When should I use symmetric encryption instead of RSA?

This is not a question of size.

The raw asymmetric encryption algorithm known as RSA can do asymmetric encryption for a "message" in a rather limited space; namely, with a 2048-bit RSA key and PKCS#1 v1.5 RSA encryption, the algorithm can process a sequence of bytes up to 245 bytes at most.

But you never use the raw algorithm. You use a protocol, in this case OpenPGP, which defines the algorithms to use and where each byte goes. In OpenPGP, when the recipient has a public/private key pair and you want to encrypt your message "with the public key" (i.e. you want the message to be unreadable except by whoever knows the corresponding private key), then you invoke your OpenPGP-compatible software which will then follow the OpenPGP rules -- and these rules are that symmetric encryption is always used: the software generates a random symmetric key K, encrypts the message itself with a symmetric algorithm using K as key, then encrypts K (not the message) with the recipient's RSA public key. You don't have to choose, and you don't get to choose: this is the way OpenPGP works.

Designing your own secure protocol, and then implementing it securely, are two incredibly hard tasks ("incredibly" because people don't believe it at first) so the smart thing is not to do it yourself, but instead use an existing protocol (e.g. OpenPGP) and existing implementations of that protocol (e.g. GnuPG). In that sense, you should not ask yourself this question.


Any file size really. Symmetric cryptography generally provides a much, MUCH higher level of security for a given key length. This is why we can use 128 bit symmetric algorithms but have to use 1024 or 2048 bit asymmetric algorithms. There are also a few attacks that make it easier to figure out certain asymmetric algorithms if you have a larger amount of structured data encrypted with them. Additionally, Symmetric algorithms are FAR faster to execute and asymmetric algorithms give you no added benefit when protecting files.

You only need asymmetric cryptography when you need to exchange information with a particular individual that you don't have a key exchanged with (and even then, you use symmetric and encrypt the key asymmetrically normally) or when you need to sign something (in which case you encrypt the hash value asymmetrically).

Asymmetric encryption should pretty much always be used on the absolute smallest possible amount of information for both security and efficiency reasons. This is, in fact, what many, if not most, established protocols that utilize asymmetric cryptography are based on.


PGP, GPG, SSH, and most public key systems already use symmetric algorithms internally.

Internally, when you encrypt with a public key, the software/hardware first generates a symmetric key and encrypts your data with the symmetric algorithm. And then it encrypts that symmetric key with the public key (using an asymmetric algorithm) and stores the encrypted symmetric key within the ciphertext. On the other end, the recipient needs the secret key to decrypt the symmetric key stored with the cipher text and then use the symmetric key to decrypt the cipher text and retrieve the message. In all of these steps, the only elements that the users see are: public keys, plaintext, ciphertext, secret keys. The symmetric key and encryption is all internal and never exposed to the users. That way, you are getting the benefits of asymmetric algorithms (being able to encrypt to multiple people with public keys), but also the speed of symmetric algorithms.

This is also the reason why when you change your GPG/PGP keys' passwords, you can still decrypt the files encrypted with you public key earlier. The key is actually stored in the file and is the only part that is truly encrypted with pure public key goodness!