Modern gnupg.conf setup
mistave at countermail.com
Sun Dec 15 13:33:14 CET 2019
Thank you kindly for your very informative answers.
It seems I was right to have asked here after all. It's amazing how many
outdated tutorials exist i.e. googling for "perfect pgp keypair" gives
at least three "wrong" articles among the top few results.
Having read the GnuPG docs a bit it appears a lot of options I listed
are already enabled by default by a recent gpg, so I removed them.
On 15. 12. 19 01:31, Robert J. Hansen wrote:>
> Instead, try this:
> personal-cipher-preferences AES256 CAMELLIA256 TWOFISH AES192
> CAMELLIA192 AES CAMELLIA128
> personal-digest-preferences SHA512 SHA384 SHA256 SHA224 RIPEMD160
Should these also be included in the default-preference-list? I think
the latter is only used when generating new keys (setpref), yes? Alas:
personal-cipher-preferences AES256 CAMELLIA256 TWOFISH AES192
CAMELLIA192 AES CAMELLIA128
personal-digest-preferences SHA512 SHA384 SHA256 SHA224 RIPEMD160
default-preference-list SHA512 SHA384 SHA256 SHA224 RIPEMD160 AES256
CAMELLIA256 TWOFISH AES192 CAMELLIA192 AES CAMELLIA128 ZLIB BZIP2 ZIP
>> cert-digest-algo SHA512
> Still valid, still useful.
This I'm uncertain about. Should probably be removed too?
The documentation says:
Use name as the message digest algorithm used when signing a key.
Running the program with the command --version yields a list of
supported algorithms. *Be aware that if you choose an algorithm that
GnuPG supports but other OpenPGP implementations do not, then some users
will not be able to use the key signatures you make, or quite possibly
your entire key.*
>> disable-cipher-algo 3DES IDEA CAST5 Blowfish
> 3DES is a MUST algorithm, according to the spec. If you want to disable
> the others that's your business -- but it's already implicit by not
> including them in your personal-cipher-preferences. This line can be
> removed entirely.
>> weak-digest SHA1
> Again, SHA-1 is a MUST.
The RFC 4880 standard (section 9) does say that 3DES and SHA-1 must be
implemented, but the reason I included these is because I read on some
websites that you do NOT want to use these at all due to their
weaknesses and there should be some way of warning the user that weak
algorithms are being used.
If some client can't support newer algorithms like SHA-2 and AES then
it's better if that person upgraded their software rather than continue
to use SHA-1 and 3DES.
More information about the Gnupg-users