Home > Encryption, GnuPG, OpenPGP, Privacy > Secure GnuPG configuration

Secure GnuPG configuration


Someone recently asked what my GPG.conf file looks like since he hadn’t updated his in… years.  Okay, let’s take a look and I’ll try to explain what each setting is and why I feel it is important.  I’m not guaranteeing this as being complete and I welcome input from others.

keyserver-options auto-key-retrieve

This says that if a program needs a public key but it’s not in my keyring that it should automatically reach out to the keyserver (see below) and download it.

use-agent

This says to use the GPG agent. I cannot remember, right now, why this was a good idea. Perhaps it isn’t?

auto-key-locate cert pka ldap hkps://hkps.pool.sks-keyservers.net
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options ca-cert-file=/etc/ssl/certs/sks-keyservers.netCA.pem
keyserver-options no-honor-keyserver-url
keyserver-options auto-key-retrieve

Almost the fun stuff there.  This is just setting up the keyserver that I wish to use (note the use of hkps instead of hkp).

default-preference-list AES AES192 AES256 TWOFISH SHA1 SHA224 SHA256 SHA384 SHA512 Uncompressed ZIP ZLIB BZIP2
personal-cipher-preferences AES256 TWOFISH AES192 AES
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
personal-compress-preferences BZIP2 ZLIB ZIP

Okay, the fun stuff. These are all the algorithms that I wish to use. If you setup your GPG key to advertise these then it will make it easier for others to use the most secure algorithms since they will already know what you can do. The first line just lists all the preferences. The second, third, and fourth lines actually provide the preferences in order of them being used. If you’ll note my preferred cipher is AES with a 256-bit key and my preferred hash (digest) is SHA with a 512-bit key.  There are other options available and a quick

gpg --help

should provide what options are available to you. For instance, my current installation says that its supported algorithms are:

Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH,
CAMELLIA128, CAMELLIA192, CAMELLIA256
Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

I’ve omitted 3DES, MD5, and SHA1 from my preferences due to their weaknesses but I could still use them according to my GnuPG software.

Again, this wasn’t meant to be a strict “thou must do this to be secure” but rather a “this is what I’m doing” sort of thing. I’d appreciate feedback!

About these ads
  1. Jamie Nguyen
    2013-07-09 at 05:50 EST

    For better or worse, I stole some of my config from Whonix (though I don’t use gpg through Tor):

    https://github.com/Whonix/Whonix/blob/master/whonix_workstation/usr/share/whonix/home/.gnupg/gpg.conf

    display-charset utf-8
    no-emit-version
    no-comments
    no-greeting
    require-cross-certification
    throw-keyids

    personal-digest-preferences SHA512
    cert-digest-algo SHA512
    default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

  2. foo
    2013-07-09 at 07:00 EST

    More stuff in the OpenPGP best practices guide:

    https://we.riseup.net/riseuplabs+paow/openpgp-best-practices

  3. Stephen Smoogen
    2013-07-09 at 14:13 EST

    Close to decades.. it still had pgp directives.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 226 other followers