##NOTES##
#Read the Linux manuals and the GnuPG Options Index to understand these options, and apply judgement before changing them.
#Use the latest GnuPG command-line release as the default GPG application. Create backups before experimenting.
#
#Create the default directories and .conf files with --version, --gpgconf-test or --list-config.
#Find the reasons behind errors with --debug-all --debug-level guru.
#Always copy this .conf file and all other related files into the ~/.gnupg folder.
#Check results with --list-packets, --check-sigs, --list-keys, --list-chain (gpgsm), or use --dry-run.
#
#A list of cross-platform and widely-supported algorithms is on the GnuPG website. Only the most widely-supported algorithms are mentioned in this .conf file.
#Compiling GPG against a different or newer libgcrypt may expose additional algorithms from libgcrypt.
#
#Always run these commands, as the user who runs gpg (not through sudo), to ensure proper ownership and permissions on the GnuPG directory; otherwise GnuPG warns about "unsafe permissions on homedir":
#  chown -R "$USER:$(id -gn)" ~/.gnupg
#  chmod 700 ~/.gnupg
#  find ~/.gnupg -type f -exec chmod 600 {} +
#General Warning 1: Avoid metadata leaks.
#General Warning 2: Set the system time manually, use a tool that spoofs the system time, or use --faked-system-time before generating keys, so that the key creation timestamp does not reveal when the key was really made.
#General Warning 3: When generating keys, give the primary key the (C)ertify capability only, and give each subkey exactly one capability (E, S or A). Verify the layout with --list-keys (the usage letters) before using the key.
##ENCRYPTION PREFERENCES##
#The initial preferences and features are written into the key's self-signatures at generation time (change them later with setpref in --edit-key) and also apply to any subkeys added later, as long as these preferences are still set in this file.
#Recipients of the public key can see these preferences; they are part of the public key, not a secret.
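The layout demanded by General Warning 3 (certify-only primary, one capability per subkey) is easy to get wrong with interactive key generation, so here is a check for it. This is an added example, not part of the original gpg.conf: it parses the machine-readable listing that `gpg --list-keys --with-colons` produces (the capability letters are in the twelfth field of each pub/sub record); the two listings embedded below are constructed for the example and their key IDs and fingerprints are fake.

```python
"""Check a key against 'General Warning 3': the primary key is certify-only
and every subkey carries exactly one capability (e, s or a).

Added example, not part of the original gpg.conf.  Input is the output of
`gpg --list-keys --with-colons`; the samples below are constructed."""

import subprocess
import sys
from typing import List

# Constructed sample: a cert-only ed25519 primary with E, S and A subkeys.
GOOD_LISTING = """\
tru::1:1190648892:0:3:1:5
pub:u:255:22:0123456789ABCDEF:1190648892:::u:::cESCA:::::ed25519:::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1190648892::0123456789ABCDEF0123456789ABCDEF01234567::Alice <alice@example.org>::::::::::0:
sub:u:255:18:FEDCBA9876543210:1190648892:1222184892:::::e:::::cv25519::
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
sub:u:255:22:1122334455667788:1190648892:1222184892:::::s:::::ed25519::
fpr:::::::::1122334455667788112233445566778811223344:
sub:u:255:22:8877665544332211:1190648892:1222184892:::::a:::::ed25519::
fpr:::::::::8877665544332211887766554433221188776655:
"""

# Constructed sample of what the warning tells you to avoid: a primary that
# also signs, and a subkey that both encrypts and authenticates.
BAD_LISTING = """\
pub:u:4096:1:ABCDEF0123456789:1190648892:::u:::scESCA::::::::0:
fpr:::::::::ABCDEF0123456789ABCDEF0123456789ABCDEF01:
uid:u::::1190648892::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Bob <bob@example.org>::::::::::0:
sub:u:4096:1:9876543210FEDCBA:1190648892::::::ea::::::::
fpr:::::::::9876543210FEDCBA9876543210FEDCBA98765432:
"""

CAPS_FIELD = 11  # 0-based index of the "key capabilities" field (field 12 in the docs)


def key_caps(record: List[str]) -> str:
    """Own capabilities of one pub/sub record, as sorted lower-case letters.

    On a pub record the field also carries upper-case letters (usable
    capabilities of the whole key) and possibly 'D' for disabled; only the
    lower-case letters describe the primary key itself."""
    field = record[CAPS_FIELD] if len(record) > CAPS_FIELD else ""
    return "".join(sorted(c for c in field if c in "esca"))


def check_key_layout(listing: str) -> List[str]:
    """Return the policy violations found; an empty list means the layout is fine."""
    problems: List[str] = []
    primary = "?"
    for line in listing.splitlines():
        rec = line.split(":")
        if rec[0] == "pub":
            primary = rec[4]
            caps = key_caps(rec)
            if caps != "c":
                problems.append(f"primary {primary}: capabilities '{caps}', expected 'c' only")
        elif rec[0] == "sub":
            caps = key_caps(rec)
            if len(caps) != 1:
                problems.append(f"subkey {rec[4]} of {primary}: capabilities '{caps}', "
                                "expected exactly one of e/s/a")
    return problems


if __name__ == "__main__":
    # With a key ID argument, check a real key; otherwise check the constructed samples.
    if len(sys.argv) > 1:
        listing = subprocess.run(["gpg", "--list-keys", "--with-colons", sys.argv[1]],
                                 capture_output=True, text=True, check=True).stdout
        print("\n".join(check_key_layout(listing) or ["layout OK"]))
    else:
        for name, sample in (("good", GOOD_LISTING), ("bad", BAD_LISTING)):
            print(name, "->", check_key_layout(sample) or "layout OK")
```

Run it as `python3 check_layout.py 0xLONGKEYID` after generating a key; anything it prints is a capability the key should not have.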
#To keep only the feature flags and state no algorithm preferences:
#default-preference-list MDC NO-KS-MODIFY
#To remove all preferences and features from a key:
#default-preference-list NO-MDC KS-MODIFY
#For a realistic and compatibility-aware statement, most preferred first (OpenPGP treats 3DES, SHA1 and UNCOMPRESSED as implicitly present at the end of every preference list even when they are left out):
#default-preference-list AES256 CAMELLIA256 TWOFISH CAMELLIA192 AES192 CAMELLIA128 CAST5 IDEA AES128 3DES BLOWFISH SHA512 SHA384 SHA256 SHA224 RIPEMD160 SHA1 BZIP2 ZLIB ZIP UNCOMPRESSED MDC NO-KS-MODIFY
default-preference-list MDC NO-KS-MODIFY
#
#The hash algorithm used when certifying (key-signing) one's own keys and other people's keys.
cert-digest-algo SHA512
#
#Personal preferences that are reconciled with the recipients' preferences: GnuPG only selects an algorithm that is usable by all recipients, so these are safe to set.
personal-cipher-preferences AES256 CAMELLIA256 TWOFISH
personal-digest-preferences SHA512
personal-compress-preferences BZIP2 ZLIB ZIP UNCOMPRESSED
#
#Hard overrides that ignore the recipients' preferences and all other preferences in this file.
#Warning: the GnuPG manual states that forcing cipher-algo or digest-algo this way allows you to violate the OpenPGP standard, and a recipient whose implementation lacks the algorithm cannot decrypt or verify the result. Keep them active only when every correspondent is known to support the algorithm; rotating them "regularly" adds no security.
cipher-algo CAMELLIA256
s2k-cipher-algo CAMELLIA256
digest-algo SHA512
s2k-digest-algo SHA512
s2k-mode 3
#s2k-count must lie between 1024 and 65011712 (the one-octet OpenPGP encoding cannot represent anything larger, and values that are not exactly encodable are rounded up), so the maximum is stated explicitly instead of an unrepresentable number. In GnuPG 2.1 and later the s2k-* options only affect passphrase-based (--symmetric) encryption; the passphrase protection of secret keys is handled by gpg-agent.
s2k-count 65011712
#force-mdc is obsolete since GnuPG 2.2.8, where the MDC is always used; it stays here for older releases.
force-mdc
##COMPRESSION PREFERENCES##
#Hard overrides that ignore the recipients' compression preferences and all other preferences in this file; the same OpenPGP caveat as for cipher-algo applies.
#Compression happens before encryption, so the ciphertext length depends on how compressible the plaintext is; use compress-algo none when the size of the output must not reveal anything about the content.
compress-algo BZIP2
compress-level 9
bzip2-compress-level 9
##WEB OF TRUST##
#Settings for certifying (key-signing) other people's keys and for computing key validity from the web of trust.
trust-model pgp
#Certification level written into certifications I make on other keys: 0 makes no claim about how carefully the identity was checked. Use ask-cert-level to be prompted for each certification instead.
default-cert-level 0
#ask-cert-level
#Certifications below this level are treated as invalid when the trust database is built. The GnuPG default is 2, which disregards level 1 ("persona", no checking done) certifications; 1 is therefore looser than the default. Level 0 certifications are always accepted.
min-cert-level 1
#Number of fully trusted (completes) or marginally trusted (marginals) certifiers needed to make a key valid. The GnuPG defaults are 1 and 3; marginals-needed 2 is looser than the default.
completes-needed 1
marginals-needed 2
#Maximum depth of a certification chain (GnuPG default: 5).
max-cert-depth 5
#Signatures and certifications do not expire by default; these options prompt for an expiration time each time one is made. Uncomment the default-*-expire lines to set a fixed policy instead (0 means no expiration).
ask-cert-expire
ask-sig-expire
#default-sig-expire 0
#default-cert-expire 0
##METADATA REMOVAL##
#Do not place the GnuPG version string or any comments in your output; armored output otherwise carries a "Version:" header and a "Comment:" line. (Recent GnuPG releases already omit the version by default; the option guards against distribution defaults.)
no-emit-version
no-comments
#
#throw-keyids is essentially --hidden-recipient applied to every recipient at once: the recipient key ID in each public-key encrypted session key packet is replaced with zeros.
#This makes it harder, but not impossible, to identify the public key used for encryption: the packet still reveals the public-key algorithm, and the length of the encrypted session key reveals the key size. Check with --list-packets, which shows keyid 0000000000000000 for such packets. Changing the public key from time to time limits how much a long-term observer can correlate.
#throw-keyids has no effect on signatures; GnuPG always records the signing key ID in a standalone signature.
#Encrypt and sign in one operation so the signature packet is hidden inside the encrypted packet.
#When receiving a file without key IDs, name the secret key to use with --try-secret-key; otherwise GnuPG trial-decrypts with every available secret key, and gpg-agent may prompt for each passphrase.
throw-keyids
#
#for-your-eyes-only sets the "for your eyes only" flag: the recipient's GnuPG refuses to save the file unless --output is given, so the recipient has to pick an output filename. The option overrides --set-filename.
#Without for-your-eyes-only, use --set-filename fakeFilename.ext so the real filename is not embedded in the literal data packet.
for-your-eyes-only
no-use-embedded-filename
#
#ignore-time-conflict turns the plausibility checks on key and signature timestamps into warnings instead of errors, which is needed after manual time changes.
ignore-time-conflict
#Pass --faked-system-time 20070924T154812 (ISO time string, or seconds since 1970) on the command line when the GnuPG version allows it, or uncomment the line below. Change the value from time to time so that the fake timestamp itself does not become an identifier. The faked time is also written into every signature made while it is set; keep it later than the creation time of the signing key.
#faked-system-time 20070924T154812
##RUNTIME##
no-greeting
expert
interactive
enable-progress-filter
keyid-format 0xLONG
#--fingerprint is a command, not an option, and does not belong in gpg.conf; the options below add the fingerprint lines of keys and subkeys to every key listing instead.
with-fingerprint
with-subkey-fingerprint
#Each repetition of verbose raises the verbosity level.
verbose
verbose
verbose
verbose
verbose
verbose
verbose
verbose
verbose
verbose
#
#GnuPG 2.1 and later require gpg-agent for all secret-key operations, and recent gnome-keyring releases no longer ship a GPG agent, so agent-program must not be pointed at gnome-keyring-daemon. The line is kept only as a reminder of the option's syntax for old installations.
#agent-program gnome-keyring-daemon
#
#Cautiousness settings for when looking at or using keys.
#show-usage (GnuPG 2.1 and later) prints the capability letters of each key and subkey, which is how the layout required by General Warning 3 is verified.
list-options show-photos show-policy-urls show-notations show-std-notations show-user-notations show-keyserver-urls show-uid-validity show-unusable-uids show-unusable-subkeys show-keyring show-sig-expire show-sig-subpackets show-usage
#PKA support was removed in GnuPG 2.3; drop the pka options if the installed version rejects them.
verify-options show-photos show-policy-urls show-notations show-std-notations show-user-notations show-keyserver-urls show-uid-validity show-unusable-uids no-show-primary-uid-only no-pka-lookups no-pka-trust-increase
auto-check-trustdb
##KEYSERVERS##
#Only use keyservers from a system whose entire internet traffic goes through Onion Routing, because keyserver queries reveal who communicates with whom.
#Only use the trusted keyservers designated in this gpg.conf file.
#Switch to a completely new Onion Routing circuit before and after any communication with keyservers, such as refreshing, searching for, or retrieving keys.
#
#Keyservers used.
#Trusted keyserver for access from inside GnuPG: hkps://hkps.pool.sks-keyservers.net.
#Trusted keyserver for website access outside GnuPG: https://sks-keyservers.net.
#Trusted email-verified keyserver for manual key transfer through a website: https://keyserver.pgp.com.
#Note: the SKS keyserver pool (sks-keyservers.net) was shut down in 2021; its entries are kept as the pattern to follow for whichever keyserver replaces it.
#All keyserver certificates, including the websites' certificates, should be placed under ~/.gnupg/Keyservers_Certificates and used to verify the keyserver's authenticity on every connection.
#To activate the trusted keyserver, remove the two comment hashes below.
#In GnuPG 2.1 and later, keyserver connections are made by dirmngr: the ca-cert-file keyserver option has no function there, and the CA certificate is given with hkp-cacert in ~/.gnupg/dirmngr.conf instead.
#keyserver-options ca-cert-file=~/.gnupg/Keyservers_Certificates/sks-keyservers.netCA.pem
#keyserver hkps://hkps.pool.sks-keyservers.net
#
#Keyserver connection settings that help mitigate leakage threats when a connection to a keyserver is made.
#no-auto-key-locate, no-auto-key-retrieve, no-honor-keyserver-url and no-honor-pka-record are the settings that matter: they stop GnuPG from looking up keys on its own when encrypting or verifying, from refreshing a key from the keyserver URL embedded in that key, and from following PKA DNS records.
no-auto-key-locate
keyserver-options no-try-dns-srv no-auto-key-retrieve no-honor-keyserver-url no-honor-pka-record include-revoked include-disabled include-subkeys check-cert
#The keyserver-options verbose, check-cert and ca-cert-file are documented as having no function since GnuPG 2.1, and the other options written for the GnuPG 2.0 keyserver helper programs (try-dns-srv, timeout) belong to the same era; check the manual of the installed version. Connection settings for GnuPG 2.1 and later live in ~/.gnupg/dirmngr.conf.
keyserver-options verbose verbose verbose verbose verbose verbose verbose verbose verbose verbose
keyserver-options timeout 10
#
#To route keyserver traffic through an Onion Routing SOCKS5 proxy on port 9050, remove the comment hash below. Change the port number if needed.
#Warning: Onion Routing the whole OS is better. This setting overrides the http_proxy environment variable, if any. In GnuPG 2.1 and later, prefer use-tor (or http-proxy) in ~/.gnupg/dirmngr.conf, since dirmngr makes the connection.
#keyserver-options http-proxy=socks5h://127.0.0.1:9050
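The s2k-count limit stated in the ENCRYPTION PREFERENCES section comes from the one-octet coded count of OpenPGP's iterated-and-salted S2K (s2k-mode 3). The block below is an added example, not part of the original gpg.conf and not GnuPG's own code: it reimplements the encoding from RFC 4880 section 3.7.1.3 and the round-up rule that the gpg manual describes for s2k-count, and shows what a request such as the original 100000000 actually becomes.

```python
"""One-octet coded count of OpenPGP iterated-and-salted S2K (s2k-mode 3).

Added example, not part of the original gpg.conf and not GnuPG's code.
Encoding per RFC 4880 3.7.1.3: count = (16 + (c & 15)) << ((c >> 4) + 6),
so the representable range is 1024 (c = 0x00) .. 65011712 (c = 0xFF)."""

S2K_MIN = 1024       # coded octet 0x00
S2K_MAX = 65011712   # coded octet 0xFF


def decode_s2k_count(octet: int) -> int:
    """Expand a coded count octet into the number of bytes fed to the hash."""
    if not 0 <= octet <= 255:
        raise ValueError("coded count must fit in one octet")
    return (16 + (octet & 15)) << ((octet >> 4) + 6)


def encode_s2k_count(iterations: int) -> int:
    """Smallest coded octet whose count is >= the requested value, clamped to
    the representable range (the round-up behaviour the gpg manual describes)."""
    if iterations <= S2K_MIN:
        return 0
    if iterations >= S2K_MAX:
        return 255
    # decode_s2k_count is strictly increasing in the octet, so the first hit is the smallest.
    for octet in range(256):
        if decode_s2k_count(octet) >= iterations:
            return octet
    return 255  # not reachable: 0xFF decodes to S2K_MAX


def effective_s2k_count(requested: int) -> int:
    """The count that ends up in the packet for a given s2k-count setting."""
    return decode_s2k_count(encode_s2k_count(requested))


if __name__ == "__main__":
    for requested in (1024, 100000, 65011712, 100000000):
        octet = encode_s2k_count(requested)
        print(f"s2k-count {requested:>10} -> coded 0x{octet:02X} -> {decode_s2k_count(octet)} bytes hashed")
```

Running `gpg --list-packets` on a --symmetric file prints the decoded count of the S2K actually used, which is the number to compare against effective_s2k_count.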
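The METADATA REMOVAL section says throw-keyids makes the recipient key "difficult but not impossible" to identify. The added example below (not part of the original gpg.conf) shows exactly what stays visible by parsing the public-key encrypted session key packet (tag 1) that opens an encrypted message, following the layout in RFC 4880 sections 4.2 and 5.1. The two packets are constructed by hand for the example: the "encrypted session key" MPI is deterministic filler, not real ciphertext, and the key ID 0123456789ABCDEF is fake.

```python
"""Parse an OpenPGP public-key encrypted session key (PKESK, tag 1) packet to
show what throw-keyids hides (the key ID) and what it leaves visible
(public-key algorithm and, via the MPI length, the key size).

Added example, not part of the original gpg.conf.  The sample packets are
constructed here; the MPI content is filler, not real ciphertext."""

from typing import Dict

PK_ALGO_NAMES = {1: "RSA", 16: "ElGamal", 18: "ECDH"}  # OpenPGP public-key algorithm IDs


def build_pkesk(keyid: bytes, pk_algo: int, mpi_bits: int) -> bytes:
    """Constructed sample: new-format header, version 3 PKESK, one MPI of mpi_bits
    bits (mpi_bits must be a multiple of 8; the MPI value is filler)."""
    nbytes = mpi_bits // 8
    mpi = mpi_bits.to_bytes(2, "big") + b"\x80" + b"\x5A" * (nbytes - 1)  # top bit set
    body = b"\x03" + keyid + bytes([pk_algo]) + mpi
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        length = bytes([((n - 192) >> 8) + 192, (n - 192) & 0xFF])
    else:
        length = b"\xff" + n.to_bytes(4, "big")
    return bytes([0xC0 | 1]) + length + body


def parse_pkesk(packet: bytes) -> Dict[str, object]:
    """Decode the packet header (old or new format) and the PKESK fields."""
    tag_byte = packet[0]
    if not tag_byte & 0x80:
        raise ValueError("not an OpenPGP packet")
    if tag_byte & 0x40:                      # new-format header
        tag = tag_byte & 0x3F
        first = packet[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + packet[2] + 192, 3
        elif first == 255:
            length, off = int.from_bytes(packet[2:6], "big"), 6
        else:
            raise ValueError("partial body lengths not supported here")
    else:                                    # old-format header
        tag = (tag_byte >> 2) & 0x0F
        ltype = tag_byte & 3
        if ltype == 3:
            raise ValueError("indeterminate length not supported here")
        n = 1 << ltype
        length, off = int.from_bytes(packet[1:1 + n], "big"), 1 + n
    if tag != 1:
        raise ValueError(f"expected PKESK (tag 1), got tag {tag}")
    body = packet[off:off + length]
    keyid = body[1:9]
    pk_algo = body[9]
    return {
        "version": body[0],
        "keyid": keyid.hex().upper(),
        "keyid_thrown": keyid == bytes(8),          # all-zero key ID: throw-keyids was used
        "pk_algo": pk_algo,
        "pk_algo_name": PK_ALGO_NAMES.get(pk_algo, "unknown"),
        # first MPI's bit count; for RSA/ElGamal this equals the recipient's key size
        "session_key_mpi_bits": int.from_bytes(body[10:12], "big"),
    }


# Constructed samples: the same 2048-bit RSA recipient, with and without throw-keyids.
NORMAL_PKESK = build_pkesk(bytes.fromhex("0123456789ABCDEF"), 1, 2048)
THROWN_PKESK = build_pkesk(bytes(8), 1, 2048)

if __name__ == "__main__":
    for name, pkt in (("normal", NORMAL_PKESK), ("throw-keyids", THROWN_PKESK)):
        print(name, parse_pkesk(pkt))
```

Against a real file, `gpg --list-packets message.gpg` shows the same fields; with throw-keyids the key ID line reads 0000000000000000 while the algorithm and key size remain in the output, which is why the option narrows the candidate keys rather than hiding them.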