Performance regression for gnupg v2 keys
Felix A. Kater
fkater at posteo.net
Fri Sep 21 10:14:07 CEST 2018
wk:
> We try to achieve that this decryption process takes about 100ms;
Oh, I see...
> When you change the passphrase of an old key the first time or
> when you import it to gpg the key is re-encrypted so that it takes
> that long.
So, the trigger for this delay is then inherent to the re-encrypted
key itself, not primarily dependent on the agent or gnupg library
configuration, correct?
I am asking this detail because
- I need to move the keys to another machine, into a postgresql
database where gnupg seems to be part of postgresql itself
(pgcrypto) and cannot be hand-configured easily, and
- I'd like to know if I have to re-create all existing (slow) keys
after applying --with-agent-s2k-calibration=MSEC to gnupg (on the
machine where the keys are generated).
Please confirm.
> It seems that you are doing a lot of operations with that key in a row.
> gpg-agent's cache will cache the unprotected key so that the 100ms to
> unprotect the key is only spent once during the caching time to live (10
> minutes by default). Make sure that the cache is enabled by checking the
> options --max-cache-ttl and default-cache-ttl. Depending on your use
> case you may want to work without a passphrase (key protection) at all.
Indeed: We do many decryptions, let me explain in short:
It is postgresql that receives passphrase protected gpg keys
(pgcrypto). Otherwise it couldn't execute SQL queries on encrypted
data. So, I am forced to move the whole decryption work to
postgresql instead of dealing with decryption after the query using
(a clean version of) gnupg. I don't know about postgresql's
internals but it doesn't seem to even run an agent... And just as an
example: A query using gnupg 1.x keys that completes within 3 sec
takes 40 sec with 2.x keys.
> that value can be changed at build time using the configure option
> --with-agent-s2k-calibration=MSEC but not at run time.
This sounds like a suitable solution. I've seen that option here
[1] but it is missing in official gnupg. What do you recommend?
Felix
[1] https://dev.gnupg.org/source/gnupg/browse/master/configure.ac
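The quoted reply's point, that the ~100ms delay lives in the re-encrypted key rather than in the agent configuration, follows from how OpenPGP stores the S2K work factor: a single count octet in the secret-key packet (RFC 4880, section 3.7.1.3). The script below, added here and not part of the thread or of GnuPG, decodes and encodes that octet, runs the iterated-salted S2K with it, and mimics a MSEC-style calibration by timing one probe run; the calibration approach and the probe/salt values are my assumptions, not gpg-agent's code.

```python
import hashlib
import time

def s2k_decode_count(octet: int) -> int:
    """RFC 4880 3.7.1.3: the count octet stored in the key packet encodes
    how many bytes the iterated-salted S2K feeds through the hash."""
    if not 0 <= octet <= 255:
        raise ValueError("count octet must fit in one byte")
    return (16 + (octet & 15)) << ((octet >> 4) + 6)

def s2k_encode_count(wanted: int) -> int:
    """Smallest count octet whose decoded count is >= wanted (capped at 255).
    The decode function is monotonic in the octet, so a linear scan is exact."""
    for octet in range(256):
        if s2k_decode_count(octet) >= wanted:
            return octet
    return 255

def iterated_salted_s2k(passphrase: bytes, salt: bytes, octet: int,
                        algo: str = "sha1") -> bytes:
    """Derive the key-protection key as OpenPGP does: hash salt+passphrase
    repeatedly until `count` bytes have been hashed. The work is fixed by
    the octet in the key, which is why a re-encrypted key stays slow
    wherever it is used (pgcrypto included, which has no agent cache)."""
    count = s2k_decode_count(octet)
    block = salt + passphrase
    count = max(count, len(block))  # RFC 4880: at least one full block
    full, rest = divmod(count, len(block))
    h = hashlib.new(algo)
    h.update(block * full)
    h.update(block[:rest])
    return h.digest()

def calibrate_octet(target_ms: float, probe_octet: int = 192) -> int:
    """Assumed calibration model (not gpg-agent's own code): time one S2K
    with a known count, scale linearly to the target, pick the octet."""
    salt = b"\x00" * 8  # constructed 8-byte salt; value irrelevant for timing
    t0 = time.perf_counter()
    iterated_salted_s2k(b"probe", salt, probe_octet)
    elapsed_ms = (time.perf_counter() - t0) * 1000
    bytes_per_ms = s2k_decode_count(probe_octet) / max(elapsed_ms, 1e-6)
    return s2k_encode_count(int(target_ms * bytes_per_ms))

if __name__ == "__main__":
    # gpg --list-packets shows this as "protect count: 65011712 (255)"
    print(s2k_decode_count(255), s2k_decode_count(96))
    print("octet for ~100ms on this host:", calibrate_octet(100))
```

On a key exported from gpg, `gpg --list-packets` prints the same count and octet, so the decoded value can be compared directly against what this script derives for a target.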