Skip to content

Instantly share code, notes, and snippets.

@atErik
Created March 5, 2015 19:16
Show Gist options
  • Star 1 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save atErik/1a495624a5f03e3fe499 to your computer and use it in GitHub Desktop.
Save atErik/1a495624a5f03e3fe499 to your computer and use it in GitHub Desktop.
A comparatively stronger & safer & secured gpg.conf
# Created by atErik / tErik.
# Copyright 2011-2015, atErik.
# a4t4erik AT out4look dot co4m, t4erik AT sfk4 dot co4
# (Remove "4" from above, for address).
# Released under GPL (GNU Public License).
#
#
# First modified original gpg.conf on 2011.
# Then continued to tranfer modifications on top of other new versions.
# Changed & improved options, when it was necessary.
#
#
#
# THIS GPG.CONF IS USED WITH GnuPG v1.4.18 (classic) IN WINDOWS,
# RUN FROM PORTABLE USB OR FLASH MEDIA STORAGE DRIVE.
# This Portable/external USB/FLASH media storage drive was
# assigned a fixed drive letter: J:
# by using windows "Computer Management" panel.
# (run: compmgmt.msc for "Computer Management")
#
#
#
# HOW GnuPG BINARY FILES WERE OBTAINED ?
# [1] After obtaining installer file from gnupg.org, [2] install GnuPG
# classic v1.4.18 into a sub-folder
# "C:\Program Files (x86)\GNU\GnuPG1\" <-- notice the "1".
# in a fresh+uninfected system, (after thorough checking of
# installer file).
# [3] Then copy all files except "uninstall.exe", from
# "C:\Program Files (x86)\GNU\GnuPG1\" into "J:\GPG\1\App\"
# And [4] again copy all files from "J:\GPG\1\App\"
# into "J:\GPG\1\v1.4.18\" It is backup of GPG v1.4.18.
# [5] Obtain Vanilla edition of GPG4Win (GPG v2.0.26) and
# [6] install into "C:\Program Files (x86)\GNU\GnuPG\"
# above folder, in a fresh & uninfected system, (you must check
# installer file thoroughly).
# [7] And then copy below 9 files from
# "C:\Program Files (x86)\GNU\GnuPG\"
# into "J:\GPG\1\App\"
# libadns-1.dll libcurl-4.dll
# libgcrypt-20.dll libgnutls-26.dll
# libgpg-error-0.dll libiconv-2.dll
# libtasn1-3.dll zlib1.dll
# gpgkeys_kdns.exe
# [8] Delete these 4 files from "J:\GPG\1\App\"
# gpgkeys_curl.exe gpgkeys_ldap.exe
# gpgkeys_finger.exe gpgkeys_hkp.exe
# [9] Copy below 4 files from "C:\Program Files (x86)\GNU\GnuPG\"
# into "J:\GPG\1\App\"
# gpg2keys_curl.exe gpg2keys_ldap.exe
# gpg2keys_finger.exe gpg2keys_hkp.exe
# [10] Then rename above 4 files, and remove the "2".
# [11] Now your files will look like the list, which shown below.
