Setting Preferred Key Attributes (Cipher, Hash, Compression) with PGP Command Line
Article ID: 263777

Products

PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK, Desktop Email Encryption, Drive Encryption, Encryption Management Server, Endpoint Encryption, File Share Encryption, Gateway Email Encryption

Issue/Introduction

PGP Command Line can encrypt and decrypt files, and can also sign data and verify signatures. When it performs an encryption operation, PGP Command Line honours the preferred attributes that are set on the key: for example, which cipher should be preferred, which hashing algorithm is used, or which compression type is applied. These attributes belong to an individual key and can be set per key. This article discusses how you can assign these key attributes during the key generation process.

It is also possible to add or remove these preferred attributes after a key has been generated; Section 2 shows how to remove one.

For more information on PGP Commands, see our Product Documentation Portal as well as the following article on Using PGP Command Line:

158454 - Using PGP Command Line

Resolution

There are many more attributes that can be set, but only the recommended top attributes are listed below. Consult the PGP Command Line Administrator's Guide for more information on specific examples not covered in this article.

Section 1 of 2: Working with Ciphers, Hashes and Compressions

The following are the cipher options that we recommend:
--aes256
--aes192
--aes128

Hash options:
--sha256
--sha512
--sha384

Compression options:
--bzip2
--zip
--zlib

Because so many combinations of ciphers, hashes and compressions are available, only a few examples are listed below to get you started:

The following is an example of generating a PGP Key using AES-256 as the Cipher, with SHA-256 as the hash, and Bzip2 as the compression:

pgp --gen-key "AES-256-SHA-256-Bzip2 <[email protected]>" --key-type rsa --bits 4096 --passphrase "password" --aes256 1 --bzip2 1 --sha256 1

Each of these attributes can be picked out of the examples below, but the idea is that you can use any combination that suits your needs.

You can add multiple preferred ciphers, hashes or compressions by specifying each one in the command followed by its rank: "1" for first place, "2" for second place.

pgp --gen-key "AES-256-SHA-512-Zip <[email protected]>" --key-type rsa --bits 4096 --passphrase "password" --aes256 1 --zip 1 --sha512 1
pgp --gen-key "AES-256-SHA-384-Zlib <[email protected]>" --key-type rsa --bits 4096 --passphrase "password" --aes256 1 --zlib 1 --sha384 1

pgp --gen-key "AES-128-SHA-256-Bzip2 <[email protected]>" --key-type rsa --bits 4096 --passphrase "password" --aes128 1 --bzip2 1 --sha256 1
pgp --gen-key "AES-128-SHA384-Zlib <[email protected]>" --key-type rsa --bits 4096 --passphrase "password" --aes128 1 --zlib 1 --sha384 1
pgp --gen-key "AES-128-SHA-512-Zip <[email protected]>" --key-type rsa --bits 4096 --passphrase "password" --aes128 1 --zip 1 --sha512 1

pgp --gen-key "AES-192-SHA-256-Bzip2 <[email protected]>" --key-type rsa --bits 4096 --passphrase "password" --aes192 1 --bzip2 1 --sha256 1
pgp --gen-key "AES-192-SHA-384-Zlib <[email protected]>" --key-type rsa --bits 4096 --passphrase "password" --aes192 1 --zlib 1 --sha384 1
pgp --gen-key "AES-192-SHA-512-Zip <[email protected]>" --key-type rsa --bits 4096 --passphrase "password" --aes192 1 --zip 1 --sha512 1

Section 2 of 2: Removing Preferred Ciphers from PGP keys

In addition to setting the preferred ordering of ciphers and hashes, you can also remove a preferred cipher from a key. The following example removes the preferred cipher "3DES" from a key.

First, list the ciphers and hashes for the key by using its Key ID:

pgp --list-key-details 0x12345678

Replace 0x12345678 with the Key ID of the key in question.

BEFORE (note the TripleDES cipher line):

pgp --list-key-details 0xC7617731
Key Details: BOBKEYRING
     Key ID: 0xC7617731 (0x9A4E777AC7617731)
       Type: RSA (v4) key pair
       Size: 4096
   Validity: Complete
      Trust: Implicit (Axiomatic)
    Created: 2023-07-17
    Expires: Never
     Status: Active
     Cipher: AES-128
     Cipher: AES-192
     Cipher: AES-256
     Cipher: TripleDES
       Hash: SHA-256
       Hash: SHA-512
   Compress: ZLIB
        ADK: None
    Revoker: None

1 key found

Now issue the command to remove the TripleDES cipher from the key:

pgp --remove-preferred-cipher 0x12345678 --cipher 3DES --passphrase "passphrase here"

AFTER:

pgp --list-key-details 0xC7617731
Key Details: BOBKEYRING
     Key ID: 0xC7617731 (0x9A4E777AC7617731)
       Type: RSA (v4) key pair
       Size: 4096
   Validity: Complete
      Trust: Implicit (Axiomatic)
    Created: 2023-07-17
    Expires: Never
     Status: Active
     Cipher: AES-128
     Cipher: AES-192
     Cipher: AES-256
       Hash: SHA-256
       Hash: SHA-512
   Compress: ZLIB

 

As you can see above, the TripleDES cipher is no longer listed on the key.
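As an added example (not part of this article or of the PGP Command Line product), the following POSIX shell check parses --list-key-details output like the listings above and flags any preferred cipher or hash that is not on the recommended list from Section 1. The listing text is constructed from the BEFORE and AFTER output above, and the list_prefs and weak_prefs names are assumptions made here.

```shell
# Added example (not from the article): sample listings constructed from the BEFORE/AFTER output above.

BEFORE_LISTING='Key Details: BOBKEYRING
     Key ID: 0xC7617731 (0x9A4E777AC7617731)
     Cipher: AES-128
     Cipher: AES-192
     Cipher: AES-256
     Cipher: TripleDES
       Hash: SHA-256
       Hash: SHA-512
   Compress: ZLIB'

AFTER_LISTING='Key Details: BOBKEYRING
     Key ID: 0xC7617731 (0x9A4E777AC7617731)
     Cipher: AES-128
     Cipher: AES-192
     Cipher: AES-256
       Hash: SHA-256
       Hash: SHA-512
   Compress: ZLIB'

# list_prefs KIND LISTING: print the preferred values of one kind
# (Cipher, Hash or Compress) in the order the key lists them.
list_prefs() {
  printf '%s\n' "$2" | sed -n "s/^ *$1: *//p"
}

# weak_prefs LISTING: print every preferred cipher or hash that is not on the
# recommended list from Section 1. Returns 0 when all preferences are
# recommended, 1 when at least one should be removed from the key.
weak_prefs() {
  found=0
  for c in $(list_prefs Cipher "$1"); do
    case "$c" in
      AES-128|AES-192|AES-256) ;;
      *) echo "weak cipher preference: $c"; found=1 ;;
    esac
  done
  for h in $(list_prefs Hash "$1"); do
    case "$h" in
      SHA-256|SHA-384|SHA-512) ;;
      *) echo "weak hash preference: $h"; found=1 ;;
    esac
  done
  return $found
}
# Stand-alone run: flags TripleDES on the BEFORE key, nothing on the AFTER key.
weak_prefs "$BEFORE_LISTING" || echo "-> remove it with: pgp --remove-preferred-cipher <KeyID> --cipher 3DES"
weak_prefs "$AFTER_LISTING" && echo "AFTER key: preferences are all recommended"
```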

IMSFR-10: For further information on TripleDES/3DES, reach out to Symantec Encryption Support for guidance.

Note: Currently there is no method to view these preferred attributes. A request to add this functionality has been logged with our Product team. To be added to this request, please reach out to Symantec Encryption Support and provide ID ISFR-2650 as well as this KB ID.

Additional Information

180118 - HOW TO: Use PGP Command Line to Create and Manage PGP Keys