Tuesday, June 17, 2014

GNUPG defaults

GNUPG stands for GNU Privacy Guard.
For now I'm just interested in adjusting some security defaults.
Whenever possible I'll be relying on Seahorse for the dirty work.
Maybe because I'm lazy or because I don't want details at this moment.

The key adjustment that's highly recommended is the replacement of SHA-1.
Until the advent of SHA-3, it's recommended to use SHA-256 or SHA-512.
As note here, don't create new RSA keys less than 4096 bits either.

In Solaris, GNUPG is delivered by the following IPS package:

$ pkg info -r gnupg
          Name: crypto/gnupg
       Summary: GNU Privacy Guard
   Description: ... OpenPGP Standard as defined by RFC4880.
      Category: Applications/System Utilities
         State: Installed
     Publisher: solaris
       Version: 2.0.17
 Build Release: 5.11
        Branch: 0.175.1.0.0.24.0
Packaging Date: September  4, 2012 05:06:14 PM
          Size: 7.98 MB
          FMRI: pkg://solaris/crypto/gnupg@...


Two fundamental CLI programs are:
  • gpg2 (documented in GPG2(1))
  • gpgconf (documented in GPGCONF(1))
  • gpg-zip (documented in GPG-ZIP(1))
  
The configuration files are "two level" (local and global).
The local settings override the global settings.
By the way, this is quite traditional in Unix.
They are:
  • .gnupg/gpg.conf
  • /etc/gnupg/gpgconf.conf    (doesn't exist by default)

Finally, to achieve what I need, according to The Appache Software Foundation the following adjustments are required to avoid SHA-1 weakness:

$ tail .gnupg/gpg.conf
...
#
# Setting Defaults
#

personal-digest-preferences SHA512
cert-digest-algo SHA512
default-preference-list SHA512 SHA384 SHA256 SHA224 \

                        AES256 AES192 AES \
                        CAST5 ZLIB BZIP2 ZIP Uncompressed