Skip to content

Instantly share code, notes, and snippets.

Created September 11, 2014 02:38
Show Gist options
  • Save anonymous/3d928a0bcbb3ed92c454 to your computer and use it in GitHub Desktop.
Save anonymous/3d928a0bcbb3ed92c454 to your computer and use it in GitHub Desktop.
Ultimate-GPG-Settings
The Goals of this Gist are to:
[1] Increase the GnuPG key size limit beyond 4096 bits.
[2] Provide configuration files that maximize security and anonymity.
For now, the ideal configuration files have been provided.
The Debian_Linux_GnuPG_Compiler.bash script works to build GnuPG with the 4096 bit key size limit raised.
Please provide input. Feedback and changes welcome.
#!/bin/bash
make_log_file()
{
log_file="$(readlink -e $0).log.txt";
touch "$log_file";
if [[ -w "$log_file" ]];
then
echo "This Bash Shell Script's output will be logged inside: "$log_file"";
let made_log_file=0;
else
echo "This Bash Shell Script's output will NOT be logged inside: "$log_file" because it failed to create or access the stated file.";
echo "This Bash Shell Script can still continue its procedures.";
let made_log_file=1;
fi
}
opening_statements()
{
echo "This Bash Shell Script is designed for x86_64 Debian Linux 7.6 and Tested with GnuPG-1-1.4.18 and GnuPG-2-2.0.26.";
echo "It can download the Latest GnuPG-1 or GnuPG-2 Stable Source Code archive, extract it, and raise the key size and secure memory limits in the Source Code to enable working with up to 40960-bit keys.";
echo "It can build a Portable GnuPG-1 Standalone Static Executable that may be carried to other Debian-based Linux OSs.";
echo "It can also build a GnuPG-2 Dynamically-Linked Executable.";
echo "Any installations are optional. Clean-up options are provided.";
echo "Building dependencies are acquired via the APT repositories. The Source Code is acquired from either the GnuPG Website or the APT repositories.";
echo "Use the ldd utility to view a GnuPG executable's dependencies.";
echo "GnuPG comes in two flavours, GnuPG-1 (gpg) and GnuPG-2 (gpg2), which provide similar basic functionality and can be installed together.";
echo "Only GnuPG-1 is truly standalone. GnuPG-2 is modularized and relies on installed dynamic system components in order to function.";
echo "However, GnuPG-2 also supports S/MIME, X.509, CMS, keyring-daemon, SSH-agent, smart-cards, ECC (beta), etc.";
echo "Bottom-line: Use GnuPG-1 if you don't need need the extra GnuPG-2 features and if you need portability. The core algorithms are the same.";
echo "The GnuPG authors may eventually discontinue the development of GnuPG-1.";
echo "Unmodified GnuPG can generate up to 4096-bit keys but use up to 16384-bit keys. Larger keys can be viewed but not operated. Therefore, keep the modified GnuPG-1 Standalone Static Executable available for use.";
echo "FOR SECURITY: Manually check the authenticity and integrity of all the downloaded files.";
echo "Superuser (sudo) access is required.";
}
debian76_check()
{
echo "Checking for OS Name and Version.";
os_string=$(uname -a);
os_string=${os_string,,};
if [[ $os_string == *debian* ]] && [[ $os_string == *7* ]];
then
echo "The OS has been identified as DEBIAN 7.6.";
else
echo "Unknown OS. Use the recommended OSs. This Bash Shell Script will now exit.";
pause;
exit;
fi
}
gpg1_or_gpg2_question()
{
echo "Asking for the flavour of GnuPG to work on.";
let repeat_flavour_question=1;
while [[ $repeat_flavour_question == 1 ]];
do
echo "Which GnuPG flavour?";
echo "[1] GnuPG-1 - Static.";
echo "[2] GnuPG-2 - Dynamic.";
echo -n "Enter 1 or 2: ";
read gpg_flavour;
if [[ $gpg_flavour != 1 ]] && [[ $gpg_flavour != 2 ]];
then