# [12] As GPG v2.0.26 supports HKPS (secure+encrypted connection) &
# other features, which we want to use, but was not avaiable
# in v1.4.18, thats why we have to do these steps.
# [13] Create an empty file "gpg.conf" inside "J:\GPG\1\Data\"
# [14] Copy-paste codes from this webpage into that "gpg.conf" file.
# [15] Obtain ThunderbirdPortable installer and [16] install into
# "J:\PortableApps\ThunderbirdPortable\"
# [17] Obtain "GPG for ThunderbirdPortable" installer, and
# [18] install into same "J:\PortableApps\ThunderbirdPortable\"
# [19] Copy/backup all files & folders from here
# "J:\PortableApps\ThunderbirdPortable\App\gpg\"
# and [20] paste into "J:\GPG\1\OldGPG\"
# [21] Download the "sks-keyservers.netCA.pem" file, from below
# website. It is the root CA TLS/SSL certificate file of a
# keyserver which supports HKPS encrypted connection, and
# it's domain name is also DNSSEC signed:
# https://sks-keyservers.net/overview-of-pools.php
# and [22] download pem file into this below folder: "J:\GPG\1\App\"
# [23] Create an empty (0/zero byte sized) file "gpgconf.ctl"
# inside this folder "J:\GPG\1\App\"
# [24] Now copy all files from here "J:\GPG\1\App\" and paste
# into "J:\PortableApps\ThunderbirdPortable\App\gpg\"
# [25] and copy all files from here "J:\GPG\1\Data\" and paste
# into "J:\PortableApps\ThunderbirdPortable\Data\gpg\"
# [26] Now start ThunderbirdPortable, [27] install "Enigmail" addon
# extension. [28] Restart Thunderbird.
# [29] Goto main menu > Enigmail > Preferences > Basic > and
# [30] click on "Show Expert Settings". [31] Then select the
# "Override with" option and [32] click on "Browse" button,
# and [33] select the "gpg.exe" file, located inside below
# folder: "J:\PortableApps\ThunderbirdPortable\App\gpg\"
# [34] Goto Enigmail > Preferences > Advanced > and
# [35] insert below line inside the "Additional parameters for GnuPG"
# textbox:
# --homedir "..\\..\\Data\\gpg\\" --options "..\\..\\Data\\gpg\\gpg.conf" --verbose --verbose --require-secmem --no-default-keyring --secret-keyring "..\\..\\Data\\gpg\\secring.gpg" --trustdb-name "..\\..\\Data\\gpg\\trustdb.gpg" --primary-keyring "..\\..\\Data\\gpg\\pubring.gpg" --keyring "..\\..\\Data\\gpg\\pubring.gpg"
# [36] keep one space character (an empty space) in fron of above
# line, and keep one space char at end.
# [37] Goto Enigmail > Preferences > Keyserver > and
# [38] insert below line inside the "Specify your keyservers" textbox:
# hkps://hkps.pool.sks-keyservers.net no-honor-keyserver-url,verbose,check-cert,ca-cert-file=".\\sks-keyservers.netCA.pem"
