</literallayout>
</sect4>
<sect4 id="pgcrypto-pgp-enc-funcs-opts-sess-key">
<title>sess-key</title>
<para>
Use a separate session key. Public-key encryption always uses a separate
session key; this option is for symmetric-key encryption, which by default
uses the S2K-derived key directly as the message key.
</para>
<literallayout>
Values: 0, 1
Default: 0
Applies to: pgp_sym_encrypt
</literallayout>
</sect4>
<sect4 id="pgcrypto-pgp-enc-funcs-opts-s2k-mode">
<title>s2k-mode</title>
<para>
Which S2K algorithm to use.
</para>
<literallayout>
Values:
0 - Without salt. Dangerous!
1 - With salt but with fixed iteration count.
3 - Variable iteration count.
Default: 3
Applies to: pgp_sym_encrypt
</literallayout>
</sect4>
<sect4 id="pgcrypto-pgp-enc-funcs-opts-s2k-count">
<title>s2k-count</title>
<para>
The number of iterations of the S2K algorithm to use. It must
be a value between 1024 and 65011712, inclusive.
</para>
<literallayout>
Default: A random value between 65536 and 253952
Applies to: pgp_sym_encrypt, only with s2k-mode=3
</literallayout>
</sect4>
<sect4 id="pgcrypto-pgp-enc-funcs-opts-s2k-digest-algo">
<title>s2k-digest-algo</title>
<para>
Which digest algorithm to use in S2K calculation.
</para>
<literallayout>
Values: md5, sha1
Default: sha1
Applies to: pgp_sym_encrypt
</literallayout>
</sect4>
<sect4 id="pgcrypto-pgp-enc-funcs-opts-s2k-cipher-algo">
<title>s2k-cipher-algo</title>
<para>
Which cipher to use for encrypting the separate session key.
</para>
<literallayout>
Values: bf, aes, aes128, aes192, aes256
Default: use cipher-algo
Applies to: pgp_sym_encrypt
</literallayout>
</sect4>
<sect4 id="pgcrypto-pgp-enc-funcs-opts-unicode-mode">
<title>unicode-mode</title>
<para>
Whether to convert textual data from the database's internal encoding to
UTF-8 and back. If your database is already UTF-8, no conversion will
be done, but the message will be tagged as UTF-8. Without this option
it will not be.
</para>
<literallayout>
Values: 0, 1
Default: 0
Applies to: pgp_sym_encrypt, pgp_pub_encrypt
</literallayout>
</sect4>
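<para>
The following is an added example, not part of the <filename>pgcrypto</filename>
manual, showing how the options above combine in a symmetric-key call:
a weak option string (unsalted S2K, the <quote>Dangerous!</quote> mode 0)
next to a hardened one, followed by a decryption round-trip. The passphrase
and plaintext are constructed values; the extension is assumed to be installed.
</para>

```sql
-- Added example (not from the pgcrypto manual). Assumes pgcrypto is
-- available; passphrase and plaintext below are constructed sample values.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- Weak: s2k-mode=0 hashes the passphrase without salt or iterations, so
-- every message protected by this passphrase derives the same message key.
SELECT armor(pgp_sym_encrypt('payroll export, Q3', 'correct horse battery',
       's2k-mode=0, cipher-algo=aes128'));

-- Hardened: salted, iterated S2K at the maximum count, a separate random
-- session key, AES-256 for both the session-key wrap and the payload, and
-- the message tagged as UTF-8.
SELECT armor(pgp_sym_encrypt('payroll export, Q3', 'correct horse battery',
       's2k-mode=3, s2k-count=65011712, s2k-digest-algo=sha1, '
       || 'sess-key=1, s2k-cipher-algo=aes256, cipher-algo=aes256, '
       || 'unicode-mode=1'));

-- Round-trip check: the S2K parameters travel inside the message, so
-- decryption needs only the passphrase. pgp_key_id() reports the special
-- key ID SYMKEY for a symmetrically encrypted message.
WITH msg AS (
  SELECT pgp_sym_encrypt('payroll export, Q3', 'correct horse battery',
         's2k-mode=3, s2k-count=65011712, sess-key=1, cipher-algo=aes256') AS ct
)
SELECT pgp_key_id(ct)                           AS key_id,     -- SYMKEY
       pgp_sym_decrypt(ct, 'correct horse battery') AS plaintext  -- payroll export, Q3
FROM msg;
```

Because the option values are recorded in the OpenPGP packets, the decrypting side can inspect them with <function>pgp_key_id()</function> or an external PGP tool, which is a practical way to audit that stored messages were not produced with <literal>s2k-mode=0</literal>.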
</sect3>
<sect3 id="pgcrypto-pgp-enc-funcs-gnupg">
<title>Generating PGP Keys with GnuPG</title>
<para>
To generate a new key:
<programlisting>
gpg --gen-key
</programlisting>
</para>
<para>
The preferred key type is <quote>DSA and Elgamal</quote>.
</para>
<para>
For RSA encryption you must create either a DSA or an RSA sign-only key
as the master key and then add an RSA encryption subkey with
<literal>gpg --edit-key</literal>.
</para>
<para>
To list keys:
<programlisting>
gpg --list-secret-keys
</programlisting>
</para>
<para>
To export a public key in ASCII-armor format:
<programlisting>
gpg -a --export KEYID > public.key
</programlisting>
</para>
<para>
To export a secret key in ASCII-armor format:
<programlisting>
gpg -a --export-secret-keys KEYID > secret.key
</programlisting>
</para>
<para>
You need to use <function>dearmor()</function> on these keys before giving them to
the PGP functions. Alternatively, if you can handle binary data, you can drop
<literal>-a</literal> from the command.
</para>
<para>
For more details see <literal>man gpg</literal>,
<ulink url="https://www.gnupg.org/gph/en/manual.html">The GNU
Privacy Handbook</ulink> and other documentation on
<ulink url="https://www.gnupg.org/"></ulink>.
</para>
</sect3>
<sect3 id="pgcrypto-pgp-enc-funcs-limitations">
<title>Limitations of PGP Code</title>
<itemizedlist>
<listitem>
<para>
No support for signing. That also means that it is not checked
whether the encryption subkey belongs to the master key.
</para>
</listitem>
<listitem>
<para>
No support for an encryption key as the master key. As this practice
is generally discouraged, this should not be a problem.
</para>
</listitem>
<listitem>
<para>
No support for several