echo "Invalid choice.";
else
let repeat_flavour_question=0;
fi
done
echo "Will work on GnuPG-$gpg_flavour.";
}
ask_to_use_sid()
{
echo "Asking about whether to add the Sid APT Repository.";
echo "CAUTION: The Sid APT Repository significantly changes system package management.";
echo "Clean-up options can reverse these changes.";
let sid_use_question_answered=0;
while [[ $sid_use_question_answered == 0 ]];
do
echo -n "Build GnuPG by using the Sid APT Repository (Large Download)? (Recommended Answer: Nn for GnuPG-1. Yy for GnuPG-2.) (Yy or Nn): "
read whether_to_use_sid;
whether_to_use_sid=${whether_to_use_sid,,};
if [[ $whether_to_use_sid != "n" ]] && [[ $whether_to_use_sid != "y" ]];
then
echo "Invalid choice. Enter Yn or Nn.";
else
let sid_use_question_answered=1;
fi
done
echo "Sid Repository preferences processed.";
}
web_or_repos_question()
{
echo "Asking whether to use the GnuPG Website or the APT repositories to acquire the GnuPG Source Code.";
let repeat_web_or_repos_question=1;
while [[ $repeat_web_or_repos_question == 1 ]];
do
echo "Source Code acquisition method?";
echo "[1] GnuPG FTP Server (Web) - Compile Latest Known Version.";
echo "[2] APT Repositories - Compile Available Repository Version.";
echo -n "Enter 1 or 2: ";
read web_or_repos;
if [[ $web_or_repos != 1 ]] && [[ $web_or_repos != 2 ]];
then
echo "Invalid choice.";
else
let repeat_web_or_repos_question=0;
fi
done
if [[ $web_or_repos == 1 ]];
then
echo "Will use GnuPG FTP Server (Web).";
else
echo "Will use Built-in APT Repositories.";
fi
}
set_directories()
{
echo "Asking for working directory location choice.";
echo "Changing into Home (~) directory first.";
cd ~;
echo "Entered into Home (~) directory: "$(pwd)".";
let repeat_dir_question=1;
while [[ $repeat_dir_question == 1 ]];
do
echo "Method of setting directory to work inside?";
echo "[1] Preset (Automatically create a directory inside the Home (~) directory).";
echo "[2] Manual (Specify a directory under which to create a working directory).";
echo -n "Enter 1 or 2: ";
read dir_choice;
if [[ $dir_choice != 1 ]] && [[ $dir_choice != 2 ]];
then
echo "Invalid choice. Enter 1 or 2.";
elif [[ $dir_choice == 1 ]];
then
work_dir="~/work_in_progress/";
directory_input_processor;
if [[ $directory_validity == 1 ]];
then
working_directories_maker;
if [[ $dir_making_success != 0 ]];
then
let repeat_dir_question=0;
fi
fi
elif [[ $dir_choice == 2 ]];
then
echo "Specify an accessible existing or new directory location for this Script to work inside.";
echo -n "Enter directory location: ";
read work_dir;
directory_input_processor;
if [[ $directory_validity == 0 ]];
then
let dir_interpretation_question_answered=1;
else
let dir_interpretation_question_answered=0;
fi
while [[ $dir_interpretation_question_answered == 0 ]];
do
echo "The working directory location will be set as: "$work_dir".";
echo -n "Is this interpretation correct? Continue? (Yy or Nn): ";
read if_dir_interpretation_correct;
if_dir_interpretation_correct=${if_dir_interpretation_correct,,};
if [[ $if_dir_interpretation_correct != "n" ]] && [[ $if_dir_interpretation_correct != "y" ]];
then
echo "Invalid choice. Enter Yn or Nn.";
else
let dir_interpretation_question_answered=1;
fi
done
if [[ $if_dir_interpretation_correct == "y" ]];
then
working_directories_maker;
if [[ $dir_making_success != 0 ]];
then
let repeat_dir_question=0;
fi
fi
fi
done
echo "Done processing working directory location choice.";
}
directory_input_processor()
{
echo "Processing directory location input.";
work_dir=${work_dir// /_spac_};
eval work_dir=""$work_dir"";
if [[ $? == 0 ]];
then
let eval_pass=1;
else
let eval_pass=0;