# [39] keep one space character (an empty space) in front of above
# line, and keep one space char at end.
# [40] Press "Ok" to save your changes, in Enigmail.
# [41] You should restart Thunderbird once.
# [42] Now you are ready to use it, from external USB/Flash
# storage drive.
#
#
# [100] Why do we have to copy/backup files on different folders ?
# [101] when/if you update portable-thunderbird next-time, then
# [102] installer program will AUTOMATICALLY DELETE existing all
# binary files & folders located inside
# "J:\PortableApps\ThunderbirdPortable\App\"
# folder! including the Improved-GPG folder. ( [103] The
# ThunderbirdPortable\Data\gpg\ folder & "gpg.conf" file
# will remain fine). [104] So we must have to keep backup of
# Improved-GPG, which is this location "J:\GPG\1\App\",
# and [105] keep backup of old-GPG into "J:\GPG\1\OldGPG\"
# And [106] IF you have updated ThunderbirdPortable, then you [107] must
# have to run the old "GPG for ThunderbirdPortable" installer
# again. [108] Then over-write old-GPG with Improved-GPG, by doing this:
# copy all files & folders from "J:\GPG\1\App\" into below
# folder: "J:\PortableApps\ThunderbirdPortable\App\"
# And then, finally, [109] you are again ready to use Thunderbird
# Portable, and portable & improved GPG.
#
#
#
#
# File list in "J:\GPG\1\App\"
# gpg.exe
# gpgconf.ctl gpgkeys_curl.exe
# gpgkeys_finger.exe gpgkeys_hkp.exe
# gpgkeys_kdns.exe gpgkeys_ldap.exe
# gpgsplit.exe gpgv.exe
# gpg_readme.txt iconv.dll
# libadns-1.dll libcurl-4.dll
# libgcrypt-20.dll libgnutls-26.dll
# libgpg-error-0.dll libiconv-2.dll
# libtasn1-3.dll zlib1.dll
# sks-keyservers.netCA.pem
# CAcert_class3.crt CAcert_root.crt
# [Doc]
# [gnupg.nls]
#
#
#
#
#
# These first three lines are not copied to the gpg.conf file in
# the users home directory.
# $Id$
# Options for GnuPG
# Copyright 1998, 1999, 2000, 2001, 2002, 2003,
# 2010 Free Software Foundation, Inc.
#
# This file is free software; as a special exception the author gives
# unlimited permission to copy and/or distribute it, with or without
# modifications, as long as this notice is preserved.
#
# This file is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
# Unless you specify which option file to use (with the command line
# option "--options filename"), GnuPG uses the file ~/.gnupg/gpg.conf
# by default.
#
# An options file can contain any long options which are available in
# GnuPG. If the first non white space character of a line is a '#',
# this line is ignored. Empty lines are also ignored.
#
# See the man page for a list of options.
homedir "J:\PortableApps\ThunderbirdPortable\Data\gpg\"
options "J:\PortableApps\ThunderbirdPortable\Data\gpg\gpg.conf"
no-default-keyring
secret-keyring "J:\PortableApps\ThunderbirdPortable\Data\gpg\secring.gpg"
trustdb-name "J:\PortableApps\ThunderbirdPortable\Data\gpg\trustdb.gpg"
primary-keyring "J:\PortableApps\ThunderbirdPortable\Data\gpg\pubring.gpg"
keyring "J:\PortableApps\ThunderbirdPortable\Data\gpg\pubring.gpg"
# Below options are specified to Enigmail via Thunderbird's Config-Editor.
# --homedir "J:\\PortableApps\\ThunderbirdPortable\\Data\\gpg" --options "J:\\PortableApps\\ThunderbirdPortable\\Data\\gpg\\gpg.conf" --verbose --verbose --require-secmem --no-default-keyring --secret-keyring "J:\\PortableApps\\ThunderbirdPortable\\Data\\gpg\\secring.gpg" --trustdb-name "J:\\PortableApps\\ThunderbirdPortable\\Data\\gpg\\trustdb.gpg" --primary-keyring "J:\\PortableApps\\ThunderbirdPortable\\Data\\gpg\\pubring.gpg" --keyring "J:\\PortableApps\\ThunderbirdPortable\\Data\\gpg\\pubring.gpg"
# Relative-PATH can be specified, becasue ThunderbirdPortable uses this
# folder: ThunderbirdPortable\\App\gpg\ as its CWD (current working directory):
# --homedir "..\\..\\Data\\gpg\\" --options "..\\..\\Data\\gpg\\gpg.conf" --verbose --verbose --require-secmem --no-default-keyring --secret-keyring "..\\..\\Data\\gpg\\secring.gpg" --trustdb-name "..\\..\\Data\\gpg\\trustdb.gpg" --primary-keyring "..\\..\\Data\\gpg\\pubring.gpg" --keyring "..\\..\\Data\\gpg\\pubring.gpg"
