Skip to content

Instantly share code, notes, and snippets.

@S1SYPHOS
Created June 17, 2019 17:10
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save S1SYPHOS/350aad89f211d1c26d6f3cf59a53bbf6 to your computer and use it in GitHub Desktop.
Save S1SYPHOS/350aad89f211d1c26d6f3cf59a53bbf6 to your computer and use it in GitHub Desktop.
Modern GnuPG Configuration
##################
# DIRMNGR CONF #
##################
##
# SKS keyserver running as Tor hidden service
# See https://sks-keyservers.net/overview-of-pools.php#pool_tor
keyserver hkp://jirk5u4osbsr34t5.onion
##
# Switches GnuPG into "Tor mode", routing all network access via Tor (an anonymity network).
use-tor
# For more information, see https://www.gnupg.org/documentation/manuals/gnupg/Dirmngr-Options.html
##
####################
# GPG-AGENT CONF #
####################
##
# Set the time a cache entry is valid. Each time a cache entry is accessed,
# the entry's timer is reset.
# The default is 600 seconds.
default-cache-ttl 1800 # 30 minutes
##
# Set the maximum time a cache entry is valid. After this time a cache entry
# will be expired even if it has been accessed recently.
# The default is 2 hours (7200 seconds).
max-cache-ttl 3600 # 1 hour
##
# Like `default-cache-ttl`, but for SSH keys.
# The default is 1800 seconds.
default-cache-ttl-ssh 1800 # 30 minutes
##
# Like `max-cache-ttl`, but for SSH keys.
# The default is 2 hours (7200 seconds).
max-cache-ttl-ssh 3600 # 1 hour
##
# Enable OpenSSH Agent (ssh-agent) protocol support
enable-ssh-support
# For more information, see https://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html
##
##############
# GPG CONF #
##############
####
# Behaviour
##
##
# Use `default-key` as the default key to sign with
# default-key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
##
# Use `default-key` as default recipient
default-recipient-self
##
# Disable inclusion of the version string in ASCII armored output
# Enabled by default (but I like being explicit)
no-emit-version
##
# Disable comment string in clear text signatures and ASCII armored messages
# Enabled by default (but I like being explicit)
no-comments
##
# Suppress the initial copyright message
no-greeting
##
# Don't include recipient key IDs as it may disclose the sender or any other non-obvious key IDs
# as a (limited) countermeasure against traffic analysis
# Enabled by default (but I like being explicit)
throw-keyids
##
# Display the calculated validity of ..
#
# .. user IDs during key listings
list-options show-uid-validity
# .. the user IDs on the key that issued the signature
verify-options show-uid-validity
##
# Enable the creation of RSA secret keys as large as 8192 bit
# Note: 8192 bit is more than is generally recommended. These large keys don't significantly improve security,
# but they are more expensive to use, and their signatures and certifications are larger
# enable-large-rsa
##
# Cross-certify that subkeys are present and valid
# This protects against a subtle attack against subkeys that can sign
# Enabled by default (but I like being explicit)
require-cross-certification
# This is just for show, as `gpg` always requires the agent
# Enabled by default (but I like being explicit)
use-agent
####
# Input & Output
##
## Input
##
# Force UTF-8 encoding
display-charset utf-8
utf8-strings
## Output
##
# Display long key IDs
keyid-format 0xlong
##
# List keys along with their fingerprints
with-fingerprint
##
# Create ASCII armored output
# Defaults to creating the binary OpenPGP format
armor
##
# When outputting certificates, view user IDs distinctly from keys
# Always enabled since GnuPG v2.0.10 (obsolete)
fixed-list-mode
####
# Keyserver
##
# When searching for a key with --search-keys, include keys that are marked on
# the keyserver as revoked
keyserver-options include-revoked
# When using --refresh-keys, if the key in question has a preferred keyserver
# URL, then disable use of that preferred keyserver to refresh the key from
keyserver-options no-honor-keyserver-url
####
# Cryptography
##
## Algorithms & Ciphers
##
# Prefer the strongest ciphers and digests in the OpenPGP specification
# To list available algorithms: gpg --version
personal-cipher-preferences AES256 TWOFISH
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
personal-compress-preferences BZIP2 ZLIB ZIP Uncompressed
##
# Use the strongest digest when signing a key
cert-digest-algo SHA512
##
# Set the list of personal compression preferences
default-preference-list SHA512 SHA384 SHA256 SHA224 RIPEMD160 AES256 TWOFISH BLOWFISH ZLIB BZIP2 ZIP Uncompressed
##
# Disable insecure algorithms
disable-cipher-algo 3DES IDEA
##
# Disable the passphrase cache used for symmetrical operations
no-symkey-cache
##
# Force the use of encryption with a modification detection code.
# Enabled by default (but I like being explicit)
force-mdc
## String-to-Key Specifiers
# Cipher algorithm for symmetric encryption with a passphrase
# Defaults to AES-128
s2k-cipher-algo TWOFISH
##
# Digest algorithm used to mangle the passphrases for symmetric encryption
# Defaults to SHA-1
s2k-digest-algo SHA512
##
# Selects how passphrases for symmetric encryption are
# Defaults to 3 (iterated & salted, see RFC4880) (obsolete)
s2k-mode 3
##
# Specify how many times the passphrases mangling for symmetric encryption is repeated
# Note: this is only meaningful if `s2k-mode` is set to the default of 3
s2k-count 65536
##
# Sources & further information:
# - GnuPG options: https://www.gnupg.org/documentation/manuals/gnupg/GPG-Options.html
# - S2K Specifications: https://tools.ietf.org/html/rfc4880#section-3.7
# - Parcimonie.sh: https://github.com/EtiennePerot/parcimonie.sh
#
# Useful tweaks:
# - https://github.com/Whonix/anon-gpg-tweaks/tree/master/etc/skel/.gnupg
# - https://www.designed-cybersecurity.com/tutorials/harden-your-gnupg-config
#
# A bit outdated, but still a good starting point:
# - https://github.com/ioerror/duraconf
# - https://alexcabal.com/creating-the-perfect-gpg-keypair
# - https://riseup.net/en/security/message-security/openpgp/best-practices
##
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment