5 ed
	hashed subpkt 2 len 4 (sig created 2022-01-26)
	hashed subpkt 16 len 8 (issuer key ID 9DD0B9AB1889B878)
	hashed subpkt 27 len 1 (key flags: 03)
	hashed subpkt 25 len 1 (primary user ID)
	data: [2048 bits]
# off=602 ctb=ce tag=14 hlen=3 plen=269 new-ctb
:public sub key packet:
	version 4, algo 1, created 1643208106, expires 0
	pkey[0]: [2048 bits]
	pkey[1]: [17 bits]
	keyid: 0CFBC7B867956A83
# off=874 ctb=c2 tag=2 hlen=3 plen=287 new-ctb
:signature packet: algo 1, keyid 9DD0B9AB1889B878
	version 4, created 1643208106, md5len 0, sigclass 0x18
	digest algo 8, begin of digest 6d 33
	hashed subpkt 2 len 4 (sig created 2022-01-26)
	hashed subpkt 16 len 8 (issuer key ID 9DD0B9AB1889B878)
	hashed subpkt 27 len 1 (key flags: 0C)
	data: [2047 bits]

Also, here's the output for a file encrypted with the corresponding public key (using gpg -vv --show-session-key --list-packets file.gpg):

# off=0 ctb=85 tag=1 hlen=3 plen=268
:pubkey enc packet: version 3, algo 1, keyid 0CFBC7B867956A83
	data: [2048 bits]
gpg: public key is 0CFBC7B867956A83
# off=271 ctb=d2 tag=18 hlen=2 plen=0 partial new-ctb
:encrypted data packet:
	length: unknown
	mdc_method: 2
gpg: encrypted with RSA key, ID 0CFBC7B867956A83
gpg: decryption failed: No secret key` 

Not sure how to read the last two outputs, but the showpref command clearly only states 3DES as cipher. Also, I got a warning earlier when trying to encrypt a file with the imported gpg key that said gpg: WARNING: encrypting more than 150 MiB with algorithm 3DES should be avoided. When trying to force AES with the option --cipher-algo AES256 i got gpg: WARNING: forcing symmetric cipher AES256 (9) violates recipient preferences.