# If you use ThunderbirdPortable from USB-drive, then change all "J:\PortableApps\ThunderbirdPortable\"
# into this: "E:\ThunderbirdPortable\" if E: drive is your USB-drive.
# Uncomment the following option to get rid of the copyright notice
#no-greeting
# If you have more than 1 secret key in your keyring, you may want to
# uncomment the following option and set your preferred keyid.
#default-key 621CC013
# If you do not pass a recipient to gpg, it will ask for one. Using
# this option you can encrypt to a default key. Key validation will
# not be done in this case. The second form uses the default key as
# default recipient.
#default-recipient some-user-id
#default-recipient-self
# By default GnuPG creates version 4 signatures for data files as
# specified by OpenPGP. Some earlier (PGP 6, PGP 7) versions of PGP
# require the older version 3 signatures. Setting this option forces
# GnuPG to create version 3 signatures.
#force-v3-sigs
# Because some mailers change lines starting with "From " to ">From "
# it is good to handle such lines in a special way when creating
# cleartext signatures; all other PGP versions do it this way too.
# To enable full OpenPGP compliance you may want to use this option.
#no-escape-from-lines
# When verifying a signature made from a subkey, ensure that the cross
# certification "back signature" on the subkey is present and valid.
# This protects against a subtle attack against subkeys that can sign.
# Defaults to --no-require-cross-certification. However for new
# installations it should be enabled.
require-cross-certification
# If you do not use the Latin-1 (ISO-8859-1) charset, you should tell
# GnuPG which is the native character set. Please check the man page
# for supported character sets. This character set is only used for
# metadata and not for the actual message which does not undergo any
# translation. Note that future version of GnuPG will change to UTF-8
# as default character set.
#charset utf-8
display-charset utf-8
# Group names may be defined like this:
# group mynames = paige 0x12345678 joe patti
#
# Any time "mynames" is a recipient (-r or --recipient), it will be
# expanded to the names "paige", "joe", and "patti", and the key ID
# "0x12345678". Note there is only one level of expansion - you
# cannot make an group that points to another group. Note also that
# if there are spaces in the recipient name, this will appear as two
# recipients. In these cases it is better to use the key ID.
#group mynames = paige 0x12345678 joe patti
# Some old Windows platforms require 8.3 filenames. If your system
# can handle long filenames, uncomment this.
#no-mangle-dos-filenames
# Lock the file only once for the lifetime of a process. If you do
# not define this, the lock will be obtained and released every time
# it is needed - normally this is not needed.
#lock-once
# GnuPG can send and receive keys to and from a keyserver. These
# servers can be HKP, email, or LDAP (if GnuPG is built with LDAP
# support).
#
# Example HKP keyservers:
# hkp://keys.gnupg.net
#
# Example LDAP keyservers:
# ldap://pgp.surfnet.nl:11370
#
# Regular URL syntax applies, and you can set an alternate port
# through the usual method:
# hkp://keyserver.example.net:22742
#
# If you have problems connecting to a HKP server through a buggy http
# proxy, you can use keyserver option broken-http-proxy (see below),
# but first you should make sure that you have read the man page
# regarding proxies (keyserver option honor-http-proxy)
#
# Most users just set the name and type of their preferred keyserver.
# Note that most servers (with the notable exception of
# ldap://keyserver.pgp.com) synchronize changes with each other. Note
# also that a single server name may actually point to multiple
# servers via DNS round-robin. hkp://keys.gnupg.net is an example of
# such a "server", which spreads the load over a number of physical
# servers. To see the IP address of the server actually used, you may use
# the "--keyserver-options debug".
#keyserver hkp://keys.gnupg.net
#keyserver http://http-keys.gnupg.net
#keyserver mailto:pgp-public-keys@keys.nl.pgp.net
## We want to see more info from keyserver, so:
#keyserver-options debug,verbose
# Always use HKPS supported keyserver
keyserver hkps://hkps.pool.sks-keyservers.net
#keyserver-options no-honor-keyserver-url,check-cert,ca-cert-file="J:\\PortableApps\\ThunderbirdPortable\\App\\gpg\\sks-keyservers.netCA.pem"
# testing relative-path
keyserver-options no-honor-keyserver-url,check-cert,ca-cert-file=".\\sks-keyservers.netCA.pem"
# Below is specified in Enigmail, via Thunderbird's Config-editor:
# hkps://hkps.pool.sks-keyservers.net no-honor-keyserver-url,verbose,check-cert,ca-cert-file="J:\\PortableApps\\ThunderbirdPortable\\App\\gpg\\sks-keyservers.netCA.pem"
# From TorProject.org & sks-keyservers.net site:
#keyserver hkps://hkps.pool.sks-keyservers.net
#keyserver-options ca-cert-file=/path/to/CA/sks-keyservers.netCA.pem
#keyserver-options ca-cert-file=C:\Users\<user-name>\AppData\Local\gnupg\sks-keyservers.netCA.pem
#keyserver hkps://hkps.pool.sks-keyservers.net check-cert,ca-cert-file="J:\PortableApps\GnuPG\sks-keyservers.netCA.pem"
#keyserver hkps://keys.indymedia.org verbose,check-cert,ca-cert-file="C:\Users\<user-name>\AppData\Local\gnupg\CAcert_root.crt"
