X-Git-Url: https://ruderich.org/simon/gitweb/?a=blobdiff_plain;f=gnupg%2Fgpg.conf;h=2cbec146950ffaa25a7bad98e7af1159f8e2abe2;hb=e11c5b6b77b49c85b7c4070619e3987ba152f1c3;hp=0b1f73cec91904392629bee876d41a1d285ed5ef;hpb=37385b59875b18cef6f24e7ede0c92a24b22042a;p=config%2Fdotfiles.git

diff --git a/gnupg/gpg.conf b/gnupg/gpg.conf
index 0b1f73c..2cbec14 100644
--- a/gnupg/gpg.conf
+++ b/gnupg/gpg.conf
@@ -1,7 +1,6 @@
 # Configuration file for GnuPG.
 #
-# Thanks to [1] for some hints to generate more secure keys (read on
-# 2013-04-04).
+# Thanks to [1] for some hints to generate stronger keys (read on 2013-04-04).
 #
 # [1]: https://we.riseup.net/riseuplabs+paow/openpgp-best-practices
 
@@ -32,7 +31,7 @@ keyid-format 0xlong
 
 # KEY GENERATION
 
-# Use more secure preferences. These are not enforced, but tried in the given
+# Use stronger preferences. These are not enforced, but tried in the given
 # order and the first supported by all recipients is used.
 #
 # Ciphers for encryption.
@@ -43,7 +42,7 @@ personal-digest-preferences SHA512 SHA384 SHA256 SHA224
 personal-compress-preferences BZIP2 ZLIB ZIP Uncompressed
 
 # Default preferences when generating a new key. Use the three settings above
-# combined to create more secure keys.
+# combined to create stronger keys.
 default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed
 
 # Don't use SHA1 when signing keys, this includes self-certificates. This
@@ -52,11 +51,28 @@ default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP
 cert-digest-algo SHA512
 
 
+# KEY PROTECTION
+
+# Mangle passphrases for private keys and symmetric encryption by applying a
+# hash function (s2k-digest-algo) with a salt s2k-count times (default).
+s2k-mode 3
+# Increase count. Takes ~0.5 seconds on my machine.
+s2k-count 3538944
+# Use SHA-512 as hash function. Takes a little longer than SHA-1, which is the
+# default.
+s2k-digest-algo SHA512
+
+
 # KEYSERVERS
 
 # Use the given keyserver.
 keyserver hkp://pool.sks-keyservers.net
 
+# Don't use the preferred keyserver of the key, but our keyserver pool
+# instead. This way we won't use any broken keyservers like pgp.mit.edu
+# specified by the key.
+keyserver-options no-honor-keyserver-url
+
 
 # MY KEYS