The s2k options --s2k-cipher-algo, --s2k-digest-algo, and --s2k-count all appear
to be ignored in versions of GnuPG that no longer use secring.gpg. Perhaps it's
an oversight from removal of secring.gpg. I tried these options with --gen-key,
--edit-key, and --export-secret-keys but there was no effect in any case.
To reproduce:
gpg2 --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-mode 3 --s2k-count 65000000 --gen-key
Then export, using the s2k options in case they're needed here instead:
gpg2 --s2k-cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-mode 3 --s2k-count 65000000 --export-secret-keys | gpg2 --list-packets
What I expect to see:
iter+salt S2K, algo: 9, SHA1 protection, hash: 10, salt: 1134d6e05d8a2a4b protect count: 65011712 (255)
What I see instead:
iter+salt S2K, algo: 7, SHA1 protection, hash: 2, salt: ea29b70061f987bd protect count: 14155776 (219)
It's exporting algo 7 (AES-128) with digest 2 (SHA-1) and protect count 219,
instead of algo 9 (AES-256) with digest 10 (SHA-512) with protect count 255. The
expected output shown here is the output of GnuPG 2.0.26 using the same commands.
I marked it as urgent because these options are silently ignored and it's not
obvious to the user that they're not getting the security level they asked for.
Only using --list-packets reveals the problem.