s3cmd with OpenPGP encryption key - is this a password or a passphrase?

Question

I setup a 10 char complex password for GnuPG with s3cmd.

Run s3cmd --configure

You will be asked for the two keys - copy and paste them from your confirmation email or from your Amazon account page. Be careful when copying them! They are case sensitive and must be entered accurately or you'll keep getting errors about invalid signatures or similar.

You can optionally enter a GPG encryption key that will be used for encrypting your files before sending them to Amazon. Using GPG encryption will protect your data against reading by Amazon staff or anyone who may get access to your them while they're stored at Amazon S3.

Now I am unsure if I supposed to setup a passphrase (not a password). Can Amazon easy decrypt (they have huge compute power) a 10 char complex password?

Answer 1

"Passphrase" is just the common term for "password" in the OpenPGP environment. The passphrase is used to derive a symmetric key through OpenPGP's string-to-key function. GnuPG sets a reasonable default for the hash algorithm and number of iterations used, which makes brute-forcing an OpenPGP passphrase a very expensive operation. Brute-forcing of a ten characters passphrase is definitely not easy if it is random and cannot be derived from the usual password lists; if you consider your information especially valuable to entities that (a) might have access the encrypted information and (b) have vast computation powers, you might want to consider applying a stronger passphrase and/or tuning the string-to-key parameters to make testing a single passphrase more expensive.

Some more extensive discussion of the costs of brute-forcing passphrases in OpenPGP can be read up in "At what point does adding more iterations to PBKDF2 provide no extra security?".