Hardened GPG Configuration
After installing GnuPG, one of the first steps to take before generating and using OpenPGP keys is to learn about and harden the GPG configuration file, gpg.conf.
GPG Configuration Location
GnuPG reads its configuration options from the gpg.conf file, which it uses to determine various runtime parameters.
On Linux and macOS the gpg.conf file is stored in the .gnupg directory under the user's home directory:
~/.gnupg
On Windows the gpg.conf file is stored in the following location:
C:\Users\<username>\.gnupg
Example Configuration
GnuPG has sane defaults, so adding your own options to the configuration file isn’t strictly necessary. However, it’s recommended to add these options to further increase the privacy and security of the program.
Be sure to learn about the gpg options used here, as well as the other options available, so you understand what each one does and can customize the configuration to meet your own needs.
Here’s an example of a hardened configuration:
# Use UTF-8 character encoding everywhere (option is not supported on Windows)
display-charset utf-8
# Use gpg-agent for key and passphrase handling (a dummy option on GnuPG 2.1
# and later, where the agent is always used; kept for older versions)
use-agent
# Don't leak comments or software version information
no-comments
no-emit-version
# Disable initial copyright message
no-greeting
# Use the long (64-bit) key ID format prefixed with 0x; short 32-bit key IDs
# are trivially collidable
keyid-format 0xlong
# Display all keys and their fingerprints
with-fingerprint
# Display UID validity
list-options show-uid-validity
verify-options show-uid-validity
# Can enable this option to display the locally held information on the
# origin and last update of a key in a key listing
#with-key-origin
# Does not put the recipient key IDs into encrypted messages
# This helps to hide the receivers of the message and is a limited
# countermeasure against traffic analysis
# May break Mailvelope
throw-keyids
# Sets the default key to use when signing
# Can get the key fingerprint with: gpg -K
default-key <replace-with-the-fingerprint-of-your-key>
# Use the default key as the default recipient
default-recipient-self
# When verifying a signature made from a subkey, require that the
# cross certification "back signature" on the subkey is present and
# valid
# This protects against a subtle attack against subkeys that can sign
require-cross-certification
# Disable caching of passphrase for symmetrical encryption and
# decryption
no-symkey-cache
# Prefer the strongest ciphers and digests in the OpenPGP specification
# Allows the user to safely override the algorithm chosen by the
# recipient key preferences as gpg only selects an algorithm that's
# usable by all recipients
# To list available algorithms run: gpg --version
# The most highly ranked cipher in the list is also used for the
# symmetric encryption command
personal-cipher-preferences AES256 AES192 AES
# The most highly ranked digest algorithm in this list is also used
# when signing without encryption
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
# The most highly ranked compression algorithm in this list is also
# used when there are no recipient keys to consider, e.g., the
# symmetric encryption command
personal-compress-preferences ZLIB BZIP2 ZIP Uncompressed
# Default preferences for new keys
default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES ZLIB BZIP2 ZIP Uncompressed
# Use the strongest digest when signing a key
# Be aware that if you choose an algorithm that GnuPG supports but other
# OpenPGP implementations do not, then some users will not be able to
# use the key signatures you make, or quite possibly your entire key
cert-digest-algo SHA512
# Use SHA512 as the digest algorithm used to mangle passphrases for
# symmetric encryption
s2k-digest-algo SHA512
# Use AES256 as the cipher algorithm for symmetric encryption with a
# passphrase
s2k-cipher-algo AES256
# Only look up keys in the local keyring; do not automatically query
# key servers, WKD or DNS
auto-key-locate local
# Trust model that combines Trust On First Use (TOFU)
# with the Web of Trust
# Trust level is computed for each model then the max trust level is
# taken where the trust levels are ordered as follows
# unknown < undefined < marginal < fully < ultimate < expired < never
trust-model tofu+pgp
# By setting the TOFU default policy to unknown the model can use the
# Web of Trust with TOFU's conflict detection algorithm without the
# assignment of positive trust values
tofu-default-policy unknown
# Set this to get more information in the output
#verbose
Be sure to replace <replace-with-the-fingerprint-of-your-key> in the default-key line with the fingerprint of your key.
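To catch the mistakes this section warns about (an unreplaced placeholder, a key ID where a full fingerprint is expected, hardening options missing from the file), here is an added Python linter for gpg.conf. It is example code written for this page, not part of GnuPG: the expected values are taken from the configuration above, the two sample files are constructed, and the fingerprint in the hardened sample is a made-up value rather than a real key. It also flags use-agent, which the GnuPG manual documents as a dummy option on 2.1 and later.

```python
"""Lint a gpg.conf against the hardening options listed above (added example, not GnuPG code)."""
import re
from pathlib import Path

# Options the hardened configuration sets, mapped to the value expected.
# None means the option is a flag and its presence is enough.
EXPECTED = {
    "no-comments": None,
    "no-emit-version": None,
    "keyid-format": "0xlong",
    "with-fingerprint": None,
    "throw-keyids": None,
    "require-cross-certification": None,
    "no-symkey-cache": None,
    "personal-cipher-preferences": "AES256 AES192 AES",
    "personal-digest-preferences": "SHA512 SHA384 SHA256 SHA224",
    "cert-digest-algo": "SHA512",
    "s2k-digest-algo": "SHA512",
    "s2k-cipher-algo": "AES256",
    "trust-model": "tofu+pgp",
    "tofu-default-policy": "unknown",
}

# use-agent is a dummy option on GnuPG 2.1 and later: gpg always talks to gpg-agent
DEPRECATED = {"use-agent": "dummy option on GnuPG 2.1+, gpg always uses gpg-agent"}

# Matches unreplaced placeholders such as <replace-with-the-fingerprint-of-your-key>
PLACEHOLDER = re.compile(r"<[^>]*replace[^>]*>", re.IGNORECASE)
# A v4 fingerprint is 40 hex digits, a v5 fingerprint 64; an optional 0x prefix is allowed
FINGERPRINT = re.compile(r"(?:0x)?(?:[0-9A-Fa-f]{40}|[0-9A-Fa-f]{64})")


def parse_gpg_conf(text):
    """Turn gpg.conf text into (option, value) pairs, skipping blank lines and # comments.
    GnuPG separates option and value with whitespace; a single '=' is tolerated here too."""
    options = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("--"):  # long-option spelling is accepted by gpg as well
            line = line[2:]
        m = re.match(r"([^\s=]+)\s*=?\s*(.*)", line)
        if not m:
            continue
        options.append((m.group(1), m.group(2).strip() or None))
    return options


def lint_gpg_conf(text):
    """Return a list of human-readable findings; an empty list means nothing to fix."""
    findings = []
    seen = {}
    for name, value in parse_gpg_conf(text):
        seen[name] = value  # later lines override earlier ones in this checker
    for name, want in EXPECTED.items():
        if name not in seen:
            findings.append(f"missing: {name}")
        elif want is not None and (seen[name] or "").split() != want.split():
            findings.append(f"unexpected value for {name}: {seen[name]!r} (expected {want!r})")
    for name, why in DEPRECATED.items():
        if name in seen:
            findings.append(f"deprecated: {name} ({why})")
    for name, value in seen.items():
        if value and PLACEHOLDER.search(value):
            findings.append(f"placeholder not replaced: {name} {value}")
    key = seen.get("default-key")
    if key and not PLACEHOLDER.search(key) and not FINGERPRINT.fullmatch(key.replace(" ", "")):
        findings.append("default-key is not a full fingerprint; key IDs are not guaranteed unique")
    return findings


def lint_file(path=None):
    """Lint the user's own gpg.conf; Path.home() covers ~/.gnupg and C:\\Users\\<user>\\.gnupg."""
    path = Path(path) if path else Path.home() / ".gnupg" / "gpg.conf"
    return lint_gpg_conf(path.read_text(encoding="utf-8", errors="replace"))


# Constructed sample: a partially hardened file with the placeholder still in place
WEAK_SAMPLE = """\
use-agent
keyid-format short
default-key <replace-with-the-fingerprint-of-your-key>
trust-model tofu+pgp
"""

# Constructed sample: the hardened options from above; the fingerprint is made up, not a real key
HARDENED_SAMPLE = """\
no-comments
no-emit-version
keyid-format 0xlong
with-fingerprint
list-options show-uid-validity
throw-keyids
default-key 0x0123456789ABCDEF0123456789ABCDEF01234567
default-recipient-self
require-cross-certification
no-symkey-cache
personal-cipher-preferences AES256 AES192 AES
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
cert-digest-algo SHA512
s2k-digest-algo SHA512
s2k-cipher-algo AES256
trust-model tofu+pgp
tofu-default-policy unknown
"""

if __name__ == "__main__":
    for finding in lint_file() or ["OK: no findings"]:
        print(finding)
```

Run it as a script to check your own gpg.conf, or import lint_gpg_conf to check a file you are about to deploy. The fingerprint check only enforces what the note above asks for; GnuPG itself also accepts key IDs and user IDs for default-key.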
Resources
Here are some links to other hardened configurations as well as to GnuPG documentation about the various options that can be set: