Static 1.4 gnupg requires --enable-static-rnd=linux and -static to ldflags

Jari's key iteration boost patch:
Note: patch works on 1.4.2

From http://loop-aes.sf.net/loop-AES.README

When gpg encrypts data with symmetric cipher only or when gpg encrypts secret keyring keys with secret passphrase, gpg uses seeded (salted) and iterated key setup. However, default amount of iteration is tuned for slow processors and can be increased for better resistance against dictionary attacks. Larger key iteration makes key setup much slower, but also makes dictionary attacks much slower too. Included optional gpg patch makes gpg password iteration 128 times slower. gpg stores new iteration value along with seed bytes into symmetric cipher encrypted output file or secret keyring, so unpatched gpg versions will read and decrypt the data just fine.

gpg sources are available from: ftp://ftp.gnupg.org/gcrypt/gnupg/

These commands, as root user, will recompile and install gpg and gpgv and their man pages:

    zcat gnupg-1.4.1.tar.gz | tar xvf -
    cd gnupg-1.4.1
    patch -p1 <../gnupg-1.4.1.diff
    CFLAGS="-O2" LDFLAGS="-static -s" ./configure --prefix=/usr --enable-static-rnd=linux
    make
    rm -f /usr/share/man/man1/{gpg,gpgv}.1.gz
    make install
    chown root.root /usr/bin/gpg
    chmod 4755 /usr/bin/gpg

Note: Above instructions create statically linked version of gpg. Static linking is necessary if you ever decide to encrypt your root partition.

Reproducible: Always

Steps to Reproduce:
1. Follow instruction in section 5 of http://loop-aes.sf.net/loop-AES.README
2. Above results in modified ebuild that is attached
3. Compile with USE=static, get static gpg with key iteration boost of 128
Created attachment 67105 [details] Modified Ebuild for 1.4.2-r1 with static and Jari's patch
I'm concerned that Jari's key iteration boost patch will break backwards compatibility.
Added without Jari's patch. If you can show the Jari patch doesn't break backwards compatibility I'll include it.
I have been using Jari's patch with no problems communicating to PGP and older GnuPG users. Jari himself says (and I quoted in the original report): "gpg stores new iteration value along with seed bytes into symmetric cipher encrypted output file or secret keyring, so unpatched gpg versions will read and decrypt the data just fine." So I think in the interests of good security we can put in Jari's patch.
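The compatibility claim discussed in the original report and in the comment above rests on how OpenPGP stores the iteration count: the iterated+salted S2K specifier carries a one-octet coded count next to the salt, so any reader expands whatever count the writer chose. The following is an added example, not code from the bug, loop-AES or GnuPG; it decodes and encodes that octet per RFC 4880 section 3.7.1.3 and parses a constructed specifier. The coded values 0x60 (the old gpg 1.4 default, 65536) and 0xD0 (128 times more) are assumptions used to illustrate the boost.

```python
# OpenPGP iterated+salted S2K (RFC 4880 section 3.7.1.3).
# The count octet c expands to (16 + (c & 15)) << ((c >> 4) + 6) bytes hashed.
EXPBIAS = 6
S2K_ITERATED_SALTED = 3


def decode_s2k_count(c: int) -> int:
    """Expand a coded count octet into the number of bytes hashed."""
    if not 0 <= c <= 255:
        raise ValueError("coded count must be a single octet")
    return (16 + (c & 15)) << ((c >> 4) + EXPBIAS)


def encode_s2k_count(n: int) -> int:
    """Smallest coded octet whose expansion is at least n (saturates at 255).

    Expansion is monotonic in c, so a linear scan finds the minimum octet.
    """
    for c in range(256):
        if decode_s2k_count(c) >= n:
            return c
    return 255


def boost_factor(default_c: int, boosted_c: int) -> float:
    """How many times slower key setup becomes when the count octet changes."""
    return decode_s2k_count(boosted_c) / decode_s2k_count(default_c)


def parse_s2k(spec: bytes) -> dict:
    """Parse a mode-3 S2K specifier: mode, hash algo, 8 salt bytes, count octet.

    This is what an unpatched reader does: it never assumes a default count,
    it expands the octet that was written alongside the salt.
    """
    if len(spec) != 11 or spec[0] != S2K_ITERATED_SALTED:
        raise ValueError("expected an 11-byte iterated+salted S2K specifier")
    return {
        "hash_algo": spec[1],
        "salt": spec[2:10],
        "count": decode_s2k_count(spec[10]),
    }


# Constructed specifier: mode 3, hash algo 2 (SHA-1), fixed salt, count 0xD0.
SAMPLE_SPEC = bytes([S2K_ITERATED_SALTED, 2]) + bytes(range(1, 9)) + bytes([0xD0])
```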
Venkat - thanks. Added Jari's patch to gnupg-1.4.2-r2