On Sat, Dec 14, 2019 at 11:18:32PM +0100, Defiant wrote:
Hey, I recall back in the days there were lots of online tutorials about how to strengthen your GnuPG configuration.
I don’t know which tutorials exactly you’re referring to, but I have seen several of them myself, and I have always had the feeling that they were written by people who couldn’t be bothered to check what GnuPG’s default configuration actually is before deciding it needed to be ”strengthened”…
no-emit-version no-comments
Not needed, those are the defaults.
export-options export-minimal
That’s up to you. Note, this does not actually “strengthen” anything.
keyid-format 0xlong with-fingerprint
For information, the default is not to display any key ID (either short or long) but to display the full fingerprint instead (which makes displaying the key ID quite irrelevant).
Setting keyid-format to either “short” or “long” however has the effect of forcing GnuPG to display the key ID of *subkeys*, so if that’s something you need, you may keep that line.
list-options show-uid-validity verify-options show-uid-validity
Already enabled by default.
personal-cipher-preferences AES256
The default is AES256, AES192, AES128, 3DES. Note that you cannot remove 3DES which is mandatory as per the RFC 4880 (that’s the only algorithm which is guaranteed to be supported by any compliant OpenPGP implementation): even if you do not include it, GnuPG will silently add it back.
By removing AES192 and AES128, you’re actually increasing the risk that GnuPG will have to fallback to 3DES if AES256 is not supported by the other party. I don’t think this is what you want.
personal-digest-preferences SHA512
The default is SHA256, SHA384, SHA512, SHA-224, SHA1, with SHA1 being mandatory. Same problem as above: by limiting GnuPG’s options, you are increasing the risk of having to fallback to SHA1.
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES TWOFISH ZLIB BZIP2 ZIP Uncompressed
This is almost exactly the default list, except that the default list does not include TWOFISH.
cipher-algo AES256 digest-algo SHA512 cert-digest-algo SHA512 compress-algo ZLIB
You are basically bypassing the whole preference-based mechanism used to select algorithms compatible with your recipients’ implementation. Almost certainly a bad idea unless you are operating in a context where you know you don’t need to care about interoperability (e.g. if you are only encrypting files for yourself).
disable-cipher-algo 3DES IDEA CAST5 Blowfish weak-digest SHA1
3DES and SHA1 are mandatory as said above. The other algorithms are already not used by default.
s2k-cipher-algo AES256 s2k-digest-algo SHA512 s2k-mode 3 s2k-count 65011712
The default S2K mode is already 3 (iter+salt). As for the S2K count, for information the default is a value automatically determined by GPG Agent so that, on your computer, running the S2K algorithm will take ~100ms.
Overall I’d say most of your configuration is either uneeded or even counterproductive. I’ll quote GnuPG’s FAQ [1]:
Does GnuPG need to be ‘tuned’ before use? No. GnuPG has sensible defaults right out of the box.
Cheers, - Damien [1] https://gnupg.org/faq/gnupg-faq.html#tuning
signature.asc
Description: PGP signature
_______________________________________________ Gnupg-users mailing list Gnupg-users@gnupg.org http://lists.gnupg.org/mailman/listinfo/gnupg-users
