# Configuration file for GnuPG.
+#
+# Thanks to [1] for some hints to generate stronger keys (read on 2013-04-04).
+#
+# [1]: https://we.riseup.net/riseuplabs+paow/openpgp-best-practices
-# Copyright (C) 2009-2012 Simon Ruderich
+# Copyright (C) 2009-2013 Simon Ruderich
#
# This file is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# along with this file. If not, see <http://www.gnu.org/licenses/>.
+# DISPLAY
+
# Don't display the copyright notice.
no-greeting
-# Use my newest key as default key.
-default-key 0xE44C32F9
+# Use long keyids because the short ones have collisions.
+keyid-format 0xlong
+
+
+# KEY GENERATION
+
+# Use stronger preferences. These are not enforced, but tried in the given
+# order and the first supported by all recipients is used.
+#
+# Ciphers for encryption.
+personal-cipher-preferences AES256 AES192 AES CAST5
+# Don't use insecure hashes like SHA1 or MD5 and prefer stronger hashes.
+personal-digest-preferences SHA512 SHA384 SHA256 SHA224
+# Prefer better compression methods.
+personal-compress-preferences BZIP2 ZLIB ZIP Uncompressed
+
+# Default preferences when generating a new key. Use the three settings above
+# combined to create stronger keys.
+default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed
+
+# Don't use SHA1 when signing keys, this includes self-certificates. This
+# setting is separate from the settings above and needs to be explicitly set
+# or SHA1 will be used! Thanks to [1].
+cert-digest-algo SHA512
+
+
+# KEY PROTECTION
+
+# Mangle passphrases for private keys and symmetric encryption by applying a
+# hash function (s2k-digest-algo) with a salt s2k-count times (default).
+s2k-mode 3
+# Increase count. Takes ~0.5 seconds on my machine.
+s2k-count 3538944
+# Use SHA-512 as hash function. Takes a little longer than SHA-1, which is the
+# default.
+s2k-digest-algo SHA512
+
+
+# KEYSERVERS
# Use the given keyserver.
keyserver hkp://pool.sks-keyservers.net
-# Use AES256, SHA256 and zlib when possible (when the receiver's key allows
-# it).
-personal-cipher-preferences AES256
-personal-digest-preferences SHA256
-personal-compress-preferences ZLIB
+# Don't use the preferred keyserver of the key, but our keyserver pool
+# instead. This way we won't use any broken keyservers like pgp.mit.edu
+# specified by the key.
+keyserver-options no-honor-keyserver-url
+
+
+# MY KEYS
+
+# Use my newest key as default key.
+default-key 0x92FEFDB7E44C32F9
+
+# vim: ft=gpg