

GnuPG is GNU's implementation of the OpenPGP standard.

1. GPG Configuration

When outputting certificates, view user IDs distinctly from keys


Long keyids are more collision-resistant than short keyids. (It's trivial to make a key with any desired short keyid.)

keyid-format 0xlong

When multiple digests are supported by all recipients, choose the strongest one.

personal-digest-preferences SHA512 SHA384 SHA256 SHA224

Preferences chosen for new keys should prioritize stronger algorithms.

default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed

If you use a graphical environment (and even if you don't) you should be using an agent (similar arguments as


You should always know at a glance which User IDs gpg thinks are legitimately bound to the keys in your keyring.

verify-options show-uid-validity
list-options show-uid-validity

When making an OpenPGP certification, use a stronger digest than the default SHA1.

cert-digest-algo SHA256

Prevent version string from appearing in your signatures/public keys

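A small linter for the settings above, added here as an example rather than taken from the original config. It reads a gpg.conf, looks up each recommended option (the last uncommented occurrence is used; this is the script's own choice, not a claim about how gpg resolves duplicates), and reports options that are absent or set to something other than the value listed above. The sample config it writes is constructed for the demo and deliberately has a weakened keyid-format and no cert-digest-algo.

```shell
#!/bin/sh
# Added example: lint a gpg.conf against the settings recommended above.
# Not part of the original page; the sample config below is constructed.

# Option/value pairs as listed in the configuration section above.
GPG_CONF_EXPECTED='keyid-format 0xlong
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed
verify-options show-uid-validity
list-options show-uid-validity
cert-digest-algo SHA256'

# Print the value of option $2 in file $1. Comment lines never match
# because the option name must be the first token; if the option appears
# more than once, the last occurrence wins (script's own convention).
gpg_conf_value() {
    grep -E "^[[:space:]]*$2([[:space:]]|$)" "$1" \
        | sed -e "s/^[[:space:]]*$2[[:space:]]*//" -e 's/[[:space:]]*$//' \
        | tail -n 1
}

# Check file $1. Prints one line per problem and returns the problem count
# (0 means every recommended setting is present with the expected value).
check_gpg_conf() {
    conf="$1"
    missing=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 99; }
    while read -r opt want; do
        [ -n "$opt" ] || continue
        have=$(gpg_conf_value "$conf" "$opt")
        if [ -z "$have" ]; then
            echo "MISSING: $opt $want"
            missing=$((missing + 1))
        elif [ "$have" != "$want" ]; then
            echo "DIFFERS: $opt is '$have', expected '$want'"
            missing=$((missing + 1))
        fi
    done <<EOF
$GPG_CONF_EXPECTED
EOF
    return "$missing"
}

# Constructed sample with one weakened and one missing setting; prints its path.
make_sample_conf() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
# constructed sample gpg.conf (not a real user's file)
keyid-format 0xshort
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 BZIP2 ZLIB ZIP Uncompressed
verify-options show-uid-validity
list-options show-uid-validity
# cert-digest-algo SHA256   <- commented out, so it counts as missing
EOF
    echo "$f"
}

# Constructed sample that matches every recommended setting; prints its path.
make_good_conf() {
    f=$(mktemp) || return 1
    printf '%s\n' "$GPG_CONF_EXPECTED" >"$f"
    echo "$f"
}

# Demo run on the constructed sample; use ~/.gnupg/gpg.conf for a real check.
sample=$(make_sample_conf)
rc=0; check_gpg_conf "$sample" || rc=$?
echo "$rc setting(s) need attention in $sample"
rm -f "$sample"
```

Run it against your own file with `check_gpg_conf ~/.gnupg/gpg.conf`; a non-zero return means at least one of the hardening settings listed above is not in effect as written.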

2. GPG Agent Configuration

Some sane defaults here

default-cache-ttl 600
max-cache-ttl 7200

This tells gpg to act as our OpenSSH agent as well.


We also want to make use of my pinentry switcher. It switches which pinentry program to use based on context (environment variables).

pinentry-program /usr/bin/pinentry-switcher

This means clients like Emacs can get the password in their own way and push to gpg. For this to work with emacs, set epa-pinentry-mode to 'loopback in Emacs.


3. Helper Scripts

3.1. GPG Lock

Here is a simple script I set up to quickly encrypt files with GPG. Can't say I use this too much nowadays, but I have it here because it's something to have in my back pocket. It looks for ~/.gpg-id for the key-id to use.

infile="$1"; outfile="${infile}.gpg"   # assumed: file to lock; output gets a .gpg suffix
if [ -z "$(echo "$infile" | grep -E '.+\.gpg$')" ]; then
    gpg_id=$(cat ~/.gpg-id)             # recipient key-id stored in ~/.gpg-id
    gpg --output "$outfile" -r "$gpg_id" --encrypt "$infile"
else
    echo "Trying to encrypt already encrypted file"
fi

3.2. GPG Unlock

Like gpg-lock, but for decrypting. Like before, it uses ~/.gpg-id for the key-id to use.

infile="$1"   # assumed: the .gpg file to unlock
if [ -n "$(echo "$infile" | grep -E '.+\.gpg$')" ]; then
    outfile=$(echo "${infile}" | sed -e 's/\.gpg$//g')   # strip the .gpg suffix for the output name
    gpg --output "$outfile" --decrypt "$infile"
else
    echo "Not a valid gpg locked file; Unable to unlock!"
fi

Created: 2021-11-13

Emacs 26.1 (Org mode 9.5)