Quote from: pine on July 20, 2012, 01:31 am2. Or you could simply exchange symmetric keys via PGP signed messages. Symmetric encryption can be orders of magnitude more powerful than PGP at less computationally cost. We're talking encryption it could take centuries or millennia to crack with brute force here. The disadvantage is that you cannot possibly give out those keys to anybody, they are always secret, there is no public key with symmetric encryption. But... by using the strengths of public key crypto, you can use PGP to share the secret keys and thus obtain super strong encryption with ease.Regular OpenPGP messages are symmetrically encrypted already. Using symmetric encryption is not normally recommended for this type of situation.A little primer on OpenPGP messages: when a message is encrypted with someone's public key what actually happens is that the message is encrypted with a symmetric cipher (e.g. AES256) and a single use passphrase. That passphrase is then encrypted with the recipient's public key using the relevant asymmetric cipher for that key (either RSA or Elgamal). When the message is received the single use passphrase portion is decrypted with the recipient's private key and the the single use passphrase is used to decrypt the symmetrically encrypted message.This is why PGP and GPG can withstand a situation where a third party cracks a single message. Even if one or more messages are intercepted and decrypted, the asymmetric keys are still safe.The only thing using symmetric encryption here would do is reintroduce the problem of how to share the secret of the passphrase for the symmetrically encrypted message. This is precisely the problem which public key cryptography in general, and the Diffie-Hellman key exchange in particular, was designed to solve.To confirm the above, it is possible with any message that is encrypted to your key to see the session key for that message by including the "--show-session-key" flag when decrypting the message. You could then, if you wished, provide that message and session key to someone not in possession of any of the public keys to which a message was encrypted and they could use the session key to decrypt that single message with the "--override-session-key" flag. They could not, however, decrypt other messages encrypted with the same public keys as the message they had the session key for.