author | Damien Goutte-Gattat via Gnupg-devel <[email protected]> | 2025-01-03 20:59:58 +0000 |
---|---|---|
committer | Werner Koch <[email protected]> | 2025-01-06 17:17:07 +0000 |
commit | 72e3fddbfe7b9f8e691076dbeea5588b9f20cc2f (patch) | |
tree | 7708fcdfda3abc023c8dd9fbadadb4534a7987f8 /doc | |
parent | gpg: Allow smaller session keys with Kyber (diff) | |
gpg: Force the use of AES-256 in some cases
* g10/encrypt.c (create_dek_with_warnings): Forcefully use AES-256 if
PQC encryption was required or if all recipient keys are Kyber keys.
--
If --require-pqc-encryption was set, then it should be safe to always
force AES-256, without even checking if we are encrypting to Kyber keys
(if some recipients do not have Kyber keys, --require-pqc-encryption
will fail elsewhere).
Otherwise, we force AES-256 if we encrypt *only* to Kyber keys -- unless
the user explicitly requested another algo, in which case we assume they
know what they are doing.
GnuPG-bug-id: 7472
Signed-off-by: Damien Goutte-Gattat <[email protected]>
Man page entry extended
Signed-off-by: Werner Koch <[email protected]>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/gpg.texi | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/doc/gpg.texi b/doc/gpg.texi index f2bb95d04..b8cd0bb65 100644 --- a/doc/gpg.texi +++ b/doc/gpg.texi @@ -3149,10 +3149,12 @@ keys into non-VS-NfD compliant keys. @opindex require-pqc-encryption This option forces the use of quantum-resistant encryption algorithms. If not all public keys are quantum-resistant the encryption will fail. -On decryption a warning is printed for all non-quantum-resistant keys. -As of now the Kyber (ML-KEM768 and ML-KEM1024) algorithms are -considered quantum-resistant; Kyber is always used in a composite -scheme along with a classic ECC algorithm. +The use of the symmetric encryption algorithm AES-256 is also enforced +by this option. On decryption a warning is printed for all +non-quantum-resistant keys. As of now the Kyber (ML-KEM768 and +ML-KEM1024) algorithms and AES-256 are considered quantum-resistant; +Kyber is always used in a composite scheme along with a classic ECC +algorithm. @item --require-compliance @opindex require-compliance |
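Review bot: The added sentence "The use of the symmetric encryption algorithm AES-256 is also enforced by this option" in the @opindex require-pqc-encryption entry does not say what happens when the user has also requested another symmetric algorithm explicitly, so a reader cannot tell from the man page whether that request is overridden silently, overridden with a warning, or rejected. The commit message describes the option as always forcing AES-256 and reserves the "unless the user explicitly requested another algo" exception for the second case (all recipients are Kyber keys, option not set); stating that precedence here would remove the ambiguity. That second case is also not mentioned in this hunk, so a user encrypting only to Kyber keys without this option gets AES-256 with no documentation pointing to why. Suggest adding one sentence to this entry covering both points, for example that AES-256 is likewise selected when all recipient keys are Kyber keys unless another algorithm was requested explicitly.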