fi
work_dir=${work_dir//_spac_/ };
work_dir=""$(readlink -m "$work_dir")/gpg_work"";
if [[ -z $work_dir ]] || [[ $eval_pass == 0 ]];
then
let directory_validity=0;
echo "Directory location input seems incorrect.";
echo "Manually input a different directory location.";
else
echo "Directory location input seems correct for now.";
let directory_validity=1;
fi
echo "Directory location input processed.";
}
working_directories_maker()
{
echo "Making directories to work inside.";
gpg1_source_dir="$work_dir/gpg1_source";
gpg2_source_dir="$work_dir/gpg2_source";
if
(
mkdir -vp "$work_dir";
mkdir -vp "$gpg1_source_dir";
mkdir -vp "$gpg2_source_dir";
);
then
echo "SUCCESS: The Script will process files inside: "$work_dir".";
let dir_making_success=1;
else
echo "FAILURE: Directory making process failed. Try again.";
let dir_making_success=0;
fi
echo "Working directory creation process complete.";
}
change_to_correct_source_dir()
{
if [[ $gpg_flavour == 1 ]];
then
cd "$gpg1_source_dir";
else
cd "$gpg2_source_dir";
fi
}
add_sid_apt_repos()
{
echo "Installing Sid APT Repository.";
sid_repo_list_placement="/etc/apt/sources.list.d/sid_repo.list";
sid_repos_line="deb http://http.us.debian.org/debian/ sid main contrib non-free\ndeb-src http://http.us.debian.org/debian/ sid main contrib non-free";
sudo touch "$sid_repo_list_placement";
echo "$sid_repos_line" | sudo tee -a "$sid_repo_list_placement";
sudo apt-get update;
echo "Sid APT Repository installation procedure complete.";
}
regular_apt_repos_update()
{
echo "Performing a regular update of the APT Repository information.";
sudo apt-get update;
echo "APT Repository information update process complete.";
}
get_apt_gpg1_builddeps()
{
echo "Installing building dependencies for GnuPG-1 via APT - Automatically.";
sudo apt-get build-dep "gnupg";
echo "GnuPG-1 building dependencies Installation procedure complete.";
}
get_apt_gpg2_builddeps()
{
echo "Installing building dependencies for GnuPG-2 via APT - Automatically.";
sudo apt-get build-dep "gnupg2";
echo "GnuPG-2 building dependencies Installation procedure complete.";
}
get_apt_gpg1_src()
{
echo "Getting Source Code for GnuPG-1 via APT.";
cd "$work_dir";
apt-get -d source "gnupg";
tar -xf "$(ls source| grep -E 'gnupg.*1..*orig.*tar')" --strip-components=1 -C "$gpg1_source_dir";
echo "Source Code retrieval and extraction for GnuPG-1 complete.";
}
get_apt_gpg2_src()
{
echo "Getting Source Code for GnuPG-2 via APT.";
cd "$work_dir";
apt-get -d source "gnupg2";
tar -xf "$(ls | grep -E 'gnupg2.*2..*orig.*tar')" --strip-components=1 -C "$gpg2_source_dir";
echo "Source Code retrieval and extraction for GnuPG-2 complete.";
}
get_web_gpg1_src()
{
echo "Retrieving GnuPG-1 Source Code from the web.";
cd "$work_dir";
wget ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-1.4.18.tar.bz2;
tar -xf $(ls | grep -E 'gnupg.*1..*tar.bz2') --strip-components=1 -C "$gpg1_source_dir";
echo "Web-Based Source Code retrieval and extraction for GnuPG-1 complete.";
}
get_web_gpg2_src()
{
echo "Retrieving GnuPG-2 Source Code from the web.";
cd "$work_dir";
wget ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.0.26.tar.bz2;
tar -xf $(ls | grep -E 'gnupg.*2..*tar.bz2') --strip-components=1 -C "$gpg2_source_dir";
echo "Web-Based Source Code retrieval and extraction for GnuPG-2 complete.";
}
raise_limits_in_source_code_dir()
{
echo "Raising the key size and secure memory limits in the GnuPG-$gpg_flavour Source Code to enable working with up to 40960-bit keys.";
change_to_correct_source_dir;
grep -rl 4096 | xargs sed -i 's/4096/40960/g'; #Replaces the 4096 bit key size limit with 102400 bits.
