howto secure older keys after the recent attacks

Robert J. Hansen rjh at
Thu Sep 10 03:05:37 CEST 2009

> So waht I'd like to see is some step by step howto on securing older
> keys (written by some expert probably ;-) ).

Add these lines to your gpg.conf file:

personal-digest-preferences SHA256 SHA224 SHA384 SHA512 RIPEMD160
personal-cipher-preferences AES128 3DES

... This will tell GnuPG that you'd much rather use a newer SHA than you
would SHA-1; and if for some reason GnuPG has to use a 160-bit hash, to
use RIPEMD160 instead of SHA-1.  It will also tell GnuPG to use AES128
for message encryption.  If for whatever reason your recipient can't
read AES128, it should fall back to 3DES.

Some people will tell you that 3DES is an old, antique and outdated
cipher.  This is true.  Some will tell you it's slow.  This is an
understatement.  3DES is ugly, crude, and inelegant.  It has all the
aesthetics of the Soviet Socialist Realism school of art.  It has also
been turning brilliant cryptanalysts into burned-out alcoholic wrecks
for three decades straight, and that reputation is solid gold.

Some people will undoubtedly advocate much more complex schemes.  I
suggest avoiding them.  Simple and effective solutions are usually much,
much better than complex and effective solutions.

More information about the Gnupg-users mailing list