@atErik
Created March 5, 2015 19:16
A comparatively stronger & safer & secured gpg.conf
# Created by atErik / tErik.
# Copyright 2011-2015, atErik.
# a4t4erik AT out4look dot co4m, t4erik AT sfk4 dot co4
# (Remove "4" from above, for address).
# Released under GPL (GNU Public License).
#
#
# First modified the original gpg.conf in 2011.
# Then kept transferring the modifications on top of each new version.
# Changed & improved options when it was necessary.
#
#
#
# THIS GPG.CONF IS USED WITH GnuPG v1.4.18 (classic) IN WINDOWS,
# RUN FROM PORTABLE USB OR FLASH MEDIA STORAGE DRIVE.
# This Portable/external USB/FLASH media storage drive was
# assigned a fixed drive letter: J:
# by using windows "Computer Management" panel.
# (run: compmgmt.msc for "Computer Management")
#
#
#
# HOW WERE THE GnuPG BINARY FILES OBTAINED?
# [1] After obtaining the installer file from gnupg.org, [2] install GnuPG
# classic v1.4.18 into a sub-folder
# "C:\Program Files (x86)\GNU\GnuPG1\" <-- notice the "1".
# on a fresh, uninfected system (after thoroughly checking the
# installer file).
# [3] Then copy all files except "uninstall.exe" from
# "C:\Program Files (x86)\GNU\GnuPG1\" into "J:\GPG\1\App\"
# And [4] again copy all files from "J:\GPG\1\App\"
# into "J:\GPG\1\v1.4.18\" This is the backup of GPG v1.4.18.
# [5] Obtain the Vanilla edition of GPG4Win (GPG v2.0.26) and
# [6] install it into "C:\Program Files (x86)\GNU\GnuPG\"
# on a fresh & uninfected system (you must check the
# installer file thoroughly).
# [7] And then copy the 9 files listed below from
# "C:\Program Files (x86)\GNU\GnuPG\"
# into "J:\GPG\1\App\"
# libadns-1.dll libcurl-4.dll
# libgcrypt-20.dll libgnutls-26.dll
# libgpg-error-0.dll libiconv-2.dll
# libtasn1-3.dll zlib1.dll
# gpgkeys_kdns.exe
# [8] Delete these 4 files from "J:\GPG\1\App\"
# gpgkeys_curl.exe gpgkeys_ldap.exe
# gpgkeys_finger.exe gpgkeys_hkp.exe
# [9] Copy the 4 files listed below from "C:\Program Files (x86)\GNU\GnuPG\"
# into "J:\GPG\1\App\"
# gpg2keys_curl.exe gpg2keys_ldap.exe
# gpg2keys_finger.exe gpg2keys_hkp.exe
# [10] Then rename the above 4 files, removing the "2".
# [11] Now your files will look like the list shown below.
# [12] GPG v2.0.26 supports HKPS (secure, encrypted connection) &
# other features which we want to use but which were not available
# in v1.4.18; that is why we have to do these steps.
# [13] Create an empty file "gpg.conf" inside "J:\GPG\1\Data\"
# [14] Copy-paste codes from this webpage into that "gpg.conf" file.
# [15] Obtain ThunderbirdPortable installer and [16] install into
# "J:\PortableApps\ThunderbirdPortable\"
# [17] Obtain "GPG for ThunderbirdPortable" installer, and
# [18] install into same "J:\PortableApps\ThunderbirdPortable\"
# [19] Copy/backup all files & folders from here
# "J:\PortableApps\ThunderbirdPortable\App\gpg\"
# and [20] paste into "J:\GPG\1\OldGPG\"
# [21] Download the "sks-keyservers.netCA.pem" file from the
# website below. It is the root CA TLS/SSL certificate file of a
# keyserver pool which supports HKPS encrypted connections, and
# its domain name is also DNSSEC signed:
# https://sks-keyservers.net/overview-of-pools.php
# and [22] download pem file into this below folder: "J:\GPG\1\App\"
# [23] Create an empty (0/zero byte sized) file "gpgconf.ctl"
# inside this folder "J:\GPG\1\App\"
# [24] Now copy all files from here "J:\GPG\1\App\" and paste
# into "J:\PortableApps\ThunderbirdPortable\App\gpg\"
# [25] and copy all files from here "J:\GPG\1\Data\" and paste
# into "J:\PortableApps\ThunderbirdPortable\Data\gpg\"
# [26] Now start ThunderbirdPortable, [27] install the "Enigmail" addon
# extension. [28] Restart Thunderbird.
# [29] Go to main menu > Enigmail > Preferences > Basic > and
# [30] click on "Show Expert Settings". [31] Then select the
# "Override with" option and [32] click on the "Browse" button,
# and [33] select the "gpg.exe" file, located inside the folder
# below: "J:\PortableApps\ThunderbirdPortable\App\gpg\"
# [34] Go to Enigmail > Preferences > Advanced > and
# [35] insert the line below inside the "Additional parameters for GnuPG"
# textbox:
# --homedir "..\\..\\Data\\gpg\\" --options "..\\..\\Data\\gpg\\gpg.conf" --verbose --verbose --require-secmem --no-default-keyring --secret-keyring "..\\..\\Data\\gpg\\secring.gpg" --trustdb-name "..\\..\\Data\\gpg\\trustdb.gpg" --primary-keyring "..\\..\\Data\\gpg\\pubring.gpg" --keyring "..\\..\\Data\\gpg\\pubring.gpg"
# [36] keep one space character (an empty space) in front of the above
# line, and keep one space char at the end.
# [37] Go to Enigmail > Preferences > Keyserver > and
# [38] insert the line below inside the "Specify your keyservers" textbox:
# hkps://hkps.pool.sks-keyservers.net no-honor-keyserver-url,verbose,check-cert,ca-cert-file=".\\sks-keyservers.netCA.pem"
# [39] keep one space character (an empty space) in front of the above
# line, and keep one space char at the end.
# [40] Press "Ok" to save your changes, in Enigmail.
# [41] You should restart Thunderbird once.
# [42] Now you are ready to use it, from external USB/Flash
# storage drive.
#
#
# [100] Why do we have to copy/backup files into different folders?
# [101] When/if you update portable-thunderbird next time, the
# [102] installer program will AUTOMATICALLY DELETE all existing
# binary files & folders located inside the
# "J:\PortableApps\ThunderbirdPortable\App\"
# folder! including the Improved-GPG folder. ( [103] The
# ThunderbirdPortable\Data\gpg\ folder & "gpg.conf" file
# will remain fine). [104] So we must keep a backup of
# Improved-GPG, which is this location "J:\GPG\1\App\",
# and [105] keep a backup of old-GPG in "J:\GPG\1\OldGPG\"
# And [106] IF you have updated ThunderbirdPortable, then you [107] must
# run the old "GPG for ThunderbirdPortable" installer
# again. [108] Then over-write old-GPG with Improved-GPG by doing this:
# copy all files & folders from "J:\GPG\1\App\" into the
# folder "J:\PortableApps\ThunderbirdPortable\App\"
# And then, finally, [109] you are again ready to use Thunderbird
# Portable, and portable & improved GPG.
#
#
#
#
# File list in "J:\GPG\1\App\"
# gpg.exe
# gpgconf.ctl gpgkeys_curl.exe
# gpgkeys_finger.exe gpgkeys_hkp.exe
# gpgkeys_kdns.exe gpgkeys_ldap.exe
# gpgsplit.exe gpgv.exe
# gpg_readme.txt iconv.dll
# libadns-1.dll libcurl-4.dll
# libgcrypt-20.dll libgnutls-26.dll
# libgpg-error-0.dll libiconv-2.dll
# libtasn1-3.dll zlib1.dll
# sks-keyservers.netCA.pem
# CAcert_class3.crt CAcert_root.crt
# [Doc]
# [gnupg.nls]
#
#
#
#
#
# These first three lines are not copied to the gpg.conf file in
# the user's home directory.
# $Id$
# Options for GnuPG
# Copyright 1998, 1999, 2000, 2001, 2002, 2003,
# 2010 Free Software Foundation, Inc.
#
# This file is free software; as a special exception the author gives
# unlimited permission to copy and/or distribute it, with or without
# modifications, as long as this notice is preserved.
#
# This file is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY, to the extent permitted by law; without even the
# implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
# Unless you specify which option file to use (with the command line
# option "--options filename"), GnuPG uses the file ~/.gnupg/gpg.conf
# by default.
#
# An options file can contain any long options which are available in
# GnuPG. If the first non white space character of a line is a '#',
# this line is ignored. Empty lines are also ignored.
#
# See the man page for a list of options.
homedir "J:\PortableApps\ThunderbirdPortable\Data\gpg\"
options "J:\PortableApps\ThunderbirdPortable\Data\gpg\gpg.conf"
no-default-keyring
secret-keyring "J:\PortableApps\ThunderbirdPortable\Data\gpg\secring.gpg"
trustdb-name "J:\PortableApps\ThunderbirdPortable\Data\gpg\trustdb.gpg"
primary-keyring "J:\PortableApps\ThunderbirdPortable\Data\gpg\pubring.gpg"
keyring "J:\PortableApps\ThunderbirdPortable\Data\gpg\pubring.gpg"
# The options below are passed to Enigmail via Thunderbird's Config-Editor.
# --homedir "J:\\PortableApps\\ThunderbirdPortable\\Data\\gpg" --options "J:\\PortableApps\\ThunderbirdPortable\\Data\\gpg\\gpg.conf" --verbose --verbose --require-secmem --no-default-keyring --secret-keyring "J:\\PortableApps\\ThunderbirdPortable\\Data\\gpg\\secring.gpg" --trustdb-name "J:\\PortableApps\\ThunderbirdPortable\\Data\\gpg\\trustdb.gpg" --primary-keyring "J:\\PortableApps\\ThunderbirdPortable\\Data\\gpg\\pubring.gpg" --keyring "J:\\PortableApps\\ThunderbirdPortable\\Data\\gpg\\pubring.gpg"
# A relative PATH can be specified, because ThunderbirdPortable uses this
# folder: ThunderbirdPortable\App\gpg\ as its CWD (current working directory):
# --homedir "..\\..\\Data\\gpg\\" --options "..\\..\\Data\\gpg\\gpg.conf" --verbose --verbose --require-secmem --no-default-keyring --secret-keyring "..\\..\\Data\\gpg\\secring.gpg" --trustdb-name "..\\..\\Data\\gpg\\trustdb.gpg" --primary-keyring "..\\..\\Data\\gpg\\pubring.gpg" --keyring "..\\..\\Data\\gpg\\pubring.gpg"
# If you use ThunderbirdPortable from USB-drive, then change all "J:\PortableApps\ThunderbirdPortable\"
# into this: "E:\ThunderbirdPortable\" if E: drive is your USB-drive.
# Uncomment the following option to get rid of the copyright notice
#no-greeting
# If you have more than 1 secret key in your keyring, you may want to
# uncomment the following option and set your preferred keyid.
#default-key 621CC013
# If you do not pass a recipient to gpg, it will ask for one. Using
# this option you can encrypt to a default key. Key validation will
# not be done in this case. The second form uses the default key as
# default recipient.
#default-recipient some-user-id
#default-recipient-self
# By default GnuPG creates version 4 signatures for data files as
# specified by OpenPGP. Some earlier (PGP 6, PGP 7) versions of PGP
# require the older version 3 signatures. Setting this option forces
# GnuPG to create version 3 signatures.
#force-v3-sigs
# Because some mailers change lines starting with "From " to ">From "
# it is good to handle such lines in a special way when creating
# cleartext signatures; all other PGP versions do it this way too.
# To enable full OpenPGP compliance you may want to use this option.
#no-escape-from-lines
# When verifying a signature made from a subkey, ensure that the cross
# certification "back signature" on the subkey is present and valid.
# This protects against a subtle attack against subkeys that can sign.
# Defaults to --no-require-cross-certification. However for new
# installations it should be enabled.
require-cross-certification
# If you do not use the Latin-1 (ISO-8859-1) charset, you should tell
# GnuPG which is the native character set. Please check the man page
# for supported character sets. This character set is only used for
# metadata and not for the actual message which does not undergo any
# translation. Note that future version of GnuPG will change to UTF-8
# as default character set.
#charset utf-8
display-charset utf-8
# Group names may be defined like this:
# group mynames = paige 0x12345678 joe patti
#
# Any time "mynames" is a recipient (-r or --recipient), it will be
# expanded to the names "paige", "joe", and "patti", and the key ID
# "0x12345678". Note there is only one level of expansion - you
# cannot make a group that points to another group. Note also that
# if there are spaces in the recipient name, this will appear as two
# recipients. In these cases it is better to use the key ID.
#group mynames = paige 0x12345678 joe patti
# Some old Windows platforms require 8.3 filenames. If your system
# can handle long filenames, uncomment this.
#no-mangle-dos-filenames
# Lock the file only once for the lifetime of a process. If you do
# not define this, the lock will be obtained and released every time
# it is needed - normally this is not needed.
#lock-once
# GnuPG can send and receive keys to and from a keyserver. These
# servers can be HKP, email, or LDAP (if GnuPG is built with LDAP
# support).
#
# Example HKP keyservers:
# hkp://keys.gnupg.net
#
# Example LDAP keyservers:
# ldap://pgp.surfnet.nl:11370
#
# Regular URL syntax applies, and you can set an alternate port
# through the usual method:
# hkp://keyserver.example.net:22742
#
# If you have problems connecting to a HKP server through a buggy http
# proxy, you can use keyserver option broken-http-proxy (see below),
# but first you should make sure that you have read the man page
# regarding proxies (keyserver option honor-http-proxy)
#
# Most users just set the name and type of their preferred keyserver.
# Note that most servers (with the notable exception of
# ldap://keyserver.pgp.com) synchronize changes with each other. Note
# also that a single server name may actually point to multiple
# servers via DNS round-robin. hkp://keys.gnupg.net is an example of
# such a "server", which spreads the load over a number of physical
# servers. To see the IP address of the server actually used, you may use
# the "--keyserver-options debug".
#keyserver hkp://keys.gnupg.net
#keyserver http://http-keys.gnupg.net
#keyserver mailto:[email protected]
## We want to see more info from keyserver, so:
#keyserver-options debug,verbose
# Always use a keyserver that supports HKPS (TLS-encrypted connection):
keyserver hkps://hkps.pool.sks-keyservers.net
#keyserver-options no-honor-keyserver-url,check-cert,ca-cert-file="J:\\PortableApps\\ThunderbirdPortable\\App\\gpg\\sks-keyservers.netCA.pem"
# testing relative-path
keyserver-options no-honor-keyserver-url,check-cert,ca-cert-file=".\\sks-keyservers.netCA.pem"
# The following is specified in Enigmail, via Thunderbird's Config-editor:
# hkps://hkps.pool.sks-keyservers.net no-honor-keyserver-url,verbose,check-cert,ca-cert-file="J:\\PortableApps\\ThunderbirdPortable\\App\\gpg\\sks-keyservers.netCA.pem"
# From TorProject.org & sks-keyservers.net site:
#keyserver hkps://hkps.pool.sks-keyservers.net
#keyserver-options ca-cert-file=/path/to/CA/sks-keyservers.netCA.pem
#keyserver-options ca-cert-file=C:\Users\<user-name>\AppData\Local\gnupg\sks-keyservers.netCA.pem
#keyserver hkps://hkps.pool.sks-keyservers.net check-cert,ca-cert-file="J:\PortableApps\GnuPG\sks-keyservers.netCA.pem"
#keyserver hkps://keys.indymedia.org verbose,check-cert,ca-cert-file="C:\Users\<user-name>\AppData\Local\gnupg\CAcert_root.crt"
## When creating a key, individuals may designate a specific keyserver to
## use to pull their keys from. The below option will disregard this
## designation and use the pool, which is useful because (1) it prevents
## someone from designating an insecure method for pulling their key and
## (2) if the server designated uses hkps, the refresh will fail because
## the ca-cert will not match, so the keys will never be refreshed.
## (from riseup https://we.riseup.net/riseuplabs+paow/openpgp-best-practices)
#keyserver-options no-honor-keyserver-url
# Common options for keyserver functions:
#
# include-disabled = when searching, include keys marked as "disabled"
# on the keyserver (not all keyservers support this).
#
# no-include-revoked = when searching, do not include keys marked as
# "revoked" on the keyserver.
#
# verbose = show more information as the keys are fetched.
# Can be used more than once to increase the amount
# of information shown.
#
# use-temp-files = use temporary files instead of a pipe to talk to the
# keyserver. Some platforms (Win32 for one) always
# have this on.
#
# keep-temp-files = do not delete temporary files after using them
# (really only useful for debugging)
#
# honor-http-proxy = if the keyserver uses HTTP, honor the http_proxy
# environment variable
#
# broken-http-proxy = try to work around a buggy HTTP proxy
#
# auto-key-retrieve = automatically fetch keys as needed from the keyserver
# when verifying signatures or when importing keys that
# have been revoked by a revocation key that is not
# present on the keyring.
#
# no-include-attributes = do not include attribute IDs (aka "photo IDs")
# when sending keys to the keyserver.
#keyserver-options auto-key-retrieve
# Uncomment this line to display photo user IDs in key listings and
# when a signature from a key with a photo is verified.
#show-photos
# Use this program to display photo user IDs
#
# %i is expanded to a temporary file that contains the photo.
# %I is the same as %i, but the file isn't deleted afterwards by GnuPG.
# %k is expanded to the key ID of the key.
# %K is expanded to the long OpenPGP key ID of the key.
# %t is expanded to the extension of the image (e.g. "jpg").
# %T is expanded to the MIME type of the image (e.g. "image/jpeg").
# %f is expanded to the fingerprint of the key.
# %% is %, of course.
#
# If %i or %I are not present, then the photo is supplied to the
# viewer on standard input. If your platform supports it, standard
# input is the best way to do this as it avoids the time and effort in
# generating and then cleaning up a secure temp file.
#
# The default program is "xloadimage -fork -quiet -title 'KeyID 0x%k' stdin"
# On Mac OS X and Windows, the default is to use your regular JPEG image
# viewer.
#
# Some other viewers:
# photo-viewer "qiv %i"
# photo-viewer "ee %i"
# photo-viewer "display -title 'KeyID 0x%k'"
#
# This one saves a copy of the photo ID in your home directory:
# photo-viewer "cat > ~/photoid-for-key-%k.%t"
#
# Use your MIME handler to view photos:
# photo-viewer "metamail -q -d -b -c %T -s 'KeyID 0x%k' -f GnuPG"
#personal-cipher-preferences AES256 TWOFISH AES192 AES
personal-cipher-preferences AES256 TWOFISH CAMELLIA256 AES192 CAMELLIA192 AES CAMELLIA128 BLOWFISH CAST5 3DES
## when multiple digests are supported by all recipients, choose the
## strongest one:
## (from Debian http://keyring.debian.org/creating-key.html)
#personal-digest-preferences SHA512
## By K_F at #gnupg @ irc.freenode.net
personal-digest-preferences SHA512 SHA384 SHA256
## when making an OpenPGP certification, use a stronger digest than the
## default SHA1:
## (from Debian http://keyring.debian.org/creating-key.html)
cert-digest-algo SHA512
## (from whom??)
personal-compress-preferences ZLIB BZIP2 ZIP
## preferences chosen for new keys should prioritize stronger algorithms:
## (from Debian http://keyring.debian.org/creating-key.html)
#default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
## (from whom??)
default-preference-list SHA512 SHA384 SHA256 SHA224 RIPEMD160 SHA1 AES256 TWOFISH CAMELLIA256 AES192 CAMELLIA192 AES CAMELLIA128 BLOWFISH CAST5 3DES BZIP2 ZIP ZLIB
## default-preference-list SHA512 SHA384 SHA256 SHA224 RIPEMD160 SHA1 MD5 AES256 TWOFISH CAMELLIA256 AES192 CAMELLIA192 AES CAMELLIA128 BLOWFISH CAST5 3DES BZIP2 ZIP ZLIB
# From http://www.postgresql.org/docs/9.2/static/pgcrypto.html
# When encrypting with a symmetric key (i.e., a password): The given
# password is hashed using a String2Key (S2K) algorithm. This is rather
# similar to crypt() algorithms — purposefully slow and with random salt
# — but it produces a full-length binary key.
## (from whom??)
s2k-cipher-algo AES256
s2k-digest-algo SHA512
## long keyids are more collision-resistant than short keyids (it's trivial
## to make a key with any desired short keyid)
## (from riseup https://we.riseup.net/riseuplabs+paow/openpgp-best-practices)
keyid-format 0xlong
## if you care about strong key identifiers, you always want to see the
## fingerprint: (info from riseup).
with-fingerprint
## You should always know at a glance which User IDs gpg thinks are
## legitimately bound to the keys in your keyring:
## (from riseup https://we.riseup.net/riseuplabs+paow/openpgp-best-practices)
verify-options show-uid-validity
list-options show-uid-validity
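An added example, not part of this gist: a small Python checker that parses a gpg.conf and reports which of the hardening choices made above are missing (an hkps:// keyserver with check-cert and a pinned ca-cert-file, require-cross-certification, a SHA-2 cert-digest-algo, no MD5 or SHA1 ranked ahead of SHA-2 in the preference lists, keyid-format 0xlong and with-fingerprint). The two embedded configurations are constructed: WEAK_CONF is a typical default-style file, HARDENED_CONF collects the corresponding settings from this file; function and constant names are mine, not GnuPG's.

```python
from urllib.parse import urlsplit

# Digests GnuPG may advertise in preference lists; MD5 and SHA1 are the weak ones.
WEAK_DIGESTS = {"MD5", "SHA1"}
STRONG_DIGESTS = {"SHA256", "SHA384", "SHA512"}


def parse_gpg_conf(text):
    """Return (option, value) pairs from gpg.conf text, skipping blanks and '#' comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        entries.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return entries


def _values(entries, option):
    return [v for k, v in entries if k == option]


def _digest_order_ok(pref_tokens):
    """True if no MD5/SHA1 is ranked ahead of every SHA-2 digest in a preference list."""
    upper = [t.upper() for t in pref_tokens]
    weak = [i for i, t in enumerate(upper) if t in WEAK_DIGESTS]
    strong = [i for i, t in enumerate(upper) if t in STRONG_DIGESTS]
    return not weak or (bool(strong) and min(strong) < min(weak))


def check_gpg_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    entries = parse_gpg_conf(text)
    opts = {k for k, _ in entries}
    findings = []

    # 1. Keyserver transport: only hkps:// gives an encrypted, authenticated channel.
    servers = _values(entries, "keyserver")
    schemes = [urlsplit(u.split()[0]).scheme.lower() for u in servers]
    if not servers:
        findings.append("no keyserver configured")
    for url, scheme in zip(servers, schemes):
        if scheme != "hkps":
            findings.append("keyserver %s does not use hkps://" % url)

    # 2. With hkps, check-cert plus a pinned ca-cert-file make the TLS check meaningful.
    ks_tokens = [t.strip() for v in _values(entries, "keyserver-options") for t in v.split(",")]
    if "hkps" in schemes:
        if "check-cert" not in ks_tokens:
            findings.append("keyserver-options lacks check-cert")
        if not any(t.startswith("ca-cert-file=") for t in ks_tokens):
            findings.append("keyserver-options lacks ca-cert-file=")

    # 3. Subkey back-signature check.
    if "require-cross-certification" not in opts:
        findings.append("require-cross-certification is not set")

    # 4. Certification digest should be SHA-2.
    for v in _values(entries, "cert-digest-algo"):
        if v.upper() not in STRONG_DIGESTS:
            findings.append("cert-digest-algo %s is not a SHA-2 digest" % v)

    # 5. Preference lists: MD5 anywhere, or SHA1 ranked ahead of SHA-2, is a finding.
    for option in ("personal-digest-preferences", "default-preference-list"):
        for v in _values(entries, option):
            tokens = v.split()
            if "MD5" in [t.upper() for t in tokens]:
                findings.append("%s advertises MD5" % option)
            if not _digest_order_ok(tokens):
                findings.append("%s ranks a weak digest ahead of SHA-2" % option)

    # 6. Key identifiers: long key IDs and fingerprints in listings.
    fmt = _values(entries, "keyid-format")
    if not fmt or fmt[-1].lower() not in ("long", "0xlong"):
        findings.append("keyid-format is not long/0xlong")
    if "with-fingerprint" not in opts:
        findings.append("with-fingerprint is not set")
    return findings


# Constructed sample: a default-style configuration with the weak choices.
WEAK_CONF = r"""
keyserver hkp://keys.gnupg.net
keyserver-options auto-key-retrieve
cert-digest-algo SHA1
personal-digest-preferences SHA1 SHA256
keyid-format short
"""

# Constructed sample: the corresponding settings from the gpg.conf in this gist.
HARDENED_CONF = r"""
keyserver hkps://hkps.pool.sks-keyservers.net
keyserver-options no-honor-keyserver-url,check-cert,ca-cert-file=".\\sks-keyservers.netCA.pem"
require-cross-certification
cert-digest-algo SHA512
personal-digest-preferences SHA512 SHA384 SHA256
default-preference-list SHA512 SHA384 SHA256 SHA224 RIPEMD160 SHA1 AES256 TWOFISH AES192 AES CAST5 3DES BZIP2 ZIP ZLIB
s2k-digest-algo SHA512
keyid-format 0xlong
with-fingerprint
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, check_gpg_conf(conf) or ["no findings"])
```

The checker reads only the option names and values GnuPG itself would read, so it can be pointed at the real file with `check_gpg_conf(open(path).read())`; it does not validate that the ca-cert-file path exists, which is a separate check worth running on a portable drive whose letter may change.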
## (From riseup https://we.riseup.net/riseuplabs+paow/openpgp-best-practices)
## Only use your primary key for certification (and possibly signing).
## Have a separate subkey for encryption. Have a separate subkey for
## signing, and keep your primary key entirely offline. In this scenario,
## your primary key is used only for certifications, which happen
## infrequently.
##
## Primary keys should be DSA-2 or RSA, 2048 bits or more. (RSA preferred).
## To check if you are using DSA-2 or RSA, you can do this:
## gpg --export-options export-minimal --export <fingerprint> | gpg --list-packets |grep -A2 '^:public key packet:$'|grep algo
## If the algo reported is 1, you are using RSA. If it is 17, then it is
## DSA and you will need to confirm that the size reported in the next
## check reports a bit-length key size as greater than 1024, otherwise
## you aren’t using DSA-2. If the algo reported is 19, you are using
## ECDSA, if it is 18 you are using ECC, and the key bit-length
## determination check below is not an appropriate criterion for these types
## of keys as the key sizes will drop significantly. To check the
## bit-length of the primary key you can do this:
## gpg --export-options export-minimal --export <fingerprint> | gpg --list-packets |grep -A2 'public key'|grep 'pkey\[0\]:'
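An added example (not from riseup or this gist) that applies the two checks just quoted offline: it parses the text that `gpg --list-packets` prints for an exported key, picks the ":public key packet:", and reports the algorithm ID and the pkey[0] bit length. The algorithm-ID table follows RFC 4880 (the text calls 18 "ECC"; GnuPG names it ECDH); the two sample outputs are constructed, not real keys, and the function names are mine.

```python
import re

# OpenPGP public-key algorithm IDs (RFC 4880); the text names 1, 17, 18 and 19.
PK_ALGOS = {1: "RSA", 17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}


def parse_primary_key(list_packets_output):
    """Return {'algo', 'name', 'bits'} for the first ':public key packet:' in
    gpg --list-packets output, or None if no such packet is present."""
    in_primary = False
    algo = bits = None
    for line in list_packets_output.splitlines():
        if line.startswith(":"):
            if in_primary:
                break  # next packet reached; the primary key is fully read
            in_primary = line.startswith(":public key packet:")
            continue
        if not in_primary:
            continue
        m = re.search(r"\balgo (\d+)", line)
        if m and algo is None:
            algo = int(m.group(1))
        m = re.search(r"pkey\[0\]: \[(\d+) bits\]", line)
        if m:
            bits = int(m.group(1))
    if algo is None:
        return None
    return {"algo": algo, "name": PK_ALGOS.get(algo, "unknown"), "bits": bits}


def assess_primary_key(info):
    """Apply the rule from the text: RSA or DSA-2 at 2048 bits or more; a DSA key of
    1024 bits or less is not DSA-2; the bit-length rule does not apply to ECC keys."""
    if info is None:
        return "no public key packet found"
    if info["name"] == "RSA":
        return "ok" if info["bits"] >= 2048 else "RSA key shorter than 2048 bits"
    if info["name"] == "DSA":
        if info["bits"] <= 1024:
            return "DSA key is not DSA-2 (1024 bits or less)"
        return "ok" if info["bits"] >= 2048 else "DSA-2 key shorter than 2048 bits"
    if info["name"] in ("ECDH", "ECDSA", "EdDSA"):
        return "ECC key: bit-length rule not applicable"
    return "unknown algorithm %d" % info["algo"]


# Constructed sample output for a 4096-bit RSA primary key (not a real key).
SAMPLE_RSA = """\
:public key packet:
\tversion 4, algo 1, created 1425582000, expires 0
\tpkey[0]: [4096 bits]
\tpkey[1]: [17 bits]
:user ID packet: "Example User <user@example.invalid>"
:signature packet: algo 1, keyid 0123456789ABCDEF
\tversion 4, created 1425582000, md5len 0, sigclass 0x13
\tdigest algo 10, begin of digest 12 34
"""

# Constructed sample output for an old 1024-bit DSA primary key (not DSA-2).
SAMPLE_DSA = """\
:public key packet:
\tversion 4, algo 17, created 1100000000, expires 0
\tpkey[0]: [1024 bits]
\tpkey[1]: [160 bits]
"""

if __name__ == "__main__":
    for sample in (SAMPLE_RSA, SAMPLE_DSA):
        info = parse_primary_key(sample)
        print(info, "->", assess_primary_key(info))
```

To run it against a real key, feed it the output of the pipeline quoted above, `gpg --export-options export-minimal --export <fingerprint> | gpg --list-packets`, captured to a file or via subprocess; the parser stops at the first packet after the primary key, so subkeys are not mistaken for it.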
## Do not start the gpg-agent or the dirmngr if it has not yet been started
## and its service is required. This option is mostly useful on machines
## where the connection to gpg-agent has been redirected to another machine.
## If dirmngr is required on the remote machine, it may be started manually
## using gpgconf --launch dirmngr.
##no-autostart
## This is a dummy option. gpg2 always requires the agent.
# GnuPG 1.4.x does not support/need the agent, so disable the agent:
no-use-agent