S1SYPHOS · June 17, 2019 17:10
diff --git a/dirmngr.conf b/dirmngr.conf
 ##################
 #  DIRMNGR CONF  #
 ##################

 ##
 # SKS keyserver running as Tor hidden service
 # See https://sks-keyservers.net/overview-of-pools.php#pool_tor
 keyserver hkp://jirk5u4osbsr34t5.onion

 ##
 # Switches GnuPG into "Tor mode", routing all network access via Tor (an anonymity network).
 use-tor

 # For more information, see https://www.gnupg.org/documentation/manuals/gnupg/Dirmngr-Options.html
 ##
diff --git a/gpg-agent.conf b/gpg-agent.conf
 ####################
 #  GPG-AGENT CONF  #
 ####################

 ##
 # Set the time a cache entry is valid. Each time a cache entry is accessed,
 # the entry's timer is reset.
 # The default is 600 seconds.
 default-cache-ttl 1800 # 30 minutes

 ##
 # Set the maximum time a cache entry is valid. After this time a cache entry
 # will be expired even if it has been accessed recently.
 # The default is 2 hours (7200 seconds).
 max-cache-ttl 3600 # 1 hour

 ##
 # Like `default-cache-ttl`, but for SSH keys.
 # The default is 1800 seconds.
 default-cache-ttl-ssh 1800 # 30 minutes

 ##
 # Like `max-cache-ttl`, but for SSH keys.
 # The default is 2 hours (7200 seconds).
 max-cache-ttl-ssh 3600 # 1 hour

 ##
 # Enable OpenSSH Agent (ssh-agent) protocol support
 enable-ssh-support

 # For more information, see https://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html
 ##
diff --git a/gpg.conf b/gpg.conf
 ##############
 #  GPG CONF  #
 ##############

 ####
 # Behaviour
 ##

 ##
 # Use `default-key` as the default key to sign with
 # default-key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

 ##
 # Use `default-key` as default recipient
 default-recipient-self

 ##
 # Disable inclusion of the version string in ASCII armored output
 # Enabled by default (but I like being explicit)
 no-emit-version

 ##
 # Disable comment string in clear text signatures and ASCII armored messages
 # Enabled by default (but I like being explicit)
 no-comments

 ##
 # Suppress the initial copyright message
 no-greeting

 ##
 # Don't include recipient key IDs as it may disclose the sender or any other non-obvious key IDs
 # as a (limited) countermeasure against traffic analysis
 # Enabled by default (but I like being explicit)
 throw-keyids

 ##
 # Display the calculated validity of ..
 #
 # .. user IDs during key listings
 list-options show-uid-validity

 # .. the user IDs on the key that issued the signature
 verify-options show-uid-validity

 ##
 # Enable the creation of RSA secret keys as large as 8192 bit
 # Note: 8192 bit is more than is generally recommended. These large keys don't significantly improve security,
 # but they are more expensive to use, and their signatures and certifications are larger
 # enable-large-rsa

 ##
 # Cross-certify that subkeys are present and valid
 # This protects against a subtle attack against subkeys that can sign
 # Enabled by default (but I like being explicit)
 require-cross-certification

 # This is just for show, as `gpg` always requires the agent
 # Enabled by default (but I like being explicit)
 use-agent


 ####
 # Input & Output
 ##

 ## Input

 ##
 # Force UTF-8 encoding
 display-charset utf-8
 utf8-strings

 ## Output

 ##
 # Display long key IDs
 keyid-format 0xlong

 ##
 # List keys along with their fingerprints
 with-fingerprint

 ##
 # Create ASCII armored output
 # Defaults to creating the binary OpenPGP format
 armor

 ##
 # When outputting certificates, view user IDs distinctly from keys
 # Always enabled since GnuPG v2.0.10 (obsolete)
 fixed-list-mode


 ####
 # Keyserver
 ##

 # When searching for a key with --search-keys, include keys that are marked on
 # the keyserver as revoked
 keyserver-options include-revoked

 # When using --refresh-keys, if the key in question has a preferred keyserver
 # URL, then disable use of that preferred keyserver to refresh the key from
 keyserver-options no-honor-keyserver-url


