# Configuration file for GnuPG.
#
-# Thanks to [1] for some hints to generate more secure keys (read on
-# 2013-04-04).
+# Thanks to [1] for some hints to generate stronger keys (read on 2013-04-04).
#
# [1]: https://we.riseup.net/riseuplabs+paow/openpgp-best-practices
# KEY GENERATION
-# Use more secure preferences. These are not enforced, but tried in the given
+# Use stronger preferences. These are not enforced, but tried in the given
# order and the first supported by all recipients is used.
#
# Ciphers for encryption.
personal-compress-preferences BZIP2 ZLIB ZIP Uncompressed
# Default preferences when generating a new key. Use the three settings above
-# combined to create more secure keys.
+# combined to create stronger keys.
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed
# Don't use SHA1 when signing keys, this includes self-certificates. This
cert-digest-algo SHA512
+# KEY PROTECTION
+
+# Mangle passphrases for private keys and symmetric encryption by applying a
+# hash function (s2k-digest-algo) with a salt s2k-count times (default).
+s2k-mode 3
+# Increase count. Takes ~0.5 seconds on my machine.
+s2k-count 3538944
+# Use SHA-512 as hash function. Takes a little longer than SHA-1, which is the
+# default.
+s2k-digest-algo SHA512
+
+
# KEYSERVERS
# Use the given keyserver.
keyserver hkp://pool.sks-keyservers.net
+# Don't use the preferred keyserver of the key, but our keyserver pool
+# instead. This way we won't use any broken keyservers like pgp.mit.edu
+# specified by the key.
+keyserver-options no-honor-keyserver-url
+
# MY KEYS