## When creating a key, individuals may designate a specific keyserver to
## use to pull their keys from. The below option will disregard this
## designation and use the pool, which is useful because (1) it prevents
## someone from designating an insecure method for pulling their key and
## (2) if the server designated uses hkps, the refresh will fail because
## the ca-cert will not match, so the keys will never be refreshed.
## (from riseup https://we.riseup.net/riseuplabs+paow/openpgp-best-practices)
#keyserver-options no-honor-keyserver-url
# Common options for keyserver functions:
#
# include-disabled = when searching, include keys marked as "disabled"
# on the keyserver (not all keyservers support this).
#
# no-include-revoked = when searching, do not include keys marked as
# "revoked" on the keyserver.
#
# verbose = show more information as the keys are fetched.
# Can be used more than once to increase the amount
# of information shown.
#
# use-temp-files = use temporary files instead of a pipe to talk to the
# keyserver. Some platforms (Win32 for one) always
# have this on.
#
# keep-temp-files = do not delete temporary files after using them
# (really only useful for debugging)
#
# honor-http-proxy = if the keyserver uses HTTP, honor the http_proxy
# environment variable
#
# broken-http-proxy = try to work around a buggy HTTP proxy
#
# auto-key-retrieve = automatically fetch keys as needed from the keyserver
# when verifying signatures or when importing keys that
# have been revoked by a revocation key that is not
# present on the keyring.
#
# no-include-attributes = do not include attribute IDs (aka "photo IDs")
# when sending keys to the keyserver.
#keyserver-options auto-key-retrieve
# Uncomment this line to display photo user IDs in key listings and
# when a signature from a key with a photo is verified.
#show-photos
# Use this program to display photo user IDs
#
# %i is expanded to a temporary file that contains the photo.
# %I is the same as %i, but the file isn't deleted afterwards by GnuPG.
# %k is expanded to the key ID of the key.
# %K is expanded to the long OpenPGP key ID of the key.
# %t is expanded to the extension of the image (e.g. "jpg").
# %T is expanded to the MIME type of the image (e.g. "image/jpeg").
# %f is expanded to the fingerprint of the key.
# %% is %, of course.
#
# If %i or %I are not present, then the photo is supplied to the
# viewer on standard input. If your platform supports it, standard
# input is the best way to do this as it avoids the time and effort in
# generating and then cleaning up a secure temp file.
#
# The default program is "xloadimage -fork -quiet -title 'KeyID 0x%k' stdin"
# On Mac OS X and Windows, the default is to use your regular JPEG image
# viewer.
#
# Some other viewers:
# photo-viewer "qiv %i"
# photo-viewer "ee %i"
# photo-viewer "display -title 'KeyID 0x%k'"
#
# This one saves a copy of the photo ID in your home directory:
# photo-viewer "cat > ~/photoid-for-key-%k.%t"
#
# Use your MIME handler to view photos:
# photo-viewer "metamail -q -d -b -c %T -s 'KeyID 0x%k' -f GnuPG"
#personal-cipher-preferences AES256 TWOFISH AES192 AES
personal-cipher-preferences AES256 TWOFISH CAMELLIA256 AES192 CAMELLIA192 AES CAMELLIA128 BLOWFISH CAST5 3DES
