# See: /usr/share/doc/gnupg2/examples/gpgconf.conf
# Options for GnuPG
# Copyright 1998, 1999, 2000, 2001, 2002, 2003 Free Software Foundation, Inc.
#
# This file is free software; as a special exception the author gives
# unlimited permission to copy and/or distribute it, with or without
# modifications, as long as this notice is preserved.
#
# This file is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
# Unless you specify which option file to use (with the command line
# option "--options filename"), GnuPG uses the file ~/.gnupg/gpg.conf
# by default.
#
# An options file can contain any long options which are available in
# GnuPG. If the first non white space character of a line is a '#',
# this line is ignored. Empty lines are also ignored.
#
# See the man page for a list of options.

# --https://riseup.net/en/security/message-security/openpgp/best-practices
# Do not include a “Comment” in your User ID.
#
# If you think you need a “Comment” field in your OpenPGP User
# ID please think long and hard before deciding that is really the
# case. You probably don’t need or want it, and having a comment field
# makes it harder for people to know what they’re certifying.

# Uncomment the following option to get rid of the copyright notice
no-greeting

# If you have more than 1 secret key in your keyring, you may want to
# uncomment the following option and set your preferred keyid.
#default-key KEYID

# info gpg2 default-key:
# '--default-key NAME'
#     Use NAME as the default key to sign with. If this option is not
#     used, the default key is the first key found in the secret keyring.
#     Note that '-u' or '--local-user' overrides this option. This
#     option may be given multiple times. In this case, the last key for
#     which a secret key is available is used.
#     If there is no secret key
#     available for any of the specified values, GnuPG will not emit an
#     error message but continue as if this option wasn't given.
#default-key thomas

# info '(gnupg.info.gz)GPG Configuration Options'
# default-recipient some-user-id
default-recipient-self
# If you do not pass a recipient to gpg, it will ask for one. Using
# this option you can encrypt to a default key. Key validation will
# not be done in this case. The second form uses the default key as
# default recipient.

# Use --encrypt-to to add the specified key as a recipient to all
# messages. This is useful, for example, when sending mail through a
# mail client that does not automatically encrypt mail to your key.
# In the example, this option allows you to read your local copy of
# encrypted mail that you've sent to others.
#encrypt-to some-key-id

# By default GnuPG creates version 3 signatures for data files. This
# is not strictly OpenPGP compliant but PGP 6 and most versions of PGP
# 7 require them. To disable this behavior, you may use this option
# or --openpgp.
#no-force-v3-sigs

# Because some mailers change lines starting with "From " to ">From "
# it is good to handle such lines in a special way when creating
# cleartext signatures; all other PGP versions do it this way too.
# To enable full OpenPGP compliance you may want to use this option.
#no-escape-from-lines

# If you do not use the Latin-1 (ISO-8859-1) charset, you should tell
# GnuPG which is the native character set. Please check the man page
# for supported character sets. This character set is only used for
# metadata and not for the actual message which does not undergo any
# translation. Note that future versions of GnuPG will change to UTF-8
# as default character set. In most cases this option is not required:
# GnuPG is able to figure out the correct charset and use that.
#charset utf-8

# Group names may be defined like this:
#   group mynames = paige 0x12345678 joe patti
#
# Any time "mynames" is a recipient (-r or --recipient), it will be
# expanded to the names "paige", "joe", and "patti", and the key ID
# "0x12345678". Note there is only one level of expansion - you
# cannot make a group that points to another group. Note also that
# if there are spaces in the recipient name, this will appear as two
# recipients. In these cases it is better to use the key ID.
#group mynames = paige 0x12345678 joe patti

# Lock the file only once for the lifetime of a process. If you do
# not define this, the lock will be obtained and released every time
# it is needed, which is usually preferable.
#lock-once

# GnuPG can send and receive keys to and from a keyserver. These
# servers can be HKP, email, or LDAP (if GnuPG is built with LDAP
# support).
#
# Example HKP keyserver:
#      hkp://subkeys.pgp.net
#
# Example email keyserver:
#      mailto:pgp-public-keys@keys.pgp.net
#
# Example LDAP keyservers:
#      ldap://keyserver.pgp.com
#
# Regular URL syntax applies, and you can set an alternate port
# through the usual method:
#      hkp://keyserver.example.net:22742
#
# If you have problems connecting to a HKP server through a buggy http
# proxy, you can use keyserver option broken-http-proxy (see below),
# but first you should make sure that you have read the man page
# regarding proxies (keyserver option honor-http-proxy)
#
# Most users just set the name and type of their preferred keyserver.
# Note that most servers (with the notable exception of
# ldap://keyserver.pgp.com) synchronize changes with each other. Note
# also that a single server name may actually point to multiple
# servers via DNS round-robin. hkp://subkeys.pgp.net is an example of
# such a "server", which spreads the load over a number of physical
# servers.
#keyserver hkp://subkeys.pgp.net
#keyserver mailto:pgp-public-keys@keys.nl.pgp.net
#keyserver ldap://keyserver.pgp.com

#-----------------------------
# keyserver
#-----------------------------
# This is the server that --recv-keys, --send-keys, and --search-keys will
# communicate with to receive keys from, send keys to, and search for keys on
keyserver hkps://hkps.pool.sks-keyservers.net
# hkps://hkps.pool.sks-keyservers.net is or will be the default for gpg 2.1.x per IRC in spring 2017

# Provide a certificate store to override the system default
# Get this from https://sks-keyservers.net/sks-keyservers.netCA.pem
# keyserver-options ca-cert-file=/usr/local/etc/ssl/certs/hkps.pool.sks-keyservers.net.pem
# Causes warning in gpg2. See https://github.com/riseupnet/riseup_help/issues/294

# Set the proxy to use for HTTP and HKP keyservers - default to the standard
# local Tor socks proxy
# It is encouraged to use Tor for improved anonymity. Preferably use either a
# dedicated SOCKSPort for GnuPG and/or enable IsolateDestPort and
# IsolateDestAddr
#keyserver-options http-proxy=socks5-hostname://127.0.0.1:9050

# Don't leak DNS, see https://trac.torproject.org/projects/tor/ticket/2846
# keyserver-options no-try-dns-srv
# Causes warning in gpg2.

# When using --refresh-keys, if the key in question has a preferred keyserver
# URL, then disable use of that preferred keyserver to refresh the key from
keyserver-options no-honor-keyserver-url

# When searching for a key with --search-keys, include keys that are marked on
# the keyserver as revoked
keyserver-options include-revoked

# Common options for keyserver functions:
#
# include-disabled = when searching, include keys marked as "disabled"
#                    on the keyserver (not all keyservers support this).
#
# no-include-revoked = when searching, do not include keys marked as
#                      "revoked" on the keyserver.
#
# verbose = show more information as the keys are fetched.
#           Can be used more than once to increase the amount
#           of information shown.
#
# use-temp-files = use temporary files instead of a pipe to talk to the
#                  keyserver. Some platforms (Win32 for one) always
#                  have this on.
#
# keep-temp-files = do not delete temporary files after using them
#                   (really only useful for debugging)
#
# honor-http-proxy = if the keyserver uses HTTP, honor the http_proxy
#                    environment variable
#
# broken-http-proxy = try to work around a buggy HTTP proxy
#
# auto-key-retrieve = automatically fetch keys as needed from the keyserver
#                     when verifying signatures or when importing keys that
#                     have been revoked by a revocation key that is not
#                     present on the keyring.
#
# no-include-attributes = do not include attribute IDs (aka "photo IDs")
#                         when sending keys to the keyserver.
#keyserver-options auto-key-retrieve

# Display photo user IDs in key listings
# list-options show-photos

# Display photo user IDs when a signature from a key with a photo is
# verified
# verify-options show-photos

# Use this program to display photo user IDs
#
# %i is expanded to a temporary file that contains the photo.
# %I is the same as %i, but the file isn't deleted afterwards by GnuPG.
# %k is expanded to the key ID of the key.
# %K is expanded to the long OpenPGP key ID of the key.
# %t is expanded to the extension of the image (e.g. "jpg").
# %T is expanded to the MIME type of the image (e.g. "image/jpeg").
# %f is expanded to the fingerprint of the key.
# %% is %, of course.
#
# If %i or %I are not present, then the photo is supplied to the
# viewer on standard input. If your platform supports it, standard
# input is the best way to do this as it avoids the time and effort in
# generating and then cleaning up a secure temp file.
#
# If no photo-viewer is provided, GnuPG will look for xloadimage, eog,
# or display (ImageMagick). On Mac OS X and Windows, the default is
# to use your regular JPEG image viewer.
#
# Some other viewers:
# photo-viewer "qiv %i"
# photo-viewer "ee %i"
#
# This one saves a copy of the photo ID in your home directory:
# photo-viewer "cat > ~/photoid-for-key-%k.%t"
#
# Use your MIME handler to view photos:
# photo-viewer "metamail -q -d -b -c %T -s 'KeyID 0x%k' -f GnuPG"

# Passphrase agent
#
# We support the old experimental passphrase agent protocol as well as
# the new Assuan based one (currently available in the "newpg" package
# at ftp.gnupg.org/gcrypt/alpha/aegypten/). To make use of the agent,
# you have to run an agent as daemon and use the option
#
# use-agent
# Per IRC: K_F> "use-agent" is a no-op in >=2.0
#
# which tries to use the agent but will fall back to the regular mode
# if there is a problem connecting to the agent. The normal way to
# locate the agent is by looking at the environment variable
# GPG_AGENT_INFO which should have been set during gpg-agent startup.
# In certain situations the use of this variable is not possible, thus
# the option
#
# --gpg-agent-info=::1
#
# may be used to override it.

# Automatic key location
#
# GnuPG can automatically locate and retrieve keys as needed using the
# auto-key-locate option. This happens when encrypting to an email
# address (in the "user@example.com" form), and there are no
# user@example.com keys on the local keyring. This option takes the
# following arguments, in the order they are to be tried:
#
# cert = locate a key using DNS CERT, as specified in 2538bis
#        (currently in draft): http://www.josefsson.org/rfc2538bis/
#
# pka = locate a key using DNS PKA.
#
# ldap = locate a key using the PGP Universal method of checking
#        "ldap://keys.(thedomain)".
#
# keyserver = locate a key using whatever keyserver is defined using
#             the keyserver option.
#
# You may also list arbitrary keyservers here by URL.
#
# Try CERT, then PKA, then LDAP, then hkp://subkeys.net:
#auto-key-locate cert pka ldap hkp://subkeys.pgp.net

cipher-algo AES256
# See http://superuser.com/questions/633715/how-do-i-fix-warning-message-was-not-integrity-protected-when-using-gpg-symme

# ========== { =========================================================
# from
# https://we.riseup.net/riseuplabs+paow/openpgp-best-practices or
# https://www.void.gr/kargig/blog/2013/12/02/creating-a-new-gpg-key-with-subkeys
# ======================================================================

# When outputting certificates, view user IDs distinctly from keys:
fixed-list-mode

# Display long key IDs
keyid-format 0xlong

# List all keys (or the specified ones) along with their fingerprints
with-fingerprint

personal-digest-preferences SHA512 SHA384 SHA256 SHA224
# list of personal digest preferences. When multiple digests are supported by
# all recipients, choose the strongest one

personal-cipher-preferences AES256 AES192 AES CAST5
# https://riseup.net/en/security/message-security/openpgp/best-practices
# https://raw.githubusercontent.com/ioerror/duraconf/master/configs/gnupg/gpg.conf
# Preferences chosen for new keys should prioritize stronger algorithms.
# This preference list is used for new keys and becomes the default for
# "setpref" in the edit menu
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

# If you use a graphical environment (and even if you don't) you should be using an agent:
# (similar arguments as https://www.debian-administration.org/users/dkg/weblog/64)
use-agent

# You should always know at a glance which User IDs gpg thinks are legitimately bound to the keys in your keyring:
verify-options show-uid-validity
list-options show-uid-validity

# when making an OpenPGP certification, use a stronger digest than the default SHA1:
cert-digest-algo SHA512
# https://riseup.net/en/security/message-security/openpgp/best-practices

# prevent version string from appearing in your signatures/public keys
no-emit-version
## }

# ======================= http://nullprogram.com/blog/2012/06/24 { =====
# Chris Wellons wellons@nullprogram.com
# https://www.tylerburton.ca/2015/04/increasing-the-protection-of-your-stored-pgp-key/
# https://dev.gnupg.org/T1800
# Suggests gpg instead of gpg2 for key creation, so s2k-count is supported.
# ======================================================================
s2k-cipher-algo AES256
s2k-digest-algo SHA512
s2k-mode 3
s2k-count 65011712
#s2k-count 65000000
# You need to calculate this, else it 'rounds' up to another number when you run
# $ gpg --list-packets /a/rodmant/.gnupg/secring.gpg 2>&1 |grep 'protect count'
#
# ex 30000000 in this file becomes: 30408704
## }

# --https://news.ycombinator.com/item?id=13382734
# Here's an alternative to wrapping GPG, using .gnupg/gpg.conf:
#
# personal-cipher-preferences AES256 AES
# personal-digest-preferences SHA256 SHA512
# personal-compress-preferences Uncompressed
# default-preference-list SHA256 SHA512 AES256 AES Uncompressed
#
# cert-digest-algo SHA256
#
# s2k-cipher-algo AES256
# s2k-digest-algo SHA256
# s2k-mode 3
# s2k-count 65011712
#
# disable-cipher-algo 3DES
# weak-digest SHA1
# force-mdc
#
# Note that these options impact compatibility with other GPG/PGP clients.

# For --sign-key
ask-cert-level
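# The s2k-count 'rounding' noted above, worked out as an added example (this is
# not part of this config nor GnuPG's own code): OpenPGP stores the iteration
# count as a single coded byte, so gpg rounds the configured value up to the
# nearest count that byte can express. The 'protect count' sample line below is
# constructed, and its layout is assumed rather than copied from a real keyring.

```python
"""OpenPGP S2K iterated-count encoding (RFC 4880 section 3.7.1.3).

The count written as s2k-count is stored in the secret-key packet as one
byte c, decoded as (16 + (c & 15)) << ((c >> 4) + 6). Only 256 values are
representable, so gpg rounds the configured count up to the next one; that
is the number shown after 'protect count' by gpg --list-packets.
Added example, not GnuPG code.
"""
import re

S2K_MIN = 1024        # coded byte 0x00
S2K_MAX = 65011712    # coded byte 0xff, the largest value s2k-count can take


def s2k_decode(c: int) -> int:
    """Expand the one-byte coded count to the real iteration count."""
    if not 0 <= c <= 255:
        raise ValueError("coded count must fit in one byte")
    return (16 + (c & 15)) << ((c >> 4) + 6)


def s2k_encode(count: int) -> int:
    """Smallest coded byte whose decoded value is >= count (clamped to range)."""
    count = max(S2K_MIN, min(count, S2K_MAX))
    # decoded values grow monotonically with c, so a linear scan suffices
    for c in range(256):
        if s2k_decode(c) >= count:
            return c
    return 255  # unreachable because of the clamp above


def effective_count(configured: int) -> int:
    """The iteration count gpg actually stores for a given s2k-count setting."""
    return s2k_decode(s2k_encode(configured))


# Assumed layout of the --list-packets line the config tells you to grep for.
PROTECT_COUNT_RE = re.compile(r"protect count: (\d+) \((\d+)\)")


def parse_protect_count(line: str) -> tuple:
    """Return (stored count, coded byte) from a 'protect count' listing line."""
    m = PROTECT_COUNT_RE.search(line)
    if not m:
        raise ValueError("no protect count in line")
    return int(m.group(1)), int(m.group(2))


# Constructed sample line (not captured from a real keyring): 237 = 0xED
# decodes to 29 << 20, which is what an s2k-count of 30000000 becomes.
SAMPLE_LINE = ("\titer+salt S2K, algo: 9, SHA1 protection, hash: 10, "
               "salt: 0011223344556677, protect count: 30408704 (237)")
```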