encryptiongnupgencryption-symmetrictwofish

GPG - Max Keysize with TWOFISH symmetric encryption


I'm using a script to pack and encrypt archives in order to backup them in cloud storage.

It generates shell commands like this:

cd /vault/backup/pictures; tar cf - vacation-201309 | xz -3 | gpg --symmetric --cipher-algo TWOFISH --digest-algo SHA512 --no-secmem-warning --yes --batch --passphrase-file /vault/keys/back_keyfile -o /vault/backup/upload/vacation-201309.tar.xz.gpg

TWOFISH is a 256-bit cipher which means, that it can only use a keyfile not bigger than,

openssl rand -base64 256:

3zXeZC/XWC1h1lxre88gzkhCZqk6tV7YKCg9HiKDLrooEDYkvwYXQ5LMBLSFdpYr
c2KAP10aq6pfEi4YeL7llQXfd47qXsEDi8nOpBpPRALxv2NYE4qjZC3sTPe+d1ue
cbFM18BmxHN0094YotLBD+6cQIfZyU8GVLLHx8iH2jf48+7QuXigqWW1oT33BPbQ
zrlND50ZFeGNYo7woIRpSvt8KeBm8t75jVEqXIzA2Zei0r9Xsx0mu828t0wZ6mGL
hkj4B5M56eJzFUCFG207Mf/bXvV5X7Pz6W72Y8nhjAtkumdAsEb0Vc0iIHJ64mfH
XWEfs/1T3n2F8/kxASIvPQ==

At least that's how I understand it.

My question is, how would GPG behave, if I pass a bigger key file to it like

openssl rand -base64 512:

P0MzGpZItSu6fKObtJvAx1fLRxPBK/pOIjR9Yv+mCrHLlit7ksHOjif6ln32lXl3
8g/zxdQc39kanAproaOzZ1ulebxbfK1Bi6/OfwhdP1HF61nWBZb03TDtdNNXEDFW
9lAN6kHUUctpY9PhFCv2AmoKSKzv1HsAGkrhqslO4E+3sIlGgVLg69qKHE9yQJSX
s5xhXKTcAcaVZ++HwuTTvIduf3sc2J+BEDzpqrAwES2hV5gFwnFFA6G0md31VwEI
9wf22p07qbOrRryV/0WZUNZfOuZ5g/JgrqhRgq53lK0VHvyRkNjMlx7BW4n3Y/0y
5Lgve8Q89Cx5jwbxPcBnXW5h4SWLFa8bSLrGrn/eDH+F1mA5BbU+3IrBdLgivz0u
Unr+jLD3FbBOv/8jRAyp/iOwMmOw9welTu/mcEEa20gyupeJXxAZaVrNfWdWVORi
PdjW5vR9Rn/NLh6fV46+E39dgTn4TBp/v9h+LZpiVK3nNkry+as9vH73o+nFIe8Q
H/UkchDqmIBLntKc9rBZQrkx8NOzruoWGJoFE/Wb23AHN7RNyYgVgvZTy5QWhILz
CW/mzwMQYAuLbFfnY4cgDs9zLMo4OqFGUmbgbnXO9KbYgsplU2aps9JoOjyWCchm
uWYRNAGWrgdfl8vIaxMz1WUwWJFDxyNrANPRiPFQTUg=

Will it just take the first 256 characters and ignore the rest?


Solution

  • You are using the random as input as a passphrase. Only the first line is used. So you are not generating the key at all, the key is generated using the S2K algorithms, using just the first line.

    Note that a 256 bit key does not consist of 256 "characters" or bytes.