2 files changed, 25 insertions, 4 deletions

diff --git a/doc/gpg.texi b/doc/gpg.texi
index f2bb95d04..b8cd0bb65 100644
--- a/doc/gpg.texi
+++ b/doc/gpg.texi
@@ -3149,10 +3149,12 @@ keys into non-VS-NfD compliant keys.
 @opindex require-pqc-encryption
 This option forces the use of quantum-resistant encryption algorithms.
 If not all public keys are quantum-resistant the encryption will fail.
-On decryption a warning is printed for all non-quantum-resistant keys.
-As of now the Kyber (ML-KEM768 and ML-KEM1024) algorithms are
-considered quantum-resistant; Kyber is always used in a composite
-scheme along with a classic ECC algorithm.
+The use of the symmetric encryption algorithm AES-256 is also enforced
+by this option.  On decryption a warning is printed for all
+non-quantum-resistant keys.  As of now the Kyber (ML-KEM768 and
+ML-KEM1024) algorithms and AES-256 are considered quantum-resistant;
+Kyber is always used in a composite scheme along with a classic ECC
+algorithm.
 
 @item --require-compliance
 @opindex require-compliance
diff --git a/g10/encrypt.c b/g10/encrypt.c
index e4e56c8b1..9b27b595b 100644
--- a/g10/encrypt.c
+++ b/g10/encrypt.c
@@ -139,6 +139,25 @@ create_dek_with_warnings (pk_list_t pk_list)
       dek->algo = opt.def_cipher_algo;
     }
 
+  if (dek->algo != CIPHER_ALGO_AES256)
+    {
+      /* If quantum resistance was explicitly required, we force the
+       * use of AES256 no matter what. Otherwise, we force AES256 if we
+       * encrypt to Kyber keys only and the user did not explicity
+       * request another another algo. */
+      if (opt.flags.require_pqc_encryption)
+        dek->algo = CIPHER_ALGO_AES256;
+      else if (!opt.def_cipher_algo)
+        {
+          int non_kyber_pk = 0;
+          for ( ; pk_list; pk_list = pk_list->next)
+            if (pk_list->pk->pubkey_algo != PUBKEY_ALGO_KYBER)
+              non_kyber_pk += 1;
+          if (!non_kyber_pk)
+            dek->algo = CIPHER_ALGO_AES256;
+        }
+    }
+
   return dek;
 }