grep -rl 32768 | xargs sed -i 's/32768/10000000/g'; #Replaces the 32768 byte secure memory limit with 10000000 bytes.
grep -rl 16384 | xargs sed -i 's/16384/40960/g'; #Replaces the 16384 bit MPI (Message Parsing Interface) Object limit and another secure memory limit with 40960 bits.
echo "Source Code Limits on key size and secure memory Raised.";
}
build_static_gnupg1()
{
echo "Building a Portable GnuPG-1 Standalone Static Executable.";
change_to_correct_source_dir;
./configure --enable-ldap --with-libcurl CFLAGS="-static" LDFLAGS="-static";
make;
echo "Building process for a Portable GnuPG-1 Standalone Static Executable complete.";
}
build_dynamic_gnupg2()
{
echo "Building a Dynamically-Linked GnuPG-2 Executable.";
change_to_correct_source_dir;
./configure;
make;
echo "Building process for a Dynamically-Linked GnuPG-2 Executable complete.";
}
ask_and_perform_install()
{
echo "Asking for installation preference.";
let repeat_install_question=1;
while [[ $repeat_install_question == 1 ]];
do
echo -n "Install this build? (Yy or Nn): ";
read install_preference;
install_preference=${install_preference,,};
if [[ $install_preference != "n" ]] && [[ $install_preference != "y" ]];
then
echo "Invalid choice.";
else
let repeat_install_question=0;
fi
done
if [[ $install_preference == "y" ]];
then
echo "Installing build.";
change_to_correct_source_dir;
sudo make install;
else
echo "The built application will not be installed.";
fi
echo "Preferred installation preference applied.";
}
ask_and_perform_cleanup()
{
echo "Checking for clean-up preferences.";
echo "The user may need to manually remove some packages to avoid undesired changes in system package management.";
echo "Use "apt-get showsrc and markauto package_name" to remove the installed build dependencies.";
if [[ $install_preference == "y" ]];
then
let repeat_cleanup_question=0;
echo "Will not perform clean-up because GnuPG installation was chosen.";
else
let repeat_cleanup_question=1;
fi
while [[ $repeat_cleanup_question == 1 ]];
do
echo -n "Remove some repository changes and installed packages? (Not needed for Live OSs.) (Yy or Nn): ";
read cleanup_preference;
cleanup_preference=${cleanup_preference,,};
if [[ $cleanup_preference != "n" ]] && [[ $cleanup_preference != "y" ]];
then
echo "Invalid choice.";
else
let repeat_cleanup_question=0;
fi
done
echo "Processing clean-up options.";
if [[ $cleanup_preference == "y" ]] && [[ $whether_to_use_sid == "y" ]];
then
remove_sid_apt_repos;
clean_debian_deps;
elif [[ $cleanup_preference == "y" ]] && [[ $whether_to_use_sid == "n" ]];
then
clean_debian_deps;
fi
echo "Clean-up options processed.";
}
remove_sid_apt_repos()
{
echo "Removing Sid APT repository.";
sudo rm $sid_repo_list_placement;
sudo apt-get update;
sudo apt-get clean;
echo "Sid APT repository removal procedure complete.";
}
clean_debian_deps()
{
echo "Cleaning APT dependencies chain.";
sudo apt-get autoremove;
sudo apt-get autoclean;
sudo apt-get clean;
sudo apt-get update;
echo "APT dependencies chain cleaning procedure complete.";
}
core_gpg_tasks()
{
if [[ $whether_to_use_sid == "y" ]];
then
add_sid_apt_repos;
regular_apt_repos_update;
else
regular_apt_repos_update;
fi
pause;
if [[ $gpg_flavour == 1 ]] && [[ $web_or_repos == 1 ]];
then
get_apt_gpg1_builddeps;
pause;
get_web_gpg1_src;
pause;
raise_limits_in_source_code_dir;
