This document is an introduction to the primary GPG configuration file, gpg.conf. In GPG 1.4.x it is the only configuration file, but GPG 2.0.x usually includes a separate configuration file for GPG Agent (gpg-agent.conf).

This guide requires basic use of the command line and use of a text editor, such as Notepad (Windows), TextEdit (OS X), Nano (Linux, BSD, OS X), Vim (Linux, BSD, OS X) or Emacs (Linux, BSD, OS X). More advanced editors, like Vim and Emacs, will display different parts of the config file in different colours to make them easier to read.

To view or modify your gpg.conf file you first need to locate it. It is in the GPG home directory for your user account, usually ~/.gnupg/ on Linux and OS X, but elsewhere on Windows machines. Some customised configurations may have it elsewhere, such as on a USB stick. If you already know your GPG files are on the USB stick (with GPG4USB) you can skip this location step and open the GPG home directory.

To locate the home directory for GPG open up a terminal (shell or DOS prompt on Windows) and type:

    gpg --version

This will display output something like the following:

    gpg (GnuPG) 1.4.12
    Copyright (C) 2012 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    Home: ~/.gnupg
    Supported algorithms:
    Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
    Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256
    Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
    Compression: Uncompressed, ZIP, ZLIB, BZIP2

Above the list of algorithms you will see a line that begins with "Home:" which tells you where your GPG home directory is. Open the directory or folder specified.

The GPG home directory will contain a number of files. At minimum it will contain the following:

    gpg.conf = The GPG configuration file
    pubring.gpg = Your public keyring; it contains all the public keys you have
    random_seed = A file for introducing (pseudo) randomness to the encryption process
    secring.gpg = Your secret keyring; it contains all the private keys you have
    trustdb.gpg = The trust database for the keys you have

The first thing you should do is make a backup of your gpg.conf file. Name the backup something like gpg.conf.bak. That way if you make a mistake you can always copy from the backup and start again.

Once that is done, open the gpg.conf file in the text editor of your choice. You will see that most lines begin with the hash (#) symbol. This means they are comments and are not used by GPG as configuration. They provide instructions within the file and you should leave those explanations in place. I will not be including most of them in this guide.

The majority of the options that can be added to gpg.conf can also be used on the command line. It is also possible to override these settings on the command line if a particular case calls for it. Furthermore it is possible to have multiple gpg.conf files and use different ones with the gpg --options command.

Where a key needs to be specified in an example (code snippet) I will use the traditional "0xDEADBEEF" entry. You should replace this with the key ID for your key.

Now, on with the configuration options.

*****

Option 1: No greeting

By default this is commented out. You should uncomment it, otherwise you will see the GPG copyright notice every time GPG is invoked on the command line.

Default setting:

    # Uncomment the following option to get rid of the copyright notice
    #no-greeting

New setting:

    # Uncomment the following option to get rid of the copyright notice
    no-greeting

Option 2: Default key

The default key is used for signing messages and is the one you generally use. If it is not specified here then it needs to be specified on the command line. Most GUIs will keep their own record of the default key or will report what is set here.

Default setting:

    # If you have more than 1 secret key in your keyring, you may want to
    # uncomment the following option and set your preferred keyid.
    #default-key

You should uncomment this line and include the key ID for your preferred key. The key ID is the hexadecimal code you see next to your name in the key list (either GUI or command line). The key can be specified in short form (with or without the 0x at the beginning) or long form.

I use the long form, like this:

    # If you have more than 1 secret key in your keyring, you may want to
    # uncomment the following option and set your preferred keyid.
    default-key 0x7E8BE6B1DD7B4576

You should do something similar:

    # If you have more than 1 secret key in your keyring, you may want to
    # uncomment the following option and set your preferred keyid.
    default-key 0xDEADBEEF

Option 3: Encrypting to yourself

This is the option that tells GPG to include your key (the specified key) as a recipient every time you encrypt a message, so you never have to remember to include it when encrypting to someone. Particularly useful if, for example, you're high and a bit scattered. ;)

Below the default key there is a section for a default recipient. Ignore this, it does not do what you assume; leave it commented out. Instead skip further down to the encrypt-to section:

    # Use --encrypt-to to add the specified key as a recipient to all
    # messages. This is useful, for example, when sending mail through a
    # mail client that does not automatically encrypt mail to your key.
    # In the example, this option allows you to read your local copy of
    # encrypted mail that you've sent to others.
    #encrypt-to

The easy solution here is to uncomment this line and specify the same key as you did for the default key:

    encrypt-to 0xDEADBEEF

There is, however, another option that is not included in the gpg.conf file by default. This is the hidden-encrypt-to option, which will encrypt to the specified key but hide that key ID in the message. If an encrypted message is intercepted it can be examined and the key IDs it is encrypted to will be visible. If the hidden-encrypt-to option is used, an analysis of the message will show only that one of the recipient keys was anonymous.

    hidden-encrypt-to 0xDEADBEEF

Note: the hidden-encrypt-to option will only conceal your key ID; it will not conceal the key IDs of other recipients. To conceal other recipients' key IDs refer to my previous guide on this topic:
http://dkn255hz262ypmii.onion/index.php?topic=29235.0

Also, if a message is signed, that signature will reveal the sender's key. For this reason it may be preferable to clearsign the text of a message and then encrypt that signed message to preserve anonymity.

Option 4: Character set

By default GPG uses the standard Latin-1 (ISO-8859-1) character set. If you want to use extended characters, or are communicating with people in parts of the world where that is common (e.g. northern Europe or Asia), it is polite to be able to reproduce those characters correctly. In that case the charset option should be used.

Default setting:

    # If you do not use the Latin-1 (ISO-8859-1) charset, you should tell
    # GnuPG which is the native character set. Please check the man page
    # for supported character sets. This character set is only used for
    # metadata and not for the actual message which does not undergo any
    # translation. Note that future version of GnuPG will change to UTF-8
    # as default character set. In most cases this option is not required
    # as GnuPG is able to figure out the correct charset at runtime.
    #charset

I usually set this to Unicode (UTF-8):

    charset utf-8

Note: to get the full benefit of this you may need to set it in other environments as well (e.g. Firefox, Thunderbird, your text editor, etc.).

Option 5: Group names

Group names are used to specify or override key selection on the command line. Group lines can also be used by email GUIs if they match a relevant email address. Most people won't use these options unless they use the command line, but they are worth mentioning.

Multiple group lines can be included here for different keys or sets of keys. The comments in the file also include important information about how group names are handled, with examples:

    # Group names may be defined like this:
    # group mynames = paige 0x12345678 joe patti
    #
    # Any time "mynames" is a recipient (-r or --recipient), it will be
    # expanded to the names "paige", "joe", and "patti", and the key ID
    # "0x12345678". Note there is only one level of expansion - you
    # cannot make an group that points to another group. Note also that
    # if there are spaces in the recipient name, this will appear as two
    # recipients. In these cases it is better to use the key ID.
    #group mynames = paige 0x12345678 joe patti

For example, I have a group line for Pine because the PGP Club key does not contain any reference to the username Pine and because other keys refer to PGP Club in the comment field. So I added this line:

    group pine = 0x19B63B71E9094AF9

This enables me to just use the word "pine" when encrypting to Pine with the "-r" or "-R" flags.

Option 6: Keyservers

Most people won't use the keyservers and will want to leave this entire section commented out. There are two main reasons for this.

The first reason is that the keyservers are public: they can be accessed by anyone, and once a key is on there it cannot be removed. Most people on Silk Road want to fly under the radar, so they leave keys on vendor pages or the PGP keys thread. A small number use the keyservers, but invariably those keys give no indication (or little indication) that they relate to Silk Road.

The second reason is that by default GPG will not use Tor. It will connect to the Internet directly from your IP address.

If you are using the separate Vidalia bundle (with Privoxy) instead of or in addition to the Tor Browser Bundle, it can be safe to use keyservers with GPG with some configuration changes. If you do not or cannot do this then you should disable the keyservers.

The default keyserver configuration is this:

    keyserver hkp://keys.gnupg.net
    #keyserver mailto:pgp-public-keys@keys.nl.pgp.net
    #keyserver ldap://keyserver.pgp.com

If you want to disable keyserver access then change that section to this:

    #keyserver hkp://keys.gnupg.net
    #keyserver mailto:pgp-public-keys@keys.nl.pgp.net
    #keyserver ldap://keyserver.pgp.com

If you want to use keyservers safely, either leave that section as the default or add an alternate keyserver:

    #keyserver hkp://subkeys.pgp.net
    #keyserver mailto:pgp-public-keys@keys.nl.pgp.net
    #keyserver ldap://keyserver.pgp.com
    keyserver hkp://pool.sks-keyservers.net

To use the keyservers safely you need to tell GPG to use the Vidalia proxy server in the keyserver-options section. To do that add the following line:

    #keyserver-options auto-key-retrieve
    keyserver-options http-proxy="127.0.0.1:8118"

You will need to have the Vidalia bundle running for this to work. If you use the Tor Browser Bundle you can run the Vidalia bundle in addition and at the same time.

The remaining options included in the gpg.conf file can remain commented out, but you should skip to the end of the file to add some more options.

Option 7: Expert mode

This is not included by default, as it opens up options that take a lot of reading and research to understand. If you do include it, leave it commented out and uncomment it only when you need it:

    #expert

My instructions on creating large keys in expert mode are here:
http://dkn255hz262ypmii.onion/index.php?topic=28474.0

Option 8: Trust model

Trust is used by GPG to determine whether a key is safe to use, including whether to encrypt to a key. By default GPG will prevent you