I'm working on PGP symmetric-key (passphrase) encryption. The options below should be used to encrypt the file:

  1. Symmetric-Key Algorithm should be 9 (AES-256)
  2. Compression Algorithm should be 0 (Uncompressed)
  3. Hash Algorithm should be 8 (SHA-256)
  4. Passphrase: Server Secret concatenated with a random 256-bit Client Secret
  5. S2k-count: 65535
  6. Filename: Any non-null value (typically the FileId + PartNumber)
  7. Mode: b (62)

I want to encrypt the file using the above options. I tried this, and it's working but somehow it's not creating the correct encrypted file.

I'm using a third-party integration that has asked me to encrypt the file using the above options. When they try to decrypt the file at their end, it fails. So that's how I know there is something wrong with the options.

gpg --passphrase 'Test' --s2k-digest-algo SHA256 --cipher-algo AES256 --compress-algo 0 --s2k-count 65535 -e -r "Test" sample.csv

Is this correct? Can anyone tell me the correct options?

  • I've migrated this question, but please edit the question to indicate why you think "it is not creating the correct encrypted file". Commented Oct 10, 2021 at 20:07
  • @MaartenBodewes Added Commented Oct 10, 2021 at 20:11
  • Hmm, yeah, but now we can only check if the options do comply with your requirements, not how or why the decryption fails. Are you sure they are also using Test as passphrase? If you don't have more information, I would suggest you contact them to figure out where it goes wrong. Why not ask them how they encrypt, and that they provide a test set? Commented Oct 10, 2021 at 21:58
  • gpg -e -r recipientid does publickey (hybrid) encryption; gpg -c [--passphrase password [--batch | --pinentry-mode=loopback]] does password-based 'symmetric' encryption of the data (not the passphrase). Read the man page. Note the passphrase must be human-typable, so (something described as) a '256-bit client secret' probably doesn't work. Commented Oct 11, 2021 at 2:04
  • What does "Mode: b (62)" mean? Commented Oct 11, 2021 at 6:27

1 Answer


Symmetric-Key Algorithm should be 9 (AES-256)

Use option --cipher-algo AES256 or --cipher-algo S9.

Compression Algorithm should be 0 (Uncompressed)

Use option --compress-algo Uncompressed or --compress-algo Z0.

Hash Algorithm should be 8 (SHA-256)

Use option --s2k-digest-algo SHA256 or --s2k-digest-algo H8.

Passphrase: Server Secret concatenated with a random 256-bit Client Secret

To include this value on the command line, use option --pinentry-mode loopback --passphrase 'ServerSecret+ClientSecret'. Otherwise, just enter the passphrase at the Pinentry prompt.

S2k-count: 65535

Use option --s2k-count 65535.

Filename: Any non-null value (typically the FileId + PartNumber)

Use option --output FileIDPartNumber.

Mode: b (62)

The "b" means binary (62 is the hex code value for the letter 'b'). This refers to the data format being binary as opposed to text. It will be binary by default so you don't need to do anything special to satisfy this condition (the only way to screw this up is using the option --textmode).

gpg --passphrase 'Test' --s2k-digest-algo SHA256 --cipher-algo AES256 --compress-algo 0 --s2k-count 65535 -e -r "Test" sample.csv

Is this correct?

No, you don't want to use -e or -r if you want symmetric encryption. You also need to use --pinentry-mode loopback when entering the passphrase on the command line.

Something like this should produce a file encrypted to the given specifications:

gpg --output FileIDPartNumber --pinentry-mode loopback --passphrase 'ServerSecret+ClientSecret' --cipher-algo S9 --compress-algo Z0 --s2k-digest-algo H8 --s2k-count 65535 --symmetric sample.csv
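To confirm that a produced file really carries the requested parameters, the leading symmetric-key encrypted session key (SKESK) packet can be parsed. The following is an added example, not part of the original answer; it handles only a version 4 SKESK with iterated and salted S2K, the sample bytes are constructed, and the round-up in `encode_count` is an assumption about how an encoder treats a count such as 65535 that the one-octet coding cannot represent exactly.

```python
# Constructed sample: start of a passphrase-encrypted OpenPGP message
# (old-format header, tag 3, 13-byte version 4 SKESK body).
SAMPLE = bytes.fromhex("8c0d04090308" "0123456789abcdef" "60")
REQUIRED = {"cipher": 9, "hash": 8}  # AES-256, SHA-256 (from the question)

def decode_count(c):
    """RFC 4880 section 3.7.1.3: expand the one-octet coded iteration count."""
    return (16 + (c & 15)) << ((c >> 4) + 6)

def encode_count(n):
    """Smallest coded octet whose count is >= n (assumed round-up policy)."""
    return next((c for c in range(256) if decode_count(c) >= n), 255)

def parse_skesk(data):
    """Parse a leading version 4 SKESK packet into its S2K parameters."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not a binary OpenPGP packet (ASCII-armored input?)")
    if data[0] & 0x40:  # new-format header
        tag, length, body = data[0] & 0x3F, data[1], 2
        if length >= 192:
            raise ValueError("multi-octet length not expected for an SKESK")
    else:  # old-format header
        tag, ltype = (data[0] >> 2) & 0x0F, data[0] & 0x03
        if ltype > 1:
            raise ValueError("unexpected length type for an SKESK")
        length = int.from_bytes(data[1:2 + ltype], "big")
        body = 2 + ltype
    if tag != 3:
        # Tag 1 is a public-key encrypted session key, as produced by -e -r.
        raise ValueError(f"first packet has tag {tag}, not 3 (SKESK)")
    p = data[body:body + length]
    if len(p) < 13 or p[0] != 4 or p[2] != 3:
        raise ValueError("only version 4, iterated+salted S2K is handled")
    return {"cipher": p[1], "hash": p[3], "salt": p[4:12].hex(),
            "count": decode_count(p[12])}

def check(data, count=65535):
    """Return {field: (found, wanted)} for every field that differs."""
    want = dict(REQUIRED, count=decode_count(encode_count(count)))
    got = parse_skesk(data)
    return {k: (got[k], v) for k, v in want.items() if got[k] != v}

if __name__ == "__main__":
    print(parse_skesk(SAMPLE), check(SAMPLE), encode_count(65535))
```

Feed it the first bytes of the binary file written by `--output`; an empty result from `check` means the cipher, hash and iteration count match.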
