Following my recent blog post series about Thunderbird, I'd like to show you my GnuPG configuration today. I'm certainly no expert, so feedback on improvements is highly welcome. I run GPGTools on OS X, but this guide should be applicable to all recent versions of GnuPG.
Generating a safe key pair
For generating a safe key pair, I recommend reading Alex Cabal's blog post, which was a tremendous help to me.
The GnuPG configuration
GnuPG's configuration lives in ~/.gnupg/gpg.conf, a file that is read each time GnuPG is started. Note that external wrappers like Enigmail can override some of these settings at runtime by passing their own command-line parameters.
Let’s now have a look at my configuration file, line by line:
This sets the character set of the input files to UTF-8, which should be the default encoding on most modern systems.
This configures a default keyserver for public key retrieval.
personal-digest-preferences SHA512
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
These three settings select SHA512 as the digest for your signatures and for key certifications, and set the algorithm preference list that is published with your key, so that weak hashing algorithms are avoided.
Admittedly a bit of security by obscurity, this not only disables the output of GnuPG's version, but also completely disables the comment field that is used to display the software's name and operating system.
This omits the greeting message when GnuPG is invoked on the command line.
This sets the default key used for signing messages. 0x12345678 should be replaced by your key ID, of course. Note: you can also use the 16-character form of your key ID here, as displayed with keyid-format 0xlong.
With the help of this option, your own key (see above) is used as default recipient for encrypted messages in case no other one is provided.
This setting additionally encrypts all messages to your own key, in addition to the original recipients' keys, so that you can later read what you sent. 0x12345678 should be replaced by your key ID, of course. Note: you can also use the 16-character form of your key ID here, as displayed with keyid-format 0xlong.
To display key IDs in their long format (16 instead of 8 characters), use this setting.
How to group recipients
When you regularly encrypt files for the same recipients, like your colleagues, the group feature comes in handy. In gpg.conf you can define a set of keys and assign an identifier to them:
group colleagues=0x12345678 0x23456789 0x34567890
This creates the group colleagues with three keys. To encrypt files for all of them at once, you can use:
gpg --always-trust --recipient colleagues --encrypt-files file1 file2 file3
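Assembled from the descriptions above, here is the corresponding gpg.conf as an added example; it is not the author's literal file (which is not reproduced on this page) but uses the standard GnuPG option names that match each description. The keyserver is a placeholder, since the post does not name one, and the 0x... IDs are the post's sample values.

```conf
# ~/.gnupg/gpg.conf -- reconstructed from the post's descriptions (added example,
# not the author's literal file). Replace the 0x... IDs with your own key IDs.

# Treat input files as UTF-8
charset utf-8

# Default keyserver for public key retrieval (placeholder: the post names none)
keyserver hkps://KEYSERVER.EXAMPLE.ORG

# SHA512 for signatures and certifications; preferences published with the key
personal-digest-preferences SHA512
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

# Do not reveal the GnuPG version or the software/OS comment in output
no-emit-version
no-comments

# Omit the greeting banner on the command line
no-greeting

# Key used for signing; also the default recipient when none is given
default-key 0x12345678
default-recipient-self

# Additionally encrypt every message to your own key
encrypt-to 0x12345678

# Show key IDs in their 16-character form
keyid-format 0xlong

# Named recipient group for the colleagues example above
group colleagues=0x12345678 0x23456789 0x34567890
```

With this file, gpg --recipient colleagues --encrypt-files file1 file2 encrypts to all three group keys plus the encrypt-to key. The --always-trust flag in the command above skips GnuPG's validity check on the recipient keys, so it is only appropriate for keys you have already verified and signed.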
Right now, I'm looking into using my external key token as storage for my private key. An interesting side effect is that the same key can serve as an SSH authentication token, but those topics will most likely be covered in a separate blog post in the future.