What is the most robust available algo for GPG symmetric encryption?

Use AES-256 (because it stops people from lecturing you about quantum computers).

If you don't have particular (performance) requirements in mind, 256-bit AES is a good and safe choice. But that doesn't mean there are practical attacks against the other ciphers. Ultimately, it's a matter of personal preference since nobody can predict which theoretical observations might work as practical attacks in the future.

In fact, you can also safely use AES-128, which is about 30% faster. There is a bit of a disagreement about whether it's worth switching from AES-128 to AES-256: Doubling the key size doesn't prevent any current attacks because searching the key space is not practical either way. However, the difference becomes important when at some point in the future quantum computers might be able to execute Grover's algorithm, which effectively halves the key size and hence could make brute-force attacks against AES-128 feasible. But that's a theoretical future scenario. The article "Guess why we're moving to 256-bit AES keys" is a good read on AES key sizes.

Similar to @SteffenUllrich, I'm comfortable with the AES family because, due to its status as a NIST standard, AES has been studied extensively, and it has been around for quite a while without anyone having published any concerning weaknesses.

The GnuPG FAQ has an opinion, too:

11.10 What are the best algorithms in GnuPG?

MD5 and SHA-1 should be avoided if possible, and for bulk encryption it’s best to use Camellia, Twofish, or AES. Beyond that guidance there is no “best algorithm” in GnuPG. It’s sort of like asking whether Godzilla or King Kong is better at terrorizing urban cities: there is no clear-cut winner.

This is not to say you shouldn’t have preferences, though. It is only to say that GnuPG’s algorithms are so well-designed for what they do that there is no single “best”. There’s just a lot of personal, subjective choice.


You should use one of the AES variants, because it's the most common modern cipher by far, and as such:

  1. Has been scrutinized more closely than most of the alternatives;
  2. There is considerable hardware support for AES. E.g., Intel CPUs and many ARM mobile CPUs have had hardware AES acceleration for years.

GnuPG version 2.1 uses AES (128 bit key) as the default, so if you have that version you don't need to tweak the default at all. Older versions default to CAST5, but if they support AES it is worthwhile to override that default. (Neglecting to do so shouldn't be a cause for alarm, however.)


Now, to go over the other alternatives:

  • IDEA, 3DES, CAST5 and Blowfish have a 64-bit block size. Such ciphers are best avoided even if they're not technically known to be insecure. Matthew Green has an accessible blog article on this topic.
  • 3DES is very slow in addition to the 64-bit block size. The only good reason to ever use 3DES is that tons of legacy systems use plain DES (which is insecure), and 3DES is a way of upgrading those systems' security without major investment.
  • Camellia, like AES, supports the more modern 128-bit block size. There's nothing obviously bad with Camellia, but it's just not used nearly as much as AES, so it doesn't benefit from the resulting network effects.
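
The override described in the answer above, as an added example that is not part of the original answers: it sets the cipher explicitly with `--cipher-algo`, then reads the cipher ID back from a file's symmetric-key packet to flag files that still use a 64-bit-block cipher. It assumes GnuPG 2.1 or later on the PATH; the function names and `DEMO_PASSPHRASE` are hypothetical, and the sample data is constructed.

```shell
#!/bin/sh
# Added example, not code from the answers. Assumes GnuPG 2.1+ on PATH.
# Function names and DEMO_PASSPHRASE are hypothetical; sample data is constructed.

# Symmetrically encrypt file $1 to $2 with cipher $3 (default AES256).
gpg_sym_encrypt() {
    printf '%s' "$DEMO_PASSPHRASE" |
        gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-fd 0 \
            --symmetric --cipher-algo "${3:-AES256}" --output "$2" "$1"
}

# Print the cipher ID stored in the cleartext symmetric-key packet of $1.
# No passphrase is needed: stdin is empty and --list-only skips decryption.
gpg_sym_cipher_id() {
    gpg --batch --pinentry-mode loopback --passphrase-fd 0 \
        --list-only --list-packets "$1" </dev/null 2>/dev/null |
        sed -n 's/^:symkey enc packet:.* cipher \([0-9][0-9]*\).*/\1/p'
}

# OpenPGP cipher ID -> name (RFC 4880 section 9.2, RFC 5581).
cipher_name() {
    case $1 in
        1) echo IDEA ;; 2) echo 3DES ;; 3) echo CAST5 ;; 4) echo BLOWFISH ;;
        7) echo AES128 ;; 8) echo AES192 ;; 9) echo AES256 ;; 10) echo TWOFISH ;;
        11) echo CAMELLIA128 ;; 12) echo CAMELLIA192 ;; 13) echo CAMELLIA256 ;;
        *) echo UNKNOWN ;;
    esac
}

# Succeeds (exit 0) if cipher ID $1 has a 64-bit block.
is_64bit_block() {
    case $1 in 1|2|3|4) return 0 ;; *) return 1 ;; esac
}

# Report the cipher of file $1; exit status 1 flags a 64-bit-block cipher.
audit_file() {
    id=$(gpg_sym_cipher_id "$1")
    [ -n "$id" ] || { echo "$1: no symmetric-key packet found"; return 2; }
    if is_64bit_block "$id"; then
        echo "$1: $(cipher_name "$id") (64-bit block, re-encrypt with AES)"; return 1
    fi
    echo "$1: $(cipher_name "$id") (128-bit block)"
}

# Usage: sh this-file.sh demo
if [ "${1:-}" = demo ]; then
    export GNUPGHOME="$(mktemp -d)" DEMO_PASSPHRASE='constructed-demo-passphrase'
    printf 'constructed plaintext\n' >"$GNUPGHOME/plain.txt"
    gpg_sym_encrypt "$GNUPGHOME/plain.txt" "$GNUPGHOME/plain.gpg" AES256
    audit_file "$GNUPGHOME/plain.gpg"
fi
```
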
