-# Use AES256, SHA256 and zlib when possible (when the receiver's key allows
-# it).
-personal-cipher-preferences AES256
-personal-digest-preferences SHA256
-personal-compress-preferences ZLIB
+# Use stronger preferences. These are not enforced, but tried in the given
+# order and the first supported by all recipients is used.
+#
+# Ciphers for encryption.
+personal-cipher-preferences AES256 AES192 AES CAST5
+# Don't use insecure hashes like SHA1 or MD5 and prefer stronger hashes.
+personal-digest-preferences SHA512 SHA384 SHA256 SHA224
+# Prefer better compression methods.
+personal-compress-preferences BZIP2 ZLIB ZIP Uncompressed
+
+# Default preferences when generating a new key. Use the three settings above
+# combined to create stronger keys.
+default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed
+
+# Don't use SHA1 when signing keys, this includes self-certificates. This
+# setting is separate from the settings above and needs to be explicitly set
+# or SHA1 will be used! Thanks to [1].
+cert-digest-algo SHA512
+
+
+# KEY PROTECTION
+
+# Mangle passphrases for private keys and symmetric encryption by applying a
+# hash function (s2k-digest-algo) with a salt s2k-count times (default).
+s2k-mode 3
+# Increase count. Takes ~0.5 seconds on my machine.
+s2k-count 3538944
+# Use SHA-512 as hash function. Takes a little longer than SHA-1, which is the
+# default.
+s2k-digest-algo SHA512