1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
|
#
# ~/.gnupg/gpg.conf
# GnuPG configuration file
#
#
# Reference:
# [1] Github: ioerror/duraconf
# https://github.com/ioerror/duraconf/blob/master/configs/gnupg/gpg.conf
# [2] Riseup: OpenPGP Best Practices
# https://help.riseup.net/en/gpg-best-practices
# [3] Secure GnuPG configuration
# http://sparkslinux.wordpress.com/2013/07/09/secure-gnupg-configuration
#
# Aaron LI <aly@aaronly.me>
# 2014-06-12
# Updated: 2017-05-26
#
#-----------------------------
# default key
#-----------------------------
# The default key to sign with. If this option is not used, the default key is
# the first key found in the secret keyring
default-key 0xAC3464FADAAE632186099CA6240E2A635D72729A
#-----------------------------
# behavior
#-----------------------------
# Uncomment the following option to get rid of the copyright notice
no-greeting
# create ASCII armored output (default is binary OpenPGP format)
#armor
# If you do not use the Latin-1 (ISO-8859-1) charset, you should tell
# GnuPG which is the native character set. Please check the man page
# for supported character sets. This character set is only used for
# metadata and not for the actual message which does not undergo any
# translation. Note that future version of GnuPG will change to UTF-8
# as default character set.
charset utf-8
# Disable inclusion of the version string in ASCII armored output
no-emit-version
# Disable comment string in clear text signatures and ASCII armored messages
no-comments
# Display long key IDs
keyid-format 0xlong
# List all keys (or the specified ones) along with their fingerprints
with-fingerprint
# Also list the "keygrip", which is the ID used by `gpg-agent`.
# (GnuPG >=2.1)
with-keygrip
# Display the calculated validity of user IDs during key listings
list-options show-uid-validity
verify-options show-uid-validity
# Try to use the GnuPG-Agent. With this option, GnuPG first tries to connect to
# the agent before it asks for a passphrase.
use-agent
#-----------------------------
# keyserver
#-----------------------------
# This is the server that --recv-keys, --send-keys, and --search-keys will
# communicate with to receive keys from, send keys to, and search for keys on
keyserver hkp://pool.sks-keyservers.net
#keyserver hkps://hkps.pool.sks-keyservers.net
# Provide a certificate store to override the system default
# Get this from https://sks-keyservers.net/sks-keyservers.netCA.pem
# option 'ca-cert-file' is obsolete. (GnuPG >= 2.1)
#keyserver-options ca-cert-file=~/dotfiles/.gnupg/sks-keyservers.netCA.pem
# Set the proxy to use for HTTP and HKP keyservers - default to the standard
# local Tor socks proxy
# It is encouraged to use Tor for improved anonymity. Preferrably use either a
# dedicated SOCKSPort for GnuPG and/or enable IsolateDestPort and
# IsolateDestAddr
#keyserver-options http-proxy=socks5-hostname://127.0.0.1:9050
# Don't leak DNS, see https://trac.torproject.org/projects/tor/ticket/2846
# XXX: unknown to gnupg 2.1.7
#keyserver-options no-try-dns-srv
# When using --refresh-keys, if the key in question has a preferred keyserver
# URL, then disable use of that preferred keyserver to refresh the key from
keyserver-options no-honor-keyserver-url
# When searching for a key with --search-keys, include keys that are marked on
# the keyserver as revoked
keyserver-options include-revoked
# Automatic retrieve keys from a keyserver when verifying signatures made by
# keys that are not on the local keyring.
# NOTE: This option makes a "web bug" like behavior possible.
# Keyserver operators can see which keys you rquest, so by sending
# you a message signed by a brand new key (which you naturally will
# not have on your local keyring), the operator can tell both your
# IP address and the time when you verified the signature.
keyserver-options auto-key-retrieve
#-----------------------------
# algorithm and ciphers
#-----------------------------
# list of personal digest preferences. When multiple digests are supported by
# all recipients, choose the strongest one
#personal-cipher-preferences AES256 TWOFISH AES192 AES
personal-cipher-preferences AES256 AES192 AES CAST5
# list of personal digest preferences. When multiple ciphers are supported by
# all recipients, choose the strongest one
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
# list of personal compress preferences
personal-compress-preferences ZLIB BZIP2 ZIP
# message digest algorithm used when signing a key
cert-digest-algo SHA512
# This preference list is used for new keys and becomes the default for
# "setpref" in the edit menu
#default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 TWOFISH AES192 AES ZLIB BZIP2 ZIP Uncompressed
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
# vim: set ts=8 sw=4 tw=0 fenc=utf-8 ft=gpg: #
|