pause;
build_static_gnupg1;
pause;
elif [[ $gpg_flavour == 1 ]] && [[ $web_or_repos == 2 ]];
then
get_apt_gpg1_builddeps;
pause;
get_apt_gpg1_src;
pause;
raise_limits_in_source_code_dir;
pause;
build_static_gnupg1;
pause;
elif [[ $gpg_flavour == 2 ]] && [[ $web_or_repos == 1 ]];
then
get_apt_gpg2_builddeps;
pause;
get_web_gpg2_src;
pause;
raise_limits_in_source_code_dir;
pause;
build_dynamic_gnupg2;
pause;
elif [[ $gpg_flavour == 2 ]] && [[ $web_or_repos == 2 ]];
then
get_apt_gpg2_builddeps;
pause;
get_apt_gpg2_src;
pause;
raise_limits_in_source_code_dir;
pause;
build_dynamic_gnupg2;
pause;
fi
}
closing_statements()
{
echo "All procedures complete. Completed work is present under "$work_dir".";
echo "Restart the Script to work on the other GnuPG flavour.";
echo "Move all completed work out of the directory above before reusing the Script.";
echo "This Bash Shell Script will now exit.";
}
pause()
{
echo -e "\n";
read -rsn 1 -p "Press any key to continue." < /dev/tty;
echo -e "\n";
}
main()
{
opening_statements;
pause;
debian76_check;
pause;
gpg1_or_gpg2_question;
pause;
ask_to_use_sid;
pause;
web_or_repos_question;
pause;
set_directories;
pause;
core_gpg_tasks;
pause;
ask_and_perform_install;
pause;
ask_and_perform_cleanup;
pause;
closing_statements;
pause;
}
clear;
make_log_file;
pause;
if [[ $made_log_file == 0 ]];
then
exec > >(tee -a "$log_file");
exec 2>&1;
main;
else
exec 2>&1;
main;
fi
exit;
#These are options supplied to the gpg-agent which serves as a key daemon for GnuPG-2, SSH, etc.
#This file may not always be necessary, but, import this .conf file into the ~/.gnupg folder.
#Use the system's built-in key daemon instead if problems arise.
#Add this pinentry-program option if problems arise. pinentry-curses can be installed via APT or YUM if needed.
#pinentry-program /usr/bin/pinentry-curses
daemon
disable-scdaemon
enable-ssh-support
verbose
verbose
verbose
verbose
verbose
verbose
verbose
verbose
verbose
verbose
##NOTES##
#Read Linux manuals and the GnuPG Options Index to understand these options and apply judgement to change them as needed.
#Use the latest Linux CLI implementation as the default GPG application. Create backups before experimentation.
#
#Create the default directories and .conf files with --version or --gpgconf-test or --list-config.
#Check for reasons behind errors via --debug-all --debug-level guru.
#Always copy this .conf file and all other related files into the ~/.gnupg folder.
#Check results with --list-packets, --check-sigs, --list-keys, --list-chain, or use --dry-run.
#
#A list of cross-platform and widely-supported algorithms is on the GnuPG website. Only the most widely-supported algorithms are mentioned in this .conf file.
#Compiling GPG with a different or newer libgcrypt may allow access to other different algorithms inside libgcrypt.
#
#Always run this command on the GnuPG directory to ensure proper ownership and permissions: "sudo chmod -R 700 ~/.gnupg && sudo chown -R $USER:$GROUP ~/.gnupg".
#General Warning 1: Avoid metadata leaks.
#General Warning 2: Manually change system-time, use tools that spoof system-time, or use faked-system-time before generating keys.
#General Warning 3: When generating keys, set the Master Key to (C)ERTIFY only, and similarly, give only one flag (E, S, A) to each of the subkeys.
