{{tag>GPG}}
= GPG - Config
See:
* https://ungeek.fr/gpg-et-le-chiffrement-pour-tous/
* https://www.gnupg.org/gph/fr/manual.html
* https://mbourgeois.developpez.com/articles/securite/pgp/
* https://docs.abuledu.org/abuledu/mainteneur/creer_une_cle_gpg
See the security flaws of older versions:
* https://security-tracker.debian.org/tracker/source-package/gnupg2
== GPG config file
See:
* https://github.com/drduh/YubiKey-Guide
* https://raw.githubusercontent.com/drduh/config/master/gpg.conf
''~/.gnupg/gpg.conf''
### DISPLAY
# Suppress the initial copyright message
no-greeting
# Short key IDs are trivial to spoof and collisions on long (16-character) key IDs
# are easy to create; if you want strong key identifiers, always look at the
# fingerprint: both short and long key IDs are insecure
# keyid-format 0xlong
keyid-format none
# use full fingerprint instead
with-subkey-fingerprint
with-fingerprint
# when outputting certificates, view user IDs distinctly from keys:
#fixed-list-mode
# Display validity of UIDs when verifying signatures.
list-options show-uid-validity
verify-options show-uid-validity
### EXPORT
# Do not include your GPG version as a comment in your files: prevent the
# version string from appearing in your signatures/public keys
no-emit-version
# When exporting a key, drop all signatures except the most recent
# self-signatures (smallest possible export)
export-options export-minimal
### PREFERENCES & CIPHERS
# http://www.gnupg.org/faq/gnupg-faq.html
# remove 3DES and prefer AES256
personal-cipher-preferences AES256 AES192 AES CAST5
# personal-cipher-preferences TWOFISH CAMELLIA256 AES256
# applies to signing and encrypting, not to key creation: gpg uses the first
# algorithm in this list that the recipient's key also supports
# remove SHA-1 and prefer SHA-512
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
# Prefer better compression methods.
personal-compress-preferences BZIP2 ZLIB ZIP Uncompressed
# remove SHA-1 and 3DES from cipher preferences of newly created key
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed
# use SHA-512 when signing a key
cert-digest-algo SHA512
# reject SHA-1 signature
weak-digest SHA1
# never allow use 3DES
disable-cipher-algo 3DES
### KEYSERVERS
# Use hkps, or hkp over Tor
#keyserver hkp://keys.gnupg.net
#keyserver hkps://hkps.pool.sks-keyservers.net
#keyserver hkp://jirk5u4osbsr34t5.onion
# Don't use the preferred keyserver of the key, but our keyserver pool
# instead. This way we won't use any broken keyservers like pgp.mit.edu
# specified by the key.
keyserver-options no-honor-keyserver-url
### SYMMETRIC ENCRYPTION
# use AES256 for symmetric encryption
s2k-cipher-algo AES256
# use SHA-512 as the string-to-key hash for symmetric encryption
s2k-digest-algo SHA512
# Mangle passphrases by applying a hash function (s2k-digest-algo) with a salt
# s2k-count times (iterated and salted, the default mode). With GnuPG 2.1 and
# later, private keys are protected by gpg-agent, so these s2k options only
# affect symmetric encryption done by gpg itself.
s2k-mode 3
# mangle the passphrase as many times as possible (maximum s2k-count)
s2k-count 65011712
### OTHERS
# If you have more than one secret key in your keyring, you may want to
# uncomment the following option and set your preferred key ID.
#default-key 621CC013
# Hide the recipient key IDs in encrypted files (they are replaced by zeros) so
# that the recipients cannot be learned by traffic analysis; each recipient
# must then try all of their secret keys to decrypt.
throw-keyids
# When verifying a signature made from a subkey, ensure that the cross
# certification "back signature" on the subkey is present and valid.
# This protects against a subtle attack against subkeys that can sign.
# Defaults to --no-require-cross-certification. However for new
# installations it should be enabled.
require-cross-certification
# vim: ft=gpg
Validate the syntax of the config file (a bad option is reported as ''gpg.conf:<line>: invalid option'' before the warning below; ''gpg --gpgconf-test'' runs the same parse check without reading stdin):
echo | gpg
gpg: WARNING: no command supplied. Trying to guess what you mean ...
gpg: [don't know]: invalid packet (ctb=0a)
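To check a gpg.conf against the hardening choices made in the file above, here is an added audit script (not part of the original page or of GnuPG). The option names and values it checks are the ones used above; the sample config it runs on is constructed.

```python
"""Audit a gpg.conf text against the hardening choices made in the file above."""
MIN_S2K_COUNT = 65011712              # the s2k-count value chosen above
WEAK_ALGOS = {"SHA1", "3DES", "MD5"}  # SHA-1 and 3DES are removed above; MD5 is weaker still


def parse_gpg_conf(text):
    """Map option -> list of values; only a line starting with '#' is a comment (not mid-line)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        opts.setdefault(name.lower(), []).append(value.strip())
    return opts


def audit_gpg_conf(text):
    """Return a list of findings; an empty list means the file matches the profile above."""
    opts = parse_gpg_conf(text)
    findings = []
    if opts.get("keyid-format", [""])[-1].lower() != "none":
        findings.append("keyid-format: set it to none and rely on fingerprints")
    for req in ("with-fingerprint", "no-emit-version", "require-cross-certification",
                "throw-keyids"):
        if req not in opts:
            findings.append(f"{req}: missing")
    if "SHA1" not in {v.upper() for v in opts.get("weak-digest", [])}:
        findings.append("weak-digest SHA1: missing, SHA-1 signatures are still accepted")
    if "3DES" not in {v.upper() for v in opts.get("disable-cipher-algo", [])}:
        findings.append("disable-cipher-algo 3DES: missing")
    for pref in ("personal-cipher-preferences", "personal-digest-preferences",
                 "default-preference-list"):
        weak = WEAK_ALGOS & {a.upper() for v in opts.get(pref, []) for a in v.split()}
        if weak:
            findings.append(f"{pref}: contains {', '.join(sorted(weak))}")
    count = opts.get("s2k-count", ["0"])[-1]
    if not count.isdigit() or int(count) < MIN_S2K_COUNT:
        findings.append(f"s2k-count: {count} is below {MIN_S2K_COUNT}")
    for url in opts.get("keyserver", []):
        if url.startswith("hkp://") and not url.rstrip("/").endswith(".onion"):
            findings.append(f"keyserver {url}: plaintext hkp, use hkps or Tor")
    return findings


# Constructed sample: an older-style gpg.conf with several of the weaknesses above.
WEAK_CONF = """\
keyid-format short
personal-digest-preferences SHA512 SHA1
s2k-count 65536
keyserver hkp://keys.gnupg.net
"""
```

Run ''audit_gpg_conf(open("~/.gnupg/gpg.conf").read())'' (after expanding the path) to list what still differs from the profile above.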
== GPG agent config
Change the pinentry program (curses instead of tty):
''~/.gnupg/gpg-agent.conf''
# pinentry-program /usr/bin/pinentry-tty
pinentry-program /usr/bin/pinentry-curses
Reload the configuration:
gpg-connect-agent reloadagent /bye