Permalink
c00d919 Mar 11, 2014
@adrelanos @ioerror
92 lines (66 sloc) 3.77 KB
## gpg.conf optimized for privacy 0.2
## homepage:
## https://github.com/ioerror/torbirdy/pull/11
## source:
## https://github.com/ioerror/torbirdy/blob/master/gpg.conf
##################################################################
## BEGIN some suggestions from TorBirdy setting extensions.enigmail.agentAdditionalParam
## Don't disclose the version
no-emit-version
## Don't add additional comments (may leak language, etc)
no-comments
## We want to force UTF-8 everywhere
display-charset utf-8
## Proxy settings
keyserver-options http-proxy=socks5://TORIP:TORPORT
keyserver hkp://qdigse2yzvuglcix.onion
## END some suggestions from TorBirdy TorBirdy setting extensions.enigmail.agentAdditionalParam
##################################################################
##################################################################
## BEGIN Some suggestions from Debian http://keyring.debian.org/creating-key.html
personal-digest-preferences SHA512
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
## END Some suggestions from Debian http://keyring.debian.org/creating-key.html
##################################################################
##################################################################
## BEGIN Some suggestions added from riseup https://we.riseup.net/riseuplabs+paow/openpgp-best-practices
## When creating a key, individuals may designate a specific keyserver to use to pull their keys from.
## The above option will disregard this designation and use the pool, which is useful because (1) it
## prevents someone from designating an insecure method for pulling their key and (2) if the server
## designated uses hkps, the refresh will fail because the ca-cert will not match, so the keys will
## never be refreshed.
keyserver-options no-honor-keyserver-url
## when outputting certificates, view user IDs distinctly from keys:
fixed-list-mode
## long keyids are more collision-resistant than short keyids (it's trivial to make a key with any desired short keyid)
keyid-format 0xlong
## when multiple digests are supported by all recipients, choose the strongest one:
## already defined above
#personal-digest-preferences SHA512 SHA384 SHA256 SHA224
## preferences chosen for new keys should prioritize stronger algorithms:
## already defined above
#default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed
## If you use a graphical environment (and even if you don't) you should be using an agent:
## (similar arguments as https://www.debian-administration.org/users/dkg/weblog/64)
use-agent
## You should always know at a glance which User IDs gpg thinks are legitimately bound to the keys in your keyring:
verify-options show-uid-validity
list-options show-uid-validity
## include an unambiguous indicator of which key made a signature:
## (see http://thread.gmane.org/gmane.mail.notmuch.general/3721/focus=7234)
sig-notation issuer-fpr@notations.openpgp.fifthhorseman.net=%g
## when making an OpenPGP certification, use a stronger digest than the default SHA1:
## already defined above
#cert-digest-algo SHA256
## END Some suggestions added from riseup https://we.riseup.net/riseuplabs+paow/openpgp-best-practices
##################################################################
##################################################################
## BEGIN Some suggestions from TorBirdy opt-in's
## Up to you whether you in comment it (remove the single # in front of
## it) or not. Disabled by default, because it causes too much complaints and
## confusion.
## Don't include keyids that may disclose the sender or any other non-obvious keyids
#throw-keyids
## END Some suggestions from TorBirdy opt-in's
##################################################################