Best Practices

Robert J. Hansen rjh at
Sun Dec 12 08:58:12 CET 2010

On 12/12/2010 2:10 AM, David Tomaschik wrote:
> In my gpg.conf, I have (other than keyserver/no-greeting/etc. settings):
> personal-digest-preferences SHA512
> cert-digest-algo SHA512
> Are there any other settings (or changes to these) that would be
> considered more "forward looking"?

personal-digest-prefs is probably a bit off.  For instance, if for any
reason SHA512 is unavailable it will degrade to SHA-1, which you
probably don't want.  It's generally best to include all the algorithms
you'll accept, in whatever order you like.  E.g.:

personal-digest-preferences SHA512 SHA384 SHA256 SHA224 RIPEMD160 SHA1

This way you have a natural degradation in hash preferences: rather than
immediately degrading to SHA-1, it gives you more options to keep on
using strong hashes.

More information about the Gnupg-users mailing list