My GnuPG setup
I am a daily user of GnuPG. This software is powerful but complex, so here is how I configured it on my laptops. This post is not about how I generate or manage my keys, as that greatly depends on operational needs, threat models and personal choices.
My gpg.conf
# Use safer ciphers first and AES256 as a default
personal-cipher-preferences aes256 aes192 twofish aes
# For a more restrictive enforcement, use `cipher-algo`
# Use AES256 for s2k
s2k-cipher-algo aes256
# Disable unsafe (64-bit block) ciphers; disable-cipher-algo takes one name per line
disable-cipher-algo idea
disable-cipher-algo 3des
disable-cipher-algo cast5
disable-cipher-algo blowfish
# Use safer hash algorithms first
personal-digest-preferences sha512 sha384 sha256
# For a more restrictive enforcement, use `digest-algo`
# Use sha512 for s2k
s2k-digest-algo sha512
# Use sha512 to sign keys
cert-digest-algo sha512
# Use 64-bit key IDs
keyid-format long
# Disable useless verbosity
no-greeting
# Use HKPS for more privacy
keyserver hkps://keys.fedoraproject.org
keyserver-options no-honor-keyserver-url
# Enable more options
expert
# Show per-uid validity
verify-options show-uid-validity
list-options show-uid-validity
# Ask for signature expiration date
ask-sig-expire
ask-cert-expire
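As an added example (not code from the original post), here is a small shell linter that checks gpg.conf text for the choices made above: no 64-bit block cipher in the cipher preferences, AES-256 for s2k, SHA-2 digests and an hkps:// keyserver. The weak sample config and the keyserver.example host are constructed for the demonstration.

```shell
# Added example, not code from the original post: a linter that checks gpg.conf text
# for the choices above (no 64-bit block ciphers, AES-256 s2k, SHA-2 digests, hkps).
WEAK_CIPHERS="idea 3des cast5 blowfish"   # 64-bit block size
WEAK_DIGESTS="md5 sha1 ripemd160"

# conf_get CONFIG OPTION: print the value of OPTION (first occurrence, blank if unset).
conf_get() {
    printf '%s\n' "$1" | awk -v opt="$2" '$1 == opt { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# list_excludes "LIST" "FORBIDDEN": succeed only if no forbidden word appears in LIST.
list_excludes() {
    for w in $2; do
        case " $1 " in *" $w "*) return 1 ;; esac
    done
    return 0
}

# lint_gpg_conf CONFIG: print one line per finding; return the number of findings.
# Usage on a real file: lint_gpg_conf "$(cat ~/.gnupg/gpg.conf)"
lint_gpg_conf() {
    local c="$1" n=0 v o
    v=$(conf_get "$c" personal-cipher-preferences)
    list_excludes "$v" "$WEAK_CIPHERS" || { echo "64-bit block cipher in cipher prefs: $v"; n=$((n + 1)); }
    [ "$(conf_get "$c" s2k-cipher-algo)" = aes256 ] || { echo "s2k-cipher-algo is not aes256"; n=$((n + 1)); }
    v=$(conf_get "$c" personal-digest-preferences)
    list_excludes "$v" "$WEAK_DIGESTS" || { echo "weak hash in digest prefs: $v"; n=$((n + 1)); }
    for o in s2k-digest-algo cert-digest-algo; do
        case "$(conf_get "$c" "$o")" in
            sha256|sha384|sha512) ;;
            *) echo "$o is not a SHA-2 hash"; n=$((n + 1)) ;;
        esac
    done
    case "$(conf_get "$c" keyserver)" in
        hkps://*) ;;
        *) echo "keyserver does not use hkps://"; n=$((n + 1)) ;;
    esac
    return "$n"
}

# Constructed sample that still prefers a 64-bit block cipher, SHA-1 and plain hkp.
WEAK_CONF='personal-cipher-preferences cast5 aes
s2k-cipher-algo cast5
personal-digest-preferences sha1 sha256
s2k-digest-algo sha1
cert-digest-algo sha1
keyserver hkp://keyserver.example'
```

Running `lint_gpg_conf "$WEAK_CONF"` reports six findings, while the gpg.conf shown above passes with none.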
My GnuPG version
I use GnuPG stable (aka 2.0.x) in my desktop setup. For more convenience I add the following line to my ~/.bashrc.
alias gpg='gpg2'
Using gpg-agent
Using gpg-agent in the right way is an important element of the GnuPG integration for desktop computers.
Disabling the GNOME gpg agent
GNOME users should disable the gpg agent provided by GNOME and use the default one. If you disagree with that statement, please let me know.
To disable it, edit the file named gnome-keyring-gpg.desktop, usually located in /etc/xdg/autostart/, and set X-GNOME-Autostart-enabled=false.
Start gpg-agent at the session startup
There are various ways to do that. Systemd fans can do it with systemd-user. I chose to just put the following lines in ~/.xsessionrc.
#!/bin/bash
eval $(gpg-agent --daemon)
Don’t forget to make the file executable.