X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=gnupg%2Fgpg.conf;h=2cbec146950ffaa25a7bad98e7af1159f8e2abe2;hb=bf502c718806d7711c584078648803affa67e127;hp=d10858f71bbe5e5ba285c0803e3ddffa89bf55ff;hpb=0cb426a3bbc2c2722271a2c33821afecefe58c7a;p=config%2Fdotfiles.git

diff --git a/gnupg/gpg.conf b/gnupg/gpg.conf
index d10858f..2cbec14 100644
--- a/gnupg/gpg.conf
+++ b/gnupg/gpg.conf
@@ -1,6 +1,10 @@
 # Configuration file for GnuPG.
+#
+# Thanks to [1] for some hints to generate stronger keys (read on 2013-04-04).
+#
+# [1]: https://we.riseup.net/riseuplabs+paow/openpgp-best-practices
 
-# Copyright (C) 2009-2012  Simon Ruderich
+# Copyright (C) 2009-2013  Simon Ruderich
 #
 # This file is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -21,14 +25,42 @@
 # Don't display the copyright notice.
 no-greeting
 
+# Use long keyids because the short ones have collisions.
+keyid-format 0xlong
+
 
 # KEY GENERATION
 
-# Use AES256, SHA256 and zlib when possible (when the receiver's key allows
-# it).
-personal-cipher-preferences AES256
-personal-digest-preferences SHA256
-personal-compress-preferences ZLIB
+# Use stronger preferences. These are not enforced, but tried in the given
+# order and the first supported by all recipients is used.
+#
+# Ciphers for encryption.
+personal-cipher-preferences AES256 AES192 AES CAST5
+# Don't use insecure hashes like SHA1 or MD5 and prefer stronger hashes.
+personal-digest-preferences SHA512 SHA384 SHA256 SHA224
+# Prefer better compression methods.
+personal-compress-preferences BZIP2 ZLIB ZIP Uncompressed
+
+# Default preferences when generating a new key. Use the three settings above
+# combined to create stronger keys.
+default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed
+
+# Don't use SHA1 when signing keys, this includes self-certificates. This
+# setting is separate from the settings above and needs to be explicitly set
+# or SHA1 will be used! Thanks to [1].
+cert-digest-algo SHA512
+
+
+# KEY PROTECTION
+
+# Mangle passphrases for private keys and symmetric encryption by applying a
+# hash function (s2k-digest-algo) with a salt s2k-count times (default).
+s2k-mode 3
+# Increase count. Takes ~0.5 seconds on my machine.
+s2k-count 3538944
+# Use SHA-512 as hash function. Takes a little longer than SHA-1, which is the
+# default.
+s2k-digest-algo SHA512
 
 
 # KEYSERVERS
@@ -36,10 +68,15 @@ personal-compress-preferences ZLIB
 # Use the given keyserver.
 keyserver hkp://pool.sks-keyservers.net
 
+# Don't use the preferred keyserver of the key, but our keyserver pool
+# instead. This way we won't use any broken keyservers like pgp.mit.edu
+# specified by the key.
+keyserver-options no-honor-keyserver-url
+
 
 # MY KEYS
 
 # Use my newest key as default key.
-default-key 0xE44C32F9
+default-key 0x92FEFDB7E44C32F9
 
 # vim: ft=gpg