##ENCRYPTION PREFERENCES##
#All initial preferences and features placed inside keys which will also apply to any additional generated subkeys as long as the preferences in this file are given.
#Key recipients see these preferences.
#To keep only the basic features: default-preference-list MDC NO-KS-MODIFY
#To remove all preferences and features from a key: default-preference-list NO-MDC KS-MODIFY
#For a realistic and compatibility-aware statement: default-preference-list AES256 CAMELLIA256 TWOFISH CAMELLIA192 AES192 CAMELLIA128 CAST5 IDEA AES128 3DES BLOWFISH SHA512 SHA384 SHA256 SHA224 RIPEMD160 SHA1 BZIP2 ZLIB ZIP UNCOMPRESSED MDC NO-KS-MODIFY
default-preference-list MDC NO-KS-MODIFY
#
#The hash algorithm used in the key-signing/certification of oneself's keys and others' keys.
cert-digest-algo SHA512
#
#Symmetric and asymmetric encryption preferences that get reconciled with recipients' preferences.
personal-cipher-preferences AES256 CAMELLIA256 TWOFISH
personal-digest-preferences SHA512
personal-compress-preferences BZIP2 ZLIB ZIP UNCOMPRESSED
#
#Encryption settings that override recipients' preferences and all other preferences in this file.
#Must change as needed and regularly to increase security.
cipher-algo CAMELLIA256
s2k-cipher-algo CAMELLIA256
digest-algo SHA512
s2k-digest-algo SHA512
s2k-mode 3
s2k-count 100000000
force-mdc
##COMPRESSION PREFERENCES##
#Compression settings that override recipients' preferences and all other preferences in this file.
#Must change as needed and regularly to increase security.
compress-algo BZIP2
compress-level 9
bzip2-compress-level 9
##WEB OF TRUST##
#Key-signing/certification general settings for oneself's keys and others' keys.
#The level of trust to assign other people's keys
trust-model pgp
default-cert-level 0
#ask-cert-level
min-cert-level 1
completes-needed 1
marginals-needed 2
max-cert-depth 5
#Signatures, by default, are set not to expire. This can now be changed for each individual signature. Use 0 as a policy.
ask-cert-expire
ask-sig-expire
#default-sig-expire 0
#default-cert-expire 0
##METADATA REMOVAL##
#Do not place the GnuPG version or any comments in your data.
no-emit-version
no-comments
#
#throw-keyids is similar to the --hidden-recipient option but works on all keyids at once. It blocks GnuPG from emitting the keyid on an encrypted packet.
#This makes it difficult but not impossible for someone to deduct the properties of the public-key being used to encrypt a file. Keep changing the public-key to guarantee high secrecy.
#The throw-keyids option does not work on signatures and GnuPG does not hide the keyid in a standalone signature.
#One can Encrypt and Sign together to hide the signature packet under the encryption packet.
#Use available options to specify the secret-key to decrypt with when receiving encrypted files without a keyid. Otherwise, wait for GnuPG to try all secret-keys.
throw-keyids
#
#for-your-eyes-only overrides --set-filename and forces recipients to pick an output filename and extension.
#Use --set-filename fakeFilename.ext if needed.
for-your-eyes-only
no-use-embedded-filename
#
#ignore-time-conflict overrides prompts regarding timing that occur due to manual time modifications.
ignore-time-conflict
#Manually give --faked-system-time 20070924T154812 to GnuPG if it allows. Remove the comment hashtag below to set a faked-system-time but keep changing it to evade identification.
#faked-system-time 20070924T154812
##RUNTIME##
no-greeting
expert
interactive
enable-progress-filter
keyid-format 0xLONG
fingerprint
fingerprint
with-fingerprint
with-fingerprint
verbose
verbose
verbose
verbose
verbose
verbose
verbose
verbose
verbose
verbose
#
#If gpg-agent is non-functional, change the key daemon to the built-in key daemon in Gnome.
