
This is an old revision of the document!


GPG - Config

GPG configuration file

See:

~/.gnupg/gpg.conf
### DISPLAY

# Suppress the initial copyright message
no-greeting

# Short key IDs are trivial to spoof; it is easy to create a collision on
# long key IDs (16 characters); if you want strong key identifiers, you
# will always want to see the fingerprint
# both short and long key IDs are insecure
# keyid-format 0xlong
keyid-format none

# use full fingerprint instead
with-subkey-fingerprint
with-fingerprint

# when outputting certificates, view user IDs distinctly from keys:
#fixed-list-mode


# Display validity of UIDs when verifying signatures.
list-options   show-uid-validity
verify-options show-uid-validity



### EXPORT

# Do not include your GPG version as a comment in your files
# prevent version string from appearing in your signatures/public keys
no-emit-version

# When exporting a key, exclude signatures by default
export-options export-minimal



### PREFERENCES & CIPHERS

# http://www.gnupg.org/faq/gnupg-faq.html 
# remove 3DES and prefer AES256
personal-cipher-preferences AES256 AES192 AES CAST5
# personal-cipher-preferences TWOFISH CAMELLIA256 AES256

# Used when signing and encrypting, not when creating keys: the most
# preferred algorithm that the recipient also supports is chosen.
# remove SHA-1 and prefer SHA-512
personal-digest-preferences SHA512 SHA384 SHA256 SHA224

# Prefer better compression methods.
personal-compress-preferences BZIP2 ZLIB ZIP Uncompressed

# remove SHA-1 and 3DES from cipher preferences of newly created key
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed

# use SHA-512 when signing a key
cert-digest-algo SHA512

# override recipient key digest preferences
# remove SHA-1 and prefer SHA-512
personal-digest-preferences SHA512 SHA384 SHA256 SHA224

# reject SHA-1 signature
weak-digest SHA1

# never allow the use of 3DES
disable-cipher-algo 3DES



### KEYSERVERS

# Use hkps, or go through Tor
#keyserver hkp://keys.gnupg.net
#keyserver hkps://hkps.pool.sks-keyservers.net
#keyserver hkp://jirk5u4osbsr34t5.onion

# Don't use the preferred keyserver of the key, but our keyserver pool
# instead. This way we won't use any broken keyservers like pgp.mit.edu
# specified by the key.
keyserver-options no-honor-keyserver-url



### SYMMETRIC ENCRYPTION

# use AES256 for symmetric encryption
s2k-cipher-algo AES256

# use SHA-512 for symmetric encryption
s2k-digest-algo SHA512

# Mangle passphrases for private keys and symmetric encryption by applying a
# hash function (s2k-digest-algo) with a salt s2k-count times (default).
s2k-mode 3

# mangle the passphrase as many times as possible for symmetric encryption
s2k-count 65011712



### OTHERS

# If you have more than 1 secret key in your keyring, you may want to
# uncomment the following option and set your preferred keyid.

#default-key 621CC013

# Encrypt files without recipient key IDs, to hinder traffic analysis
throw-keyids


# When verifying a signature made from a subkey, ensure that the cross
# certification "back signature" on the subkey is present and valid.
# This protects against a subtle attack against subkeys that can sign.
# Defaults to --no-require-cross-certification.  However for new
# installations it should be enabled.
require-cross-certification

# vim: ft=gpg
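
The `s2k-mode 3` / `s2k-count 65011712` settings above, worked through as an added example (not part of the original page and not GnuPG's code): a standard-library implementation of the iterated and salted S2K from RFC 4880, section 3.7.1.3. It shows why 65011712 is the ceiling (the count is stored in a single coded octet) and that the count is a number of octets fed to the hash. The function names and the sample passphrase are assumptions made for illustration.

```python
# Added example: RFC 4880 iterated+salted S2K (s2k-mode 3), stdlib only.
import hashlib

def decode_count(c: int) -> int:
    """Expand the one-octet coded count stored in the S2K specifier."""
    return (16 + (c & 15)) << ((c >> 4) + 6)

def encode_count(count: int) -> int:
    """Smallest coded octet whose decoded value is >= count (rounds up)."""
    for c in range(256):
        if decode_count(c) >= count:
            return c
    return 255  # requests above the maximum are clamped

def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded: int,
                        digest: str = "sha512", key_len: int = 32) -> bytes:
    """Derive key_len octets (32 = AES256) from a passphrase and 8-octet salt."""
    if len(salt) != 8:
        raise ValueError("RFC 4880 S2K salt is exactly 8 octets")
    block = salt + passphrase
    # The count is octets to hash, not rounds; salt+passphrase is always
    # hashed at least once in full, even if it is longer than the count.
    total = max(decode_count(coded), len(block))
    reps, tail = divmod(total, len(block))
    full, rest = divmod(reps, 4096)
    chunk = block * 4096                  # feed the hash in large pieces
    key, ctx_no = b"", 0
    while len(key) < key_len:
        h = hashlib.new(digest)
        h.update(b"\x00" * ctx_no)        # extra contexts are preloaded with zeros
        for _ in range(full):
            h.update(chunk)
        h.update(block * rest + block[:tail])
        key += h.digest()
        ctx_no += 1
    return key[:key_len]

if __name__ == "__main__":
    c = encode_count(65011712)            # value used in the gpg.conf above
    # Constructed sample input: an all-zero salt and a made-up passphrase.
    key = s2k_iterated_salted(b"constructed passphrase", bytes(8), c)
    print(c, decode_count(c), key.hex())
```

Any `s2k-count` that is not exactly representable is rounded up to the next coded value, so the effective work factor can be slightly higher than the number written in the configuration.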

Validate the configuration file syntax

echo | gpg
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
gpg: [don't know]: invalid packet (ctb=0a)

GPG agent configuration

Change the pinentry

~/.gnupg/gpg-agent.conf
# pinentry-program /usr/bin/pinentry-tty
pinentry-program /usr/bin/pinentry-curses

Reload configuration

gpg-connect-agent reloadagent /bye