PGP Command Line can encrypt and decrypt files, and can sign data and verify signatures. When it encrypts, PGP Command Line observes which preferred attributes are set on the key: the preferred cipher, the preferred hash algorithm and the preferred compression type. These are attributes stored on each individual key and can be set accordingly. This article discusses how to assign these key attributes during key generation.
It is also possible to add or remove these preferred attributes on an existing key.
For more information on PGP Commands, see our Product Documentation Portal as well as the following article on Using PGP Command Line:
There are many more attributes that can be set, but only the recommended attributes are listed below. Consult the PGP Command Line Administrator's Guide for specific examples not covered in this article.
The following are the cipher options we recommend:
--aes256
--aes192
--aes128
Hash options:
--sha256
--sha512
--sha384
Compression options:
--bzip2
--zip
--zlib
Because there are so many possible combinations of cipher, hash and compression, only a few examples are listed below to get you started:
The following is an example of generating a PGP key using AES-256 as the cipher, SHA-256 as the hash and Bzip2 as the compression. The passphrase shown is a placeholder; note that a passphrase given with --passphrase is visible in shell history and process listings, so use a strong one and clear it from history on shared systems:
pgp --gen-key "AES-256-SHA-256-Bzip2 <[email protected]>" --key-type rsa --bits 4096 --passphrase "password" --aes256 1 --bzip2 1 --sha256 1
Each of the examples below sets one cipher, one hash and one compression algorithm at rank 1; you can pick out each attribute and use any combination that suits your needs.
To set more than one preferred cipher, hash or compression, specify each one with its rank in the same command: "1" for first preference, "2" for second preference, and so on (for example --aes256 1 --aes192 2).
pgp --gen-key "AES-256-SHA-512-Zip <[email protected]>" --key-type rsa --bits 4096 --passphrase "password" --aes256 1 --zip 1 --sha512 1
pgp --gen-key "AES-256-SHA-384-Zlib <[email protected]>" --key-type rsa --bits 4096 --passphrase "password" --aes256 1 --zlib 1 --sha384 1
pgp --gen-key "AES-128-SHA-256-Bzip2 <[email protected]>" --key-type rsa --bits 4096 --passphrase "password" --aes128 1 --bzip2 1 --sha256 1
pgp --gen-key "AES-128-SHA-384-Zlib <[email protected]>" --key-type rsa --bits 4096 --passphrase "password" --aes128 1 --zlib 1 --sha384 1
pgp --gen-key "AES-128-SHA-512-Zip <[email protected]>" --key-type rsa --bits 4096 --passphrase "password" --aes128 1 --zip 1 --sha512 1
pgp --gen-key "AES-192-SHA-256-Bzip2 <[email protected]>" --key-type rsa --bits 4096 --passphrase "password" --aes192 1 --bzip2 1 --sha256 1
pgp --gen-key "AES-192-SHA-384-Zlib <[email protected]>" --key-type rsa --bits 4096 --passphrase "password" --aes192 1 --zlib 1 --sha384 1
pgp --gen-key "AES-192-SHA-512-Zip <[email protected]>" --key-type rsa --bits 4096 --passphrase "password" --aes192 1 --zip 1 --sha512 1
In addition to setting the preference order of ciphers and hashes, you can also remove a preferred cipher from an existing key. The following removes the preferred cipher TripleDES (3DES) from a key.
First, list the ciphers and hashes on the key, using its Key ID (0x12345678 below is a placeholder for the key in question):
pgp --list-key-details 0x12345678
BEFORE (note the TripleDES line):
pgp --list-key-details 0xC7617731
Key Details: BOBKEYRING
Key ID: 0xC7617731 (0x9A4E777AC7617731)
Type: RSA (v4) key pair
Size: 4096
Validity: Complete
Trust: Implicit (Axiomatic)
Created: 2023-07-17
Expires: Never
Status: Active
Cipher: AES-128
Cipher: AES-192
Cipher: AES-256
Cipher: TripleDES
Hash: SHA-256
Hash: SHA-512
Compress: ZLIB
ADK: None
Revoker: None
1 key found
Now issue the command to remove the TripleDES cipher from the key, using the same Key ID as in the listing above:
pgp --remove-preferred-cipher 0xC7617731 --cipher 3DES --passphrase "passphrase here"
AFTER:
pgp --list-key-details 0xC7617731
Key Details: BOBKEYRING
Key ID: 0xC7617731 (0x9A4E777AC7617731)
Type: RSA (v4) key pair
Size: 4096
Validity: Complete
Trust: Implicit (Axiomatic)
Created: 2023-07-17
Expires: Never
Status: Active
Cipher: AES-128
Cipher: AES-192
Cipher: AES-256
Hash: SHA-256
Hash: SHA-512
Compress: ZLIB
As you can see above, the TripleDES cipher is no longer listed on the key.
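As an added example (not part of the original article and not code from PGP Command Line), the shell script below automates the check above: it parses the text of a pgp --list-key-details listing, reports any preferred cipher outside an allowed set, and prints the matching --remove-preferred-cipher command for each one. The listing embedded in the script is a constructed copy of the BEFORE output; the mapping of the CAST5, IDEA and Twofish names to --cipher values is an assumption to confirm against the Administrator's Guide, and PGP_PASSPHRASE is an environment variable the example assumes you set before running the printed command.

```shell
#!/bin/sh
# Audit a PGP Command Line key listing for preferred ciphers outside an
# allowed set. Added example for this article; not part of PGP Command Line.
# Feed it the text of `pgp --list-key-details <keyid>` (captured to a file
# or a variable) and it prints the `pgp --remove-preferred-cipher` command
# for each cipher that should not be advertised on the key.

# Ciphers a key may advertise; AES-128/192/256 are the ones this article
# recommends. Anything else (TripleDES, CAST5, IDEA, ...) is flagged.
ALLOWED_CIPHERS="AES-128 AES-192 AES-256"

# Constructed sample: the BEFORE listing, with a TripleDES preference present.
SAMPLE_LISTING='Key Details: BOBKEYRING
Key ID: 0xC7617731 (0x9A4E777AC7617731)
Type: RSA (v4) key pair
Size: 4096
Cipher: AES-128
Cipher: AES-192
Cipher: AES-256
Cipher: TripleDES
Hash: SHA-256
Hash: SHA-512
Compress: ZLIB
1 key found'

# Print the Cipher values from a listing, one per line.
list_ciphers() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Cipher:[[:space:]]*//p'
}

# Print the short Key ID (0xXXXXXXXX) from a listing.
key_id() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*Key ID:[[:space:]]*\(0x[0-9A-Fa-f]*\).*/\1/p' \
        | head -n 1
}

# Print every Cipher that is not in ALLOWED_CIPHERS.
weak_ciphers() {
    list_ciphers "$1" | while IFS= read -r c; do
        case " $ALLOWED_CIPHERS " in
            *" $c "*) ;;                 # allowed, skip it
            *) printf '%s\n' "$c" ;;     # not allowed, report it
        esac
    done
}

# Map the name shown by --list-key-details to the value --cipher expects.
# TripleDES -> 3DES is taken from the article; the other names are an
# assumption and should be confirmed against the Administrator's Guide.
cipher_option() {
    case "$1" in
        TripleDES) echo 3DES ;;
        CAST5)     echo CAST5 ;;
        IDEA)      echo IDEA ;;
        Twofish)   echo Twofish ;;
        *)         echo "$1" ;;
    esac
}

# Print one remove command per disallowed cipher. The passphrase is left as
# a reference to the PGP_PASSPHRASE environment variable (assumed to be set
# by the operator) so the secret itself is never written into the command.
remove_commands() {
    kid=$(key_id "$1")
    weak_ciphers "$1" | while IFS= read -r c; do
        printf 'pgp --remove-preferred-cipher %s --cipher %s --passphrase "$PGP_PASSPHRASE"\n' \
            "$kid" "$(cipher_option "$c")"
    done
}

# Stand-alone run: audit the constructed sample listing.
remove_commands "$SAMPLE_LISTING"
```

To audit a real key, replace the sample with the captured output, for example: remove_commands "$(pgp --list-key-details 0xC7617731)". Review the printed commands before running them; after removal, re-run the audit and confirm it prints nothing.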
For further information on TripleDES/3DES (reference IMSFR-10), reach out to Symantec Encryption Support for further guidance.
Note: Currently there is no method to view the preference order (rank) of these attributes; --list-key-details shows which ciphers, hashes and compression algorithms are set on the key but not their ranking. A request to add this functionality has been logged with our Product team.
To be added to this request, please reach out to Symantec Encryption Support and provide ID ISFR-2650 as well as this KB ID.