GPG symmetric encryption - universal fallback that’s always there. Perfect for long-term cold storage and air-gapped setups.

Base Command

gpg --symmetric --armor file

Hardened Version

gpg --symmetric \
    --armor \
    --cipher-algo AES256 \
    --s2k-digest-algo SHA512 \
    --s2k-count 65011712 \
    --s2k-mode 3 \
    file

All params embedded in file. Future decryption just needs vanilla GPG.

Symmetric vs Asymmetric Security

• Symmetric: single point of failure (password) vs multiple (private key, config files, keyring)
• No key management complexity
• No web of trust/keyserver issues
• No risk of key revocation problems
• No forward secrecy concerns
• Easier to rotate (just re-encrypt)
• Simpler to verify security properties
• Quantum resistant (AES-256)
• Easier air-gap procedures
• No metadata about recipients
• No risk of GPG version compatibility with key formats

Parameter Reasoning

• AES256: Post-quantum resistant (Grover’s = ~2^128 operations)
• SHA512: Better suited for modern 64-bit systems than SHA256
• s2k-count 65011712: Higher iteration count = stronger key derivation
• s2k-mode 3: Salted + iterated mode, prevents rainbow tables
• armor: ASCII output, safer across systems, easier inspection

Quantum Resistance

• Symmetric AES256: Quantum resistant (Grover’s algorithm only halves security)
• Good for long-term storage even in post-quantum era
• Only applies to symmetric mode - asymmetric GPG not quantum safe
• NIST approved for post-quantum standards

Keys & Memory

• Password length > 20 chars minimum
• GPG wipes temp memory after use
• Uses kernel memory locking when available
• Memory dumps during decryption won’t leak full key
• Memory wiping works even after crash/panic

Air-Gapped Usage

# On networked system
gpg --symmetric --armor --output secrets.asc secrets.txt

# Transfer to air-gapped via USB

# On air-gapped (any live distro)
gpg --decrypt secrets.asc

Works on any live distro - GPG comes standard. No config or setup needed. Perfect for:

• Air-gapped cold storage
• Dead drop file transfer
• Offline key storage
• Cross-system secrets

Note: Always check gpg binary hash on untrusted systems.

Why it works

• Zero deps
• No config needed
• Params in file
• Part of GNU coreutils
• Universal availability

Parameters explicit during encryption > editing configs. Keep systems vanilla.