Ask HN: How secure is GPG using a symmetric cypher? - brdrak

If I encrypt a file using a 20 character password like so:

  gpg -c --force-mdc file

Assuming the password doesn't appear on any dictionary lists, and has enough randomness to require brute force, how secure is the result?
======
tptacek
Very secure.

GPG doesn't have a particularly great KDF, so shorter passphrases are an
issue, but a 20 character passphrase compensates for that.

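To make the KDF remark above concrete, here is an added example (not code from the thread or from GnuPG) that models the OpenPGP "Iterated and Salted S2K" derivation from RFC 4880 section 3.7.1.3, which is what `gpg -c` uses to turn the passphrase into the session key. It is a pure-Python model written for this page: the salt, the passphrase and the choice of SHA-1 as the hash are constructed sample values, and `kdf_added_bits` / `passphrase_bits` are helper names invented here to put the iteration count and the passphrase entropy on the same scale.

```python
"""Added example (not from the thread or from GnuPG): a pure-Python model of
the OpenPGP Iterated and Salted S2K key derivation (RFC 4880, 3.7.1.3)."""
import hashlib
import math


def decode_s2k_count(coded: int) -> int:
    """Decode the one-octet coded count into the number of octets hashed.
    0x00 -> 1024 octets, 0xFF -> 65011712 octets (the largest encodable)."""
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded_count: int,
                        key_len: int, hash_name: str = "sha1") -> bytes:
    """Derive key_len octets from a passphrase and an 8-octet salt.

    The hash is fed `count` octets of (salt || passphrase) repeated, ending in
    a truncated copy. If the key is longer than one digest, more hash contexts
    are run, each preloaded with one more zero octet than the previous one,
    and their digests are concatenated (RFC 4880, 3.7.1.1)."""
    if len(salt) != 8:
        raise ValueError("S2K salt must be exactly 8 octets")
    data = salt + passphrase
    # The spec never hashes fewer octets than one full copy of salt||passphrase.
    count = max(decode_s2k_count(coded_count), len(data))
    out = b""
    ctx_index = 0
    while len(out) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * ctx_index)   # context 0: nothing, context 1: one zero, ...
        remaining = count
        while remaining > 0:
            chunk = data[:remaining]    # whole copies, then the partial last copy
            h.update(chunk)
            remaining -= len(chunk)
        out += h.digest()
        ctx_index += 1
    return out[:key_len]


def kdf_added_bits(coded_count: int, passphrase_len: int, salt_len: int = 8) -> float:
    """Work the iteration count adds to each guess, in bits: log2 of how many
    times (salt || passphrase) is hashed compared with hashing it once."""
    count = max(decode_s2k_count(coded_count), salt_len + passphrase_len)
    return math.log2(count / (salt_len + passphrase_len))


def passphrase_bits(length: int, alphabet_size: int = 95) -> float:
    """Entropy of a uniformly random passphrase of `length` symbols drawn
    from an alphabet of `alphabet_size` symbols (95 = printable ASCII)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    salt = bytes.fromhex("0123456789abcdef")   # constructed sample salt
    pw = b"x9!Qm2#vLp7@Rs4^Wz1$"                # constructed 20-character sample
    key = s2k_iterated_salted(pw, salt, 0xFF, 32)   # 32 octets = one AES-256 key
    print("derived key:", key.hex())
    print("octets hashed per guess at count 0xFF:", decode_s2k_count(0xFF))
    print("bits the KDF adds per guess: %.1f" % kdf_added_bits(0xFF, len(pw)))
    print("bits in a random 20-char printable passphrase: %.1f" % passphrase_bits(20))
```

The point the numbers make: even at the largest encodable count, the S2K iteration adds only about 21 bits of work per guess, and it is a plain hash loop with no memory cost, so a short or guessable passphrase gets little help from it; a 20-character random passphrase carries around 131 bits on its own, which is why the length matters more than the KDF here. The S2K mode, hash and count actually used by a given `.gpg` file can be read back with `gpg --list-packets` on the ciphertext.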
~~~
brdrak
Thanks. Secure enough to store out in the open (e.g. public git repo, etc)?

------
olefoo
First question, are you certain there is no keylogger on the computer you are
typing the password on?

Oh yeah, keyloggers don't have to be in your computer's software either:
[https://freedom-to-tinker.com/blog/felten/acoustic-snooping-typed-information/](https://freedom-to-tinker.com/blog/felten/acoustic-snooping-typed-information/)

~~~
drill_sarge
You boot from a Live-CD. But then maybe someone has put a logger in your
keyboard. Or is doing powerline monitoring. Or watching you with an infrared
camera. And so on...

~~~
brdrak
Let's say I have access to multiple computers at several locations, and at
least one is secure. I encrypt the plain text on c1, put it on a USB key, encrypt
the encrypted file again on c2. Then again. Then transfer the file to a new
USB key and destroy the original (in case the file system there has remnants of
other files).

The adversary would have to know all three passwords to decrypt the final
file.gpg.gpg.gpg, correct?

