From: Simon Ruderich Date: Thu, 4 Apr 2013 00:56:19 +0000 (+0200) Subject: gnupg/gpg.conf: Use more secure key preferences. X-Git-Url: https://ruderich.org/simon/gitweb/?a=commitdiff_plain;h=cf7c3fc7c0313a23729011395445f8af15db0fed;p=config%2Fdotfiles.git gnupg/gpg.conf: Use more secure key preferences. --- diff --git a/gnupg/gpg.conf b/gnupg/gpg.conf index d10858f..8c115f7 100644 --- a/gnupg/gpg.conf +++ b/gnupg/gpg.conf @@ -1,4 +1,9 @@ # Configuration file for GnuPG. +# +# Thanks to [1] for some hints to generate more secure keys (read on +# 2013-04-04). +# +# [1]: https://we.riseup.net/riseuplabs+paow/openpgp-best-practices # Copyright (C) 2009-2012 Simon Ruderich # @@ -24,11 +29,24 @@ no-greeting # KEY GENERATION -# Use AES256, SHA256 and zlib when possible (when the receiver's key allows -# it). -personal-cipher-preferences AES256 -personal-digest-preferences SHA256 -personal-compress-preferences ZLIB +# Use more secure preferences. These are not enforced, but tried in the given +# order and the first supported by all recipients is used. +# +# Ciphers for encryption. +personal-cipher-preferences AES256 AES192 AES CAST5 +# Don't use insecure hashes like SHA1 or MD5 and prefer stronger hashes. +personal-digest-preferences SHA512 SHA384 SHA256 SHA224 +# Prefer better compression methods. +personal-compress-preferences BZIP2 ZLIB ZIP Uncompressed + +# Default preferences when generating a new key. Use the three settings above +# combined to create more secure keys. +default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed + +# Don't use SHA1 when signing keys, this includes self-certificates. This +# setting is separate from the settings above and needs to be explicitly set +# or SHA1 will be used! Thanks to [1]. +cert-digest-algo SHA512 # KEYSERVERS