How do I fix "WARNING: message was not integrity protected" when using GPG symmetrical encryption?

I've encrypted a file using symmetric encryption like this:

gpg --symmetric myfile

which results in a file myfile.gpg.

Alright. Now let's decrypt the file again:

gpg -o myfile --decrypt myfile.gpg

I'm being asked for the passphrase I've put on, and then I see

gpg: CAST5 encrypted data
gpg: encrypted with 1 passphrase
gpg: WARNING: message was not integrity protected

I'm not sure about the first and last line there.

  • What is the CAST5 cipher and is it secure? I know 3DES and AES and I know those are secure.
  • Why isn't it protected for integrity?
  • And moreover, how do I fix this?

Solution 1:

Background

CAST-5 is an older encryption algorithm used by GnuPG because AES didn't exist yet back when GnuPG was initially created (source). It's not widely used (apart from GnuPG, for compatibility reasons).

The WARNING: message was not integrity protected is because this feature isn't turned on by default at time of encryption. If this was turned on, GnuPG could tell if the file has been altered in transit.

Update: modern versions of GnuPG shipped with Ubuntu/Debian now have MDC enabled by default and you should never see this message again for anything signed with these newer versions.

Solutions

To use the stronger AES-256 cipher you've got to specify it either on the command line or in your configuration file.

  • Command-line: add the --cipher-algo AES256 option so the full line to encrypt becomes

    gpg -o myfile.gpg --cipher-algo AES256 --symmetric myfile
    
  • Configuration file (recommended): add the following line to your ~/.gnupg/gpg.conf configuration file.

    cipher-algo AES256
    

    I recommend this approach because it will be used for all future GPG operations on this user account.

There's nothing to change for the user to decrypt the file - GnuPG will detect this automatically.

Note that using the AES-256 cipher, the message is automatically protected for integrity. To manually enable the integrity protection on other ciphers for which this is not enabled (like CAST-5) add the --force-mdc option when encrypting.

Even better: sign!

An even better approach would be to sign your files with your keypair (if you have it). Just add the --sign option to the encryption command, like this:

gpg -o myfile.gpg --cipher-algo AES256 --sign --symmetric myfile

This will not only validate the integrity of the file, but also make it possible for the recipient of the file to verify its origin. Any alteration to the file would cause the signature check to fail.
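The two diagnostics in the question ("CAST5 encrypted data" and "message was not integrity protected") come straight from the OpenPGP packets GnuPG wrote: the Symmetric-Key Encrypted Session Key packet (tag 3) names the cipher, and the data packet is either tag 9 (no MDC) or tag 18 (MDC present). The script below, an added example that is not part of the original answer or of GnuPG, reads those packet headers per RFC 4880 so you can check a .gpg file before decrypting it; the sample byte strings are constructed for illustration, not captured from gpg.

```python
"""Report the symmetric cipher and MDC status of an OpenPGP file by parsing
its packet headers (RFC 4880 section 4.2); no decryption is performed."""
import sys

# Cipher algorithm ids from RFC 4880 section 9.2 that matter for this thread.
CIPHER_NAMES = {2: "3DES", 3: "CAST5", 7: "AES128", 8: "AES192", 9: "AES256"}
SKESK_TAG = 3    # Symmetric-Key Encrypted Session Key packet
SED_TAG = 9      # Symmetrically Encrypted Data packet (no MDC -> the warning)
SEIPD_TAG = 18   # Symmetrically Encrypted Integrity Protected Data packet (MDC)


def read_packet_header(data, pos):
    """Return (tag, body_length, body_start) for the packet starting at pos.
    body_length is None for indeterminate or partial lengths; that is fine
    here because the encrypted data packet is always the last one."""
    ctb = data[pos]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet header at offset %d" % pos)
    if ctb & 0x40:  # new-format header: 6-bit tag, variable-length length
        tag, first = ctb & 0x3F, data[pos + 1]
        if first < 192:
            return tag, first, pos + 2
        if first < 224:
            return tag, ((first - 192) << 8) + data[pos + 2] + 192, pos + 3
        if first == 255:
            return tag, int.from_bytes(data[pos + 2:pos + 6], "big"), pos + 6
        return tag, None, pos + 2  # partial body length
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03  # old-format header
    if ltype == 3:
        return tag, None, pos + 1  # indeterminate length
    nbytes = (1, 2, 4)[ltype]
    return tag, int.from_bytes(data[pos + 1:pos + 1 + nbytes], "big"), pos + 1 + nbytes


def inspect(data):
    """Walk the packets and return (cipher_name, has_mdc)."""
    pos, cipher, has_mdc = 0, None, None
    while pos < len(data):
        tag, length, body = read_packet_header(data, pos)
        if tag == SKESK_TAG:  # v4 body: version, cipher algo, S2K specifier
            if data[body] != 4:
                raise ValueError("unsupported SKESK version %d" % data[body])
            cipher = CIPHER_NAMES.get(data[body + 1], "algo %d" % data[body + 1])
        elif tag in (SED_TAG, SEIPD_TAG):
            has_mdc = tag == SEIPD_TAG
            break
        if length is None:
            break
        pos = body + length
    return cipher, has_mdc


# Constructed samples: v4 SKESK (iterated+salted S2K) followed by a data packet.
_SALT = bytes(range(8))
CAST5_NO_MDC = bytes([0xC3, 0x0D, 0x04, 0x03, 0x03, 0x02]) + _SALT + b"\x60" \
    + b"\xA7" + b"\x00" * 16   # old-format tag 9, indeterminate length
AES256_MDC = bytes([0xC3, 0x0D, 0x04, 0x09, 0x03, 0x08]) + _SALT + b"\x60" \
    + b"\xD2\x10" + b"\x00" * 16  # new-format tag 18, 16-byte body

if __name__ == "__main__":
    blobs = [(p, open(p, "rb").read()) for p in sys.argv[1:]] or \
        [("CAST5_NO_MDC", CAST5_NO_MDC), ("AES256_MDC", AES256_MDC)]
    for name, blob in blobs:
        print(name, inspect(blob))
```

Run it with a path to a .gpg file to see which cipher it was encrypted with and whether decrypting it will trigger the warning; a result of (..., False) is exactly the case that --force-mdc or switching to AES256 fixes.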