Allow s2k options for gpg --export-secret-key
Open, WishlistPublic

Description

The s2k options --s2k-cipher-algo, --s2k-digest-algo, and --s2k-count all appear
to be ignored in versions of GnuPG that no longer use secring.gpg. Perhaps it's
an oversight from removal of secring.gpg. I tried these options with --gen-key,
--edit-key, and --export-secret-keys but there was no effect in any case.

To reproduce:

gpg2 --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-mode 3 --s2k-count 65000000 --gen-key

Then export, using the s2k options in case they're needed here instead:

gpg2 --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-mode 3 --s2k-count 65000000 --export-secret-keys | gpg2 --list-packets

What I expect to see:

iter+salt S2K, algo: 9, SHA1 protection, hash: 10, salt: 1134d6e05d8a2a4b
protect count: 65011712 (255)

What I see instead:

iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: ea29b70061f987bd
protect count: 14155776 (219)

It's exporting algo 7 (AES-128) with digest 2 (SHA-1) and protect count 219,
instead of algo 9 (AES-256) with digest 10 (SHA-512) with protect count 255. The
expected output shown here is the output of GnuPG 2.0.26 using the same commands.

I marked it as urgent because these options are silently ignored and it's not
obvious to the user that they're not getting the security level they asked for.
Only using --list-packets reveals the problem.

Details

Version
2.1.1
skeeto set Version to 2.1.1.
skeeto added a subscriber: skeeto.
werner lowered the priority of this task from High to Normal.Jan 5 2015, 6:35 PM
werner added a subscriber: werner.

Note that gpg-agent is responsible for this. The agent calibrates the s2k count
so that the KDF takes about 100ms. Actually this is the default since 2.0
something (at least a couple of years). Note that the s2k count is still used
for symmetric encryption.

It is an open question whether gpg should be allowed to change the s2k options
because the keys are a property of the agent and not of gpg. For export it
might hwoever make sense to be able to change that (think export for use on a
slower box).

Implement that for export.

werner renamed this task from Secret key s2k options ignored in GnuPG modern to Allow s2k options for gpg --export-secret-key.
larryv updated the task description. (Show Details)Jul 21 2017, 10:54 PM
werner lowered the priority of this task from Normal to Wishlist.Jul 24 2017, 9:50 AM
larryv added a subscriber: larryv.Jan 1 2018, 8:52 AM
dkg added a subscriber: dkg.Jul 12 2018, 6:31 PM

About how the keys are actually stored on disk:

On modern GnuPG (2.1.x), gpg-agent itself has an s2k-count argument: either --s2k-count on the gpg-agent command line, or (more likely, since people rarely launch gpg-agent manually), as s2k-count in ~/.gnupg/gpg-agent.conf.

Reading the gpg-agent(1) manpage should provide more details about it.

This bug report is scoped to the details about how the keys are structured when exported, and has nothing to do with how keys are stored by gpg-agent.