GnuPG

GnuPG is GNU's implementation of the OpenPGP standard.

1. GPG Configuration

When outputting certificates, view user IDs distinctly from keys

fixed-list-mode

Long key IDs are more collision-resistant than short key IDs (it's trivial to generate a key with any desired short key ID), so always display the long form and the full fingerprint.

keyid-format 0xlong
with-fingerprint

When multiple digests are supported by all recipients, choose the strongest one.

personal-digest-preferences SHA512 SHA384 SHA256 SHA224

Preferences chosen for new keys should prioritize stronger algorithms.

default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed

If you use a graphical environment (and even if you don't) you should be using an agent (similar arguments as https://www.debian-administration.org/users/dkg/weblog/64)

use-agent

You should always know at a glance which User IDs gpg thinks are legitimately bound to the keys in your keyring

verify-options show-uid-validity
list-options show-uid-validity

When making an OpenPGP certification, use a stronger digest than the default SHA1.

cert-digest-algo SHA256

Prevent the GnuPG version string from appearing in your signatures and exported public keys.

no-emit-version
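As an added example (not part of the original page), here is a small POSIX shell audit that checks a gpg.conf for the options recommended above. The WANTED patterns, the sample config and the file paths are my own construction; the script only reads the file, it never calls gpg.

```shell
#!/bin/sh
# Added example: audit a gpg.conf for the hardening options this page recommends.
# Not from the original page; the patterns and the sample config are constructed.

# One extended regex per recommended line, anchored at line start after
# comments and leading blanks are stripped. "keyid-format long" is accepted
# alongside 0xlong, and any SHA-2 cert digest counts as stronger than SHA1.
WANTED='fixed-list-mode
keyid-format +(0x)?long
with-fingerprint
personal-digest-preferences +SHA512
default-preference-list +SHA512
cert-digest-algo +SHA(256|384|512)
no-emit-version
verify-options +show-uid-validity
list-options +show-uid-validity'

# audit_gpg_conf FILE: print each missing option; return 0 only if none is missing.
audit_gpg_conf() {
    conf=$1
    missing=0
    # Normalise once so the anchored patterns behave: drop comments and indentation.
    normalised=$(sed -e 's/#.*//' -e 's/^[[:space:]]*//' "$conf")
    old_ifs=$IFS
    IFS='
'
    for pattern in $WANTED; do
        if ! printf '%s\n' "$normalised" | grep -Eq "^$pattern"; then
            echo "missing: $pattern"
            missing=$((missing + 1))
        fi
    done
    IFS=$old_ifs
    [ "$missing" -eq 0 ]
}

# Demo on a constructed, deliberately weak config (short key IDs, no fingerprints).
demo_weak_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample gpg.conf
keyid-format short
  use-agent
no-emit-version
EOF
    audit_gpg_conf "$f"
    status=$?
    rm -f "$f"
    return $status
}

demo_weak_conf || echo "weak config flagged (expected)"
```

Run it as `sh audit.sh`, or source it and call audit_gpg_conf ~/.gnupg/gpg.conf to check your own file.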

2. GPG Agent Configuration

Some sane defaults here

default-cache-ttl 600
max-cache-ttl 7200

This tells gpg-agent to act as our OpenSSH agent as well.

enable-ssh-support

We also want to make use of my pinentry switcher. It switches which pinentry program to use based on context (environment variables).

pinentry-program /usr/bin/pinentry-switcher

This means clients like Emacs can collect the passphrase in their own way and push it to gpg. For this to work with Emacs, set the Emacs variable epa-pinentry-mode to 'loopback.

allow-emacs-pinentry
allow-loopback-pinentry

3. Helper Scripts

3.1. GPG Lock

Here is a simple script I set up to quickly encrypt files with GPG. I can't say I use it much nowadays, but I keep it here because it's something to have in my back pocket. It reads the key ID to encrypt to from ~/.gpg-id.

#!/bin/sh
# gpg-lock: encrypt FILE to the key ID stored in ~/.gpg-id, producing FILE.gpg
infile=$1
[ -n "$infile" ] || { echo "usage: gpg-lock FILE" >&2; exit 1; }
# Refuse to double-encrypt: anything already ending in .gpg is left alone.
if ! echo "$infile" | grep -Eq '.+\.gpg$'; then
    gpg_id=$(cat ~/.gpg-id)
    outfile="${infile}.gpg"
    gpg --output "$outfile" -r "$gpg_id" --encrypt "$infile"
else
    echo "Trying to encrypt already encrypted file" >&2
    exit 1
fi

3.2. GPG Unlock

Like gpg-lock, but for decrypting. Like before, it uses ~/.gpg-id for the key-id to use.

#!/bin/sh
# gpg-unlock: decrypt FILE.gpg, writing the plaintext to FILE
infile=$1
[ -n "$infile" ] || { echo "usage: gpg-unlock FILE.gpg" >&2; exit 1; }
if echo "$infile" | grep -Eq '.+\.gpg$'; then
    # Strip the trailing .gpg with parameter expansion instead of a sed round-trip.
    outfile=${infile%.gpg}
    gpg --output "$outfile" --decrypt "$infile"
else
    echo "Not a valid gpg locked file; Unable to unlock!" >&2
    exit 1
fi

Created: 2021-11-13

Emacs 26.1 (Org mode 9.5)