 ####
 # Cryptography
 ##

 ## Algorithms & Ciphers

 ##
 # Prefer the strongest ciphers and digests in the OpenPGP specification
 # To list available algorithms: gpg --version
 personal-cipher-preferences AES256 TWOFISH
 personal-digest-preferences SHA512 SHA384 SHA256 SHA224
 personal-compress-preferences BZIP2 ZLIB ZIP Uncompressed

 ##
 # Use the strongest digest when signing a key
 cert-digest-algo SHA512

 ##
 # Set the list of personal compression preferences
 default-preference-list SHA512 SHA384 SHA256 SHA224 RIPEMD160 AES256 TWOFISH BLOWFISH ZLIB BZIP2 ZIP Uncompressed

 ##
 # Disable insecure algorithms
 disable-cipher-algo 3DES IDEA

 ##
 # Disable the passphrase cache used for symmetrical operations
 no-symkey-cache

 ##
 # Force the use of encryption with a modification detection code.
 # Enabled by default (but I like being explicit)
 force-mdc

 ## String-to-Key Specifiers

 # Cipher algorithm for symmetric encryption with a passphrase
 # Defaults to AES-128
 s2k-cipher-algo TWOFISH

 ##
 # Digest algorithm used to mangle the passphrases for symmetric encryption
 # Defaults to SHA-1
 s2k-digest-algo SHA512

 ##
 # Selects how passphrases for symmetric encryption are
 # Defaults to 3 (iterated & salted, see RFC4880) (obsolete)
 s2k-mode 3

 ##
 # Specify how many times the passphrases mangling for symmetric encryption is repeated
 # Note: this is only meaningful if `s2k-mode` is set to the default of 3
 s2k-count 65536

 ##
 # Sources & further information:
 # - GnuPG options: https://www.gnupg.org/documentation/manuals/gnupg/GPG-Options.html
 # - S2K Specifications: https://tools.ietf.org/html/rfc4880#section-3.7
 # - Parcimonie.sh: https://github.com/EtiennePerot/parcimonie.sh
 #
 # Useful tweaks:
 # - https://github.com/Whonix/anon-gpg-tweaks/tree/master/etc/skel/.gnupg
 # - https://www.designed-cybersecurity.com/tutorials/harden-your-gnupg-config
 #
 # A bit outdated, but still a good starting point:
 # - https://github.com/ioerror/duraconf
 # - https://alexcabal.com/creating-the-perfect-gpg-keypair
 # - https://riseup.net/en/security/message-security/openpgp/best-practices
 ##
	##################
	# DIRMNGR CONF #
	##################

	##
	# SKS keyserver running as Tor hidden service
	# See https://sks-keyservers.net/overview-of-pools.php#pool_tor
	keyserver hkp://jirk5u4osbsr34t5.onion

	##
	# Switches GnuPG into "Tor mode", routing all network access via Tor (an anonymity network).
	use-tor

	# For more information, see https://www.gnupg.org/documentation/manuals/gnupg/Dirmngr-Options.html
	##
	####################
	# GPG-AGENT CONF #
	####################

	##
	# Set the time a cache entry is valid. Each time a cache entry is accessed,
	# the entry's timer is reset.
	# The default is 600 seconds.
	default-cache-ttl 1800 # 30 minutes

	##
	# Set the maximum time a cache entry is valid. After this time a cache entry
	# will be expired even if it has been accessed recently.
	# The default is 2 hours (7200 seconds).
	max-cache-ttl 3600 # 1 hour

	##
	# Like `default-cache-ttl`, but for SSH keys.
	# The default is 1800 seconds.
	default-cache-ttl-ssh 1800 # 30 minutes

	##
	# Like `max-cache-ttl`, but for SSH keys.
	# The default is 2 hours (7200 seconds).
	max-cache-ttl-ssh 3600 # 1 hour

	##
	# Enable OpenSSH Agent (ssh-agent) protocol support
	enable-ssh-support

	# For more information, see https://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html
	##
	##############
	# GPG CONF #
	##############

	####
	# Behaviour
	##

	##
	# Use `default-key` as the default key to sign with
	# default-key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

	##
	# Use `default-key` as default recipient
	default-recipient-self

	##
	# Disable inclusion of the version string in ASCII armored output
	# Enabled by default (but I like being explicit)
	no-emit-version

	##
	# Disable comment string in clear text signatures and ASCII armored messages
	# Enabled by default (but I like being explicit)
	no-comments

	##
	# Suppress the initial copyright message
	no-greeting

	##
	# Don't include recipient key IDs as it may disclose the sender or any other non-obvious key IDs
	# as a (limited) countermeasure against traffic analysis
	# Enabled by default (but I like being explicit)
	throw-keyids

	##
	# Display the calculated validity of ..
	#
	# .. user IDs during key listings
	list-options show-uid-validity

	# .. the user IDs on the key that issued the signature
	verify-options show-uid-validity

	##
	# Enable the creation of RSA secret keys as large as 8192 bit
	# Note: 8192 bit is more than is generally recommended. These large keys don't significantly improve security,
	# but they are more expensive to use, and their signatures and certifications are larger
	# enable-large-rsa

	##
	# Cross-certify that subkeys are present and valid
	# This protects against a subtle attack against subkeys that can sign
	# Enabled by default (but I like being explicit)
	require-cross-certification

	# This is just for show, as `gpg` always requires the agent
	# Enabled by default (but I like being explicit)
	use-agent


	####
	# Input & Output
	##

	## Input

	##
	# Force UTF-8 encoding
	display-charset utf-8
	utf8-strings

	## Output

	##
	# Display long key IDs
	keyid-format 0xlong

	##
	# List keys along with their fingerprints
	with-fingerprint

	##
	# Create ASCII armored output
	# Defaults to creating the binary OpenPGP format
	armor

	##
	# When outputting certificates, view user IDs distinctly from keys
	# Always enabled since GnuPG v2.0.10 (obsolete)
	fixed-list-mode


	####
	# Keyserver
	##

	# When searching for a key with --search-keys, include keys that are marked on
	# the keyserver as revoked
	keyserver-options include-revoked

	# When using --refresh-keys, if the key in question has a preferred keyserver
	# URL, then disable use of that preferred keyserver to refresh the key from
	keyserver-options no-honor-keyserver-url


	####
	# Cryptography
	##

	## Algorithms & Ciphers

	##
	# Prefer the strongest ciphers and digests in the OpenPGP specification
	# To list available algorithms: gpg --version
	personal-cipher-preferences AES256 TWOFISH
	personal-digest-preferences SHA512 SHA384 SHA256 SHA224
	personal-compress-preferences BZIP2 ZLIB ZIP Uncompressed

	##
	# Use the strongest digest when signing a key
	cert-digest-algo SHA512

	##
	# Set the list of personal compression preferences
	default-preference-list SHA512 SHA384 SHA256 SHA224 RIPEMD160 AES256 TWOFISH BLOWFISH ZLIB BZIP2 ZIP Uncompressed

	##
	# Disable insecure algorithms
	disable-cipher-algo 3DES IDEA

	##
	# Disable the passphrase cache used for symmetrical operations
	no-symkey-cache

	##
	# Force the use of encryption with a modification detection code.
	# Enabled by default (but I like being explicit)
	force-mdc

	## String-to-Key Specifiers

	# Cipher algorithm for symmetric encryption with a passphrase
	# Defaults to AES-128
	s2k-cipher-algo TWOFISH

	##
	# Digest algorithm used to mangle the passphrases for symmetric encryption
	# Defaults to SHA-1
	s2k-digest-algo SHA512

	##
	# Selects how passphrases for symmetric encryption are
	# Defaults to 3 (iterated & salted, see RFC4880) (obsolete)
	s2k-mode 3

	##
	# Specify how many times the passphrases mangling for symmetric encryption is repeated
	# Note: this is only meaningful if `s2k-mode` is set to the default of 3
	s2k-count 65536

	##
	# Sources & further information:
	# - GnuPG options: https://www.gnupg.org/documentation/manuals/gnupg/GPG-Options.html
	# - S2K Specifications: https://tools.ietf.org/html/rfc4880#section-3.7
	# - Parcimonie.sh: https://github.com/EtiennePerot/parcimonie.sh
	#
	# Useful tweaks:
	# - https://github.com/Whonix/anon-gpg-tweaks/tree/master/etc/skel/.gnupg
	# - https://www.designed-cybersecurity.com/tutorials/harden-your-gnupg-config
	#
	# A bit outdated, but still a good starting point:
	# - https://github.com/ioerror/duraconf
	# - https://alexcabal.com/creating-the-perfect-gpg-keypair
	# - https://riseup.net/en/security/message-security/openpgp/best-practices
	##