## when multiple digests are supported by all recipients, choose the
## strongest one:
## (from Debian http://keyring.debian.org/creating-key.html)
#personal-digest-preferences SHA512
## By K_F at #gnupg @ irc.freenode.net
personal-digest-preferences SHA512 SHA384 SHA256
## when making an OpenPGP certification, use a stronger digest than the
## default SHA1:
## (from Debian http://keyring.debian.org/creating-key.html)
cert-digest-algo SHA512
## (from whom??)
personal-compress-preferences ZLIB BZIP2 ZIP
## preferences chosen for new keys should prioritize stronger algorithms:
## (from Debian http://keyring.debian.org/creating-key.html)
#default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
## (from whom??)
default-preference-list SHA512 SHA384 SHA256 SHA224 RIPEMD160 SHA1 AES256 TWOFISH CAMELLIA256 AES192 CAMELLIA192 AES CAMELLIA128 BLOWFISH CAST5 3DES BZIP2 ZIP ZLIB
## default-preference-list SHA512 SHA384 SHA256 SHA224 RIPEMD160 SHA1 MD5 AES256 TWOFISH CAMELLIA256 AES192 CAMELLIA192 AES CAMELLIA128 BLOWFISH CAST5 3DES BZIP2 ZIP ZLIB
# From http://www.postgresql.org/docs/9.2/static/pgcrypto.html
# When encrypting with a symmetric key (i.e., a password): The given
# password is hashed using a String2Key (S2K) algorithm. This is rather
# similar to crypt() algorithms — purposefully slow and with random salt
# — but it produces a full-length binary key.
## (from whom??)
s2k-cipher-algo AES256
s2k-digest-algo SHA512
## long keyids are more collision-resistant than short keyids (it's trivial
## to make a key with any desired short keyid)
## (from riseup https://we.riseup.net/riseuplabs+paow/openpgp-best-practices)
keyid-format 0xlong
## if you care about strong key identifiers, you always want to see the
## fingerprint: (info from riseup).
with-fingerprint
## You should always know at a glance which User IDs gpg thinks are
## legitimately bound to the keys in your keyring:
## (from riseup https://we.riseup.net/riseuplabs+paow/openpgp-best-practices)
verify-options show-uid-validity
list-options show-uid-validity
## (From riseup https://we.riseup.net/riseuplabs+paow/openpgp-best-practices)
## Only use your primary key for certification (and possibly signing).
## Have a separate subkey for encryption. Have a separate subkey for
## signing, and keep your primary key entirely offline. In this scenario,
## your primary key is used only for certifications, which happen
## infrequently.
##
## Primary keys should be DSA-2 or RSA, 2048 bits or more. (RSA preferred).
## To check if you are using DSA-2 or RSA, you can do this:
## gpg --export-options export-minimal --export <fingerprint> | gpg --list-packets |grep -A2 '^:public key packet:$'|grep algo
## If the algo reported is 1, you are using RSA. If it is 17, then it is
## DSA and you will need to confirm that the size reported in the next
## check reports a bit-length key size as greater than 1024, otherwise
## you aren’t using DSA-2. If the algo reported is 19, you are using
## ECDSA, if it is 18 you are using ECC, and the key bit-length deter-
## -mination check below is not an appropriate criteria for these types
## of keys as as the key sizes will drop significantly. To check the
## bit-length of the primary key you can do this:
## gpg --export-options export-minimal --export <fingerprint> | gpg --list-packets |grep -A2 'public key'|grep 'pkey\[0\]:'
## Do not start the gpg-agent or the dirmngr if it has not yet been started
## and if its service is required. This option is mostly useful on machines
## where the connection to gpg-agent has been redirected to another machines.
## If dirmngr is required on the remote machine, it may be started manually
## using gpgconf --launch dirmngr.
##no-autostart
## This is dummy option. gpg2 always requires the agent.
# Gnupg 1.4.x does not support/need agent, so disable agent:
no-use-agent
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment