GPG Setup

Charly Avital shavital at
Sun Jul 5 17:16:07 CEST 2009

t eden wrote the following on 7/5/09 8:45 AM:
> I am rather new at gnupg and encryption. I have spent a good deal of
> time reading up on the subject.


That's a refreshing (for me) start.

> So, I think I understand what my setup
> should be, but would like input from the experts. :-)

Thank God, I am no expert, but here are my 2¢.

> 1. Change to sha256.

Good move.

Some experts will tell you SHA1 is "compromised" or "bound to be
compromised"; other experts will tell you SHA1 is still OK. Which, to my lay
understanding, amounts to the same thing.

So go for broke (for sure) and stay with SHA256.

Some other experts will recommend SHA512, but one can't accommodate all

Personally, I switched to SHA256 quite a while ago.

> 2. Generate separate keys for signing, certifying, and encrypting.

I understand you have generated a key that includes separate subkeys for
encrypting, and for signing only. The primary key is surely good for

> 3. Generate a revocation certificate.

Great. You have profited from your reading.

> 4. Disable hibernation on all my machines to make sure passwords
> aren't saved to hibernation file.... (just kidding).

What I don't do is use the option offered by some systems that enable
the user to "save" the passphrase for a certain duration. Such saving
writes the passphrase to disk, not a good move.

I use GPG2 with gpg-agent.
gpg-agent does not save the passphrase, it caches it (encrypted) for a
period of time set by the user.

I tried to find your public key on three or four separate servers, no luck.
Did you upload it? Mind you, you are not bound to do it, unless you
intend to sign your messages and expect the recipients to be able to
verify your signature. Ditto for people who would like to encrypt to you.

I have exceeded my 2¢, sorry.

It would help if you indicate some information about your system.

About your gpg.conf file, I'll let the real experts in this forum to

And about Comment. I don't know what you mean when you have set your
comment to read "", unless you have chosen not to display the real
comment you want to use. If you are not going to insert any comment of
your choice, I would suggest commenting out that line in your gpg.conf:

#comment ""

MacOS 10.5.7-MacBook Intel C2Duo 2GHz-GnuPG 1.4.9-MacGPG 2.0.12
TB 0.95.7-Apple's Mail+GPGMail 1.2.0 (v56), Key: 0xA57A8EFA
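The thread above touches two things a reader could check in their own gpg.conf: which digest gets picked first for signatures and certifications, and whether an empty `comment ""` line is still active. The script below is an added example written for this page, not code from either poster or from GnuPG. The option names (`personal-digest-preferences`, `cert-digest-algo`, `comment`) are real gpg.conf options; the two sample configs are constructed, and the list of digests it flags as weak is my own choice.

```shell
#!/bin/sh
# Added example (not from the thread): audit a gpg.conf for the two points
# discussed above. The gpg.conf option names are real; the sample configs
# written by write_sample_configs are constructed for this demonstration.

# Digests to flag when they appear as the first (preferred) choice. My choice.
WEAK_DIGESTS='MD5 SHA1 RIPEMD160'

# Usage: audit_gpg_conf /path/to/gpg.conf
# Prints one finding per line; return status is the number of findings (0 = clean).
audit_gpg_conf() {
    conf="$1"
    findings=0

    # Drop comments and blank lines so a commented-out `#comment ""` is ignored.
    active=$(sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$conf")

    # 1. The first entry of personal-digest-preferences is the hash gpg will
    #    try to use for signatures.
    first=$(printf '%s\n' "$active" \
        | awk '$1 == "personal-digest-preferences" { print toupper($2); exit }')
    if [ -z "$first" ]; then
        echo "personal-digest-preferences not set; gpg will use its built-in default"
        findings=$((findings + 1))
    else
        for weak in $WEAK_DIGESTS; do
            if [ "$first" = "$weak" ]; then
                echo "personal-digest-preferences puts $first first; prefer SHA256"
                findings=$((findings + 1))
            fi
        done
    fi

    # 2. cert-digest-algo is the hash used when signing (certifying) keys.
    cert=$(printf '%s\n' "$active" \
        | awk '$1 == "cert-digest-algo" { print toupper($2); exit }')
    for weak in $WEAK_DIGESTS; do
        if [ "$cert" = "$weak" ]; then
            echo "cert-digest-algo is $cert; prefer SHA256"
            findings=$((findings + 1))
        fi
    done

    # 3. An active `comment ""` line: give it a real value or comment it out.
    if printf '%s\n' "$active" \
        | grep -Eq '^[[:space:]]*comment[[:space:]]+""[[:space:]]*$'; then
        echo 'comment is set to ""; remove the line or prefix it with #'
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Usage: write_sample_configs DIR
# Writes two constructed gpg.conf files into DIR: weak.conf and good.conf.
write_sample_configs() {
    dir="$1"
    cat > "$dir/weak.conf" <<'EOF'
# constructed sample: settings the thread advises against
personal-digest-preferences SHA1
cert-digest-algo SHA1
comment ""
EOF
    cat > "$dir/good.conf" <<'EOF'
# constructed sample: SHA256 first, empty comment commented out
personal-digest-preferences SHA256 SHA512 SHA384 SHA224
cert-digest-algo SHA256
#comment ""
EOF
}

# Stand-alone demo: audit both constructed configs and show the finding count.
demo_dir=$(mktemp -d)
write_sample_configs "$demo_dir"
for name in weak good; do
    echo "== $name.conf =="
    audit_gpg_conf "$demo_dir/$name.conf"
    echo "findings: $?"
done
rm -r "$demo_dir"
```

Run it as-is to see the constructed weak config produce three findings and the corrected one none; to audit a real file, call `audit_gpg_conf ~/.gnupg/gpg.conf` after sourcing the script. The checker only strips `#` comments and reads whitespace-separated `option value` lines, which is the form gpg.conf uses and the form shown in the reply above.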

