What is the default cipher algorithm for GnuPG?

TL;DR: For GnuPG 1.0 and 2.0, the default is CAST5; for GnuPG 2.1 it is AES-128.

Recipient's Preferences

By default, GnuPG will read the recipient's algorithm preferences and take the first algorithm in that list it supports (in other words, it takes the most-preferred supported algorithm the recipient asks for).

Safe Algorithms

If no preferences are given (or --symmetric is used for symmetric encryption using a passphrase), it chooses a "safe" one. Safe means one that must be or should be implemented. Which one this is depends on the version of GnuPG and the compatibility level chosen. You can easily verify this by starting a symmetric encryption, passing one of the compatibility levels (or none, which implies --gnupg):

gpg --verbose --symmetric
gpg: using cipher CAST5

Strict RFC Compliance

On the other hand, if enforcing strict OpenPGP compliance following RFC 4880, it drops to triple DES:

gpg --rfc4880 --verbose --symmetric
gpg: using cipher 3DES

The same applies if enforcing RFC 2440 using --rfc2440.

GnuPG 2.1 Defaults to AES-128

GnuPG 2.0 also uses CAST5 with the default --gnupg, while this default was changed to AES-128 in GnuPG 2.1:

LANG=C gpg2 --verbose --symmetric
gpg: using cipher AES

(AES without further specification means AES-128 in GnuPG.)

GnuPG 2.1 uses the same algorithms for the RFC-compliant settings.

Digest Algorithms

For digest algorithms, similar algorithm preference inference is performed. If --verbose is set as an option, the used algorithm is printed.

An exception is the Modification Detection Code Packet, which only allows SHA-1 with no algorithm choice as defined by the standard.


The defaults must have changed. The default (in early 2019) for gnupg-1.4.23 is AES128. The default for gnupg-2.1.18 is AES256. The manpages for both versions state that the default is AES128 but that's wrong for gnupg-2.1.18.

To answer this yourself for your version of gnupg, do:

echo hi > testfile
gpg -c -vv testfile
rm testfile testfile.gpg

After entering the passphrase twice, it'll say something like:

gpg: using cipher AES
gpg: writing to `testfile.gpg'

or:

gpg: using cipher AES256
gpg: writing to 'testfile.gpg'

AES means AES128.
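
Added example, not part of either answer above: the cipher that gpg -c picked is also recorded in the output file itself, in the leading Symmetric-Key Encrypted Session Key packet (tag 3, RFC 4880), so it can be read back from an existing binary .gpg file without the passphrase. The function names and the two sample byte strings are constructed for illustration; only version 4 SKESK packets are handled, and files encrypted to a public key do not expose the cipher this way.

```python
# Symmetric algorithm IDs from RFC 4880 section 9.2 (Camellia from RFC 5581).
CIPHERS = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "BLOWFISH", 7: "AES128",
           8: "AES192", 9: "AES256", 10: "TWOFISH",
           11: "CAMELLIA128", 12: "CAMELLIA192", 13: "CAMELLIA256"}

def read_packet(data):
    """Return (tag, body) of the first OpenPGP packet in data."""
    # A v4 SKESK packet is at least 6 bytes; bit 7 is set on every packet header.
    if len(data) < 6 or not data[0] & 0x80:
        raise ValueError("not a binary OpenPGP packet (too short or ASCII-armored)")
    first = data[0]
    if first & 0x40:                          # new-format header
        tag, l0 = first & 0x3F, data[1]
        if l0 < 192:
            length, start = l0, 2
        elif l0 < 224:
            length, start = ((l0 - 192) << 8) + data[2] + 192, 3
        elif l0 == 255:
            length, start = int.from_bytes(data[2:6], "big"), 6
        else:
            raise ValueError("partial body length not supported")
    else:                                     # old-format header
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        size = (1, 2, 4)[ltype]
        length, start = int.from_bytes(data[1:1 + size], "big"), 1 + size
    body = data[start:start + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body

def symmetric_cipher(data):
    """Name the cipher recorded in a leading version 4 SKESK packet (tag 3)."""
    tag, body = read_packet(data)
    if tag != 3:
        raise ValueError(f"first packet has tag {tag}, not an SKESK packet")
    if len(body) < 2 or body[0] != 4:
        raise ValueError("only version 4 SKESK packets are handled")
    return CIPHERS.get(body[1], f"unknown({body[1]})")

# Constructed samples (zeroed salt, not real gpg output):
# old-format header, cipher 3, iterated+salted S2K with SHA-1
SAMPLE_CAST5 = bytes.fromhex("8c0d04030302") + bytes(8) + b"\x60"
# new-format header, cipher 9, iterated+salted S2K with SHA-256
SAMPLE_AES256 = bytes.fromhex("c30d04090308") + bytes(8) + b"\x60"
```

For a real file, pass the first few dozen bytes: symmetric_cipher(open("testfile.gpg", "rb").read(64)).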