PGP, gpg-agent, and KDF criticisms?

Matthieu Weber mweber at
Wed Oct 28 07:31:10 CET 2020

I reply to myself to add a few more explanations.

On Tue, 27 Oct 2020 at 11:06PM +0200, Matthieu Weber wrote:
> On Tue, 27 Oct 2020 at 02:48PM -0400, TRS-80 wrote:
> > Pretty quickly thereafter, both of main devs reply[2] with some
> > criticisms of PGP, gpg-agent, and some other concept (KDF?)
> > which I am not actually even familiar with.  The following are their
> > comments, which I quote in full:
> > 
> > > droidmonkey
> > > 
> > > Pass offers the barest minimal protections. I would never endorse
> > > the product because it is very easy to expose all of your secrets to
> > > any program by using gpg-agent to remember your credentials. There
> > > is also no concept of a KDF so brute forcing is an option, in fact
> > > their encryption method is undocumented or at least not readily
> > > apparent from their website.

Regarding the use of a KDF in GPG, droidmonkey's statement is wrong,
AFAICT (it may have been true at some point in the past, maybe).

GPG uses one of the KDF defined in RFC 4880 according to
and by default uses the variant with iterative salting. If I've
understood correctly what man gpg and man gpg-agent explain about the
--s2k-* options, the number of iterations is chosen such that it takes
300 ms to calculate the key from the passphrase (that is the key that
protects the secret key, not the secret key itself).

 (~._.~)        Matthieu Weber - matthieu at        (~._.~)
  ( ? )                         ( ? )
 ()- -()           public key id : 0x85CB340EFCD5E0B3            ()- -()
 (_)-(_) "Humor ist, wenn man trotzdem lacht (Otto J. Bierbaum)" (_)-(_)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <>

More information about the Password-Store mailing list