gnupg/gpg.conf: Use more secure key preferences.

diff --git a/gnupg/gpg.conf b/gnupg/gpg.conf
index d10858f71bbe5e5ba285c0803e3ddffa89bf55ff..8c115f75c067fcdc8ebd3e36ce8c233cd3233a68 100644 (file)
--- a/gnupg/gpg.conf
+++ b/gnupg/gpg.conf
@@ -1,4 +1,9 @@
 # Configuration file for GnuPG.
+#
+# Thanks to [1] for some hints to generate more secure keys (read on
+# 2013-04-04).
+#
+# [1]: https://we.riseup.net/riseuplabs+paow/openpgp-best-practices
 
 # Copyright (C) 2009-2012  Simon Ruderich
 #
@@ -24,11 +29,24 @@ no-greeting
 
 # KEY GENERATION
 
-# Use AES256, SHA256 and zlib when possible (when the receiver's key allows
-# it).
-personal-cipher-preferences AES256
-personal-digest-preferences SHA256
-personal-compress-preferences ZLIB
+# Use more secure preferences. These are not enforced, but tried in the given
+# order and the first supported by all recipients is used.
+#
+# Ciphers for encryption.
+personal-cipher-preferences AES256 AES192 AES CAST5
+# Don't use insecure hashes like SHA1 or MD5 and prefer stronger hashes.
+personal-digest-preferences SHA512 SHA384 SHA256 SHA224
+# Prefer better compression methods.
+personal-compress-preferences BZIP2 ZLIB ZIP Uncompressed
+
+# Default preferences when generating a new key. Use the three settings above
+# combined to create more secure keys.
+default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed
+
+# Don't use SHA1 when signing keys, this includes self-certificates. This
+# setting is separate from the settings above and needs to be explicitly set
+# or SHA1 will be used! Thanks to [1].
+cert-digest-algo SHA512
 
 
 # KEYSERVERS