From cf7c3fc7c0313a23729011395445f8af15db0fed Mon Sep 17 00:00:00 2001
From: Simon Ruderich
Date: Thu, 4 Apr 2013 02:56:19 +0200
Subject: [PATCH] gnupg/gpg.conf: Use more secure key preferences.

---
 gnupg/gpg.conf | 28 +++++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)

diff --git a/gnupg/gpg.conf b/gnupg/gpg.conf
index d10858f..8c115f7 100644
--- a/gnupg/gpg.conf
+++ b/gnupg/gpg.conf
@@ -1,4 +1,9 @@
 # Configuration file for GnuPG.
+#
+# Thanks to [1] for some hints to generate more secure keys (read on
+# 2013-04-04).
+#
+# [1]: https://we.riseup.net/riseuplabs+paow/openpgp-best-practices
 # Copyright (C) 2009-2012 Simon Ruderich
 #
@@ -24,11 +29,24 @@ no-greeting
 # KEY GENERATION
-# Use AES256, SHA256 and zlib when possible (when the receiver's key allows
-# it).
-personal-cipher-preferences AES256
-personal-digest-preferences SHA256
-personal-compress-preferences ZLIB
+# Use more secure preferences. These are not enforced, but tried in the given
+# order and the first supported by all recipients is used.
+#
+# Ciphers for encryption.
+personal-cipher-preferences AES256 AES192 AES CAST5
+# Don't use insecure hashes like SHA1 or MD5 and prefer stronger hashes.
+personal-digest-preferences SHA512 SHA384 SHA256 SHA224
+# Prefer better compression methods.
+personal-compress-preferences BZIP2 ZLIB ZIP Uncompressed
+
+# Default preferences when generating a new key. Use the three settings above
+# combined to create more secure keys.
+default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed
+
+# Don't use SHA1 when signing keys, this includes self-certificates. This
+# setting is separate from the settings above and needs to be explicitly set
+# or SHA1 will be used! Thanks to [1].
+cert-digest-algo SHA512
 # KEYSERVERS
-- 
2.45.2
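Review bot: The comment above `personal-digest-preferences` in the second hunk says SHA1 won't be used, but OpenPGP's mandatory algorithms (SHA1 for digests, 3DES for ciphers) are implicitly appended to the end of every preference list, including `default-preference-list`, so these lines only lower their priority and a recipient key that lists nothing stronger can still select them. I'd reword it to `# Prefer stronger hashes; SHA1 is still implicitly last in every list (mandatory in OpenPGP), so this only deprioritizes it.` so the next reader does not assume SHA1 is excluded. `cert-digest-algo SHA512` is the one setting here that actually forces an algorithm, and it covers only certifications; the protection of the secret key itself (the s2k cipher/digest settings) is not touched by this change and keeps GnuPG's defaults, which I believe were still SHA1-based at the time, so it may deserve the same treatment in a follow-up. The first hunk is comment-only and needs nothing.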