Modern gnupg.conf setup
dgouttegattat at incenp.org
Sun Dec 15 03:07:57 CET 2019
On Sat, Dec 14, 2019 at 11:18:32PM +0100, Defiant wrote:
>Hey, I recall back in the days there were lots of online tutorials about
>how to strengthen your GnuPG configuration.
I don’t know which tutorials exactly you’re referring to, but I have
seen several of them myself, and I have always had the feeling that they
were written by people who couldn’t be bothered to check what GnuPG’s
default configuration actually is before deciding it needed to be
Not needed, those are the defaults.
That’s up to you. Note, this does not actually “strengthen” anything.
For information, the default is not to display any key ID (either short
or long) but to display the full fingerprint instead (which makes
displaying the key ID quite irrelevant).
Setting keyid-format to either “short” or “long” however has the effect
of forcing GnuPG to display the key ID of *subkeys*, so if that’s
something you need, you may keep that line.
Already enabled by default.
The default is AES256, AES192, AES128, 3DES. Note that you cannot remove
3DES which is mandatory as per the RFC 4880 (that’s the only algorithm
which is guaranteed to be supported by any compliant OpenPGP
implementation): even if you do not include it, GnuPG will silently add
By removing AES192 and AES128, you’re actually increasing the risk that
GnuPG will have to fallback to 3DES if AES256 is not supported by the
other party. I don’t think this is what you want.
The default is SHA256, SHA384, SHA512, SHA-224, SHA1, with SHA1 being
mandatory. Same problem as above: by limiting GnuPG’s options, you are
increasing the risk of having to fallback to SHA1.
>default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES
>TWOFISH ZLIB BZIP2 ZIP Uncompressed
This is almost exactly the default list, except that the default list
does not include TWOFISH.
You are basically bypassing the whole preference-based mechanism used to
select algorithms compatible with your recipients’ implementation.
Almost certainly a bad idea unless you are operating in a context where
you know you don’t need to care about interoperability (e.g. if you are
only encrypting files for yourself).
>disable-cipher-algo 3DES IDEA CAST5 Blowfish
3DES and SHA1 are mandatory as said above. The other algorithms are
already not used by default.
The default S2K mode is already 3 (iter+salt). As for the S2K count, for
information the default is a value automatically determined by GPG Agent
so that, on your computer, running the S2K algorithm will take ~100ms.
Overall I’d say most of your configuration is either uneeded or even
counterproductive. I’ll quote GnuPG’s FAQ :
> Does GnuPG need to be ‘tuned’ before use?
> No. GnuPG has sensible defaults right out of the box.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 228 bytes
Desc: not available
More information about the Gnupg-users