Per this note from Werner the s2k-* options are all ignored as it relates to mangling the secret key passphrase:
"With GnuPG 2.1 the s2k options are only used for --symmetric encryption."
However, the man pages for gnupg 2.1.10 have not been updated to reflect this change in behavior and some might be using
these options (which used to work as the man page suggests prior to 2.1.x) with the intention of customizing their security
level but unaware that their options are being silently ignored.
The man pages currently show:
Use name as the cipher algorithm used to protect secret keys. The default cipher is AES-128. This cipher is
also used for symmetric encryption with a passphrase if --personal-cipher-preferences and --cipher-algo is not
Use name as the digest algorithm used to mangle the passphrases. The default algorithm is SHA-1.
Selects how passphrases are mangled. If n is 0 a plain passphrase (which is not recommended) will be used, a 1
adds a salt to the passphrase and a 3 (the default) iterates the whole process a number of times (see --s2k-
count). Unless --rfc1991 is used, this mode is also used for symmetric encryption with a passphrase.
Specify how many times the passphrase mangling is repeated. This value may range between 1024 and 65011712
inclusive. The default is inquired from gpg-agent. Note that not all values in the 1024-65011712 range are
legal and if an illegal value is selected, GnuPG will round up to the nearest legal value. This option is only
meaningful if --s2k-mode is 3.
I found this while experimenting with suggestions found here:
and could only verify that these options were having no effect after a lot of time experimenting, and viewing the exported
secret key with --list-packets, and after being led astray by the incorrect man page.