#agent-program gnome-keyring-daemon
#
#Cautiousness settings for when looking at or using keys.
list-options show-photos show-policy-urls show-notations show-std-notations show-user-notations show-keyserver-urls show-uid-validity show-unusable-uids show-unusable-subkeys show-keyring show-sig-expire show-sig-subpackets
#Add show-usage to list-options when the option becomes available in GnuPG.
verify-options show-photos show-policy-urls show-notations show-std-notations show-user-notations show-keyserver-urls show-uid-validity show-unusable-uids no-show-primary-uid-only no-pka-lookups no-pka-trust-increase
auto-check-trustdb
##KEYSERVERS##
#Only use keyservers behind a system with blanket internet traffic Onion Routing because keyservers can reveal communication networks.
#Only use the trusted keyservers designated in the gpg.conf file.
#Change to a completely new Onion Routing circuit before and after any communication with keyservers, like refreshing keys. searching for keys, or retrieving keys.
#
#Keyservers used.
#Trusted keyserver for inside-GnuPG access: hkps://hkps.pool.sks-keyservers.net.
#Trusted keyserver for outside-GnuPG website access: https://sks-keyservers.net.
#Trusted email-verified keyserver for manual key transfer through website: https://keyserver.pgp.com.
#All keyserver certificates, including websites' public-key certificates, should be placed under the ~/.gnupg/Keyservers_Certificates directory and used to verify keyservers' authenticity upon each connection that is made.
#To activate the trusted keyserver, remove the two comment-hastags below.
#keyserver-options ca-cert-file=~/.gnupg/Keyservers_Certificates/sks-keyservers.netCA.pem
#keyserver hkps://hkps.pool.sks-keyservers.net
#
#Keyserver connection settings that help mitigate leakage threats when a connection to a keyserver is made.
no-auto-key-locate
keyserver-options no-try-dns-srv no-auto-key-retrieve no-honor-keyserver-url no-honor-pka-record include-revoked include-disabled include-subkeys check-cert
keyserver-options verbose verbose verbose verbose verbose verbose verbose verbose verbose verbose
keyserver-options timeout 10
#
#To manually use a keyserver with an Onion Routing SOCKS5 Proxy on Port 9050, remove the comment-hastag below. Change the port number if needed.
#Warning: Blanket Onion Routing of the whole OS is better. This setting overrides the "http_proxy" environment variable, if any.
#keyserver-options http-proxy=socks5h://127.0.0.1:9050
#This controls dirmngr and gpgsm, both of which are certificate managers connected to GnuPG-2.
#One may accidentally or purposefully connect to keyservers and leak data, so it is necessary to clean the connection as much as possible.
#Check for reasons behind errors via --debug-all --debug-level guru.
#Security precautions to neutralize protocols that can leak information.
disable-ldap
ignore-ldap-dp
disable-crl-checks
disable-policy-checks
disable-trusted-cert-crl-check
#disable-http
#ignore-http-dp
#Proxy settings. Try to stay behind a system with blanket internet traffic Onion Routing.
honor-http-proxy
#http-proxy host[:port]
#ldap-proxy host[:port]
#
#To manually use a keyserver with an Onion Routing SOCKS5 Proxy on Port 9050. Change the port number if needed. Blanket Onion Routing of the whole OS is better.
#The use of this option overrides the environment variable http_proxy regardless whether --honor-http-proxy has been set.
#http-proxy=socks5h://127.0.0.1:9050
#Runtime preferences.
verbose
verbose
verbose
verbose
verbose
verbose
verbose
verbose
verbose
verbose
#Note about OSCP (Online Certificate Status Protocol) from inside the GnuPG manual.
#--allow-ocsp
#This option enables OCSP support if requested by the client.
#OCSP requests are rejected by default because they may violate the privacy of the user; for example it is possible to track the time when a user is reading a mail.
disable-ocsp
#Manually give --faked-system-time 20070924T154812 to GnuPG if it allows. Remove the comment-hastag below to set a constant faked-system-time but keep changing it to evade identification.
#This option is generally not necessary for use with GPGSM.
#faked-system-time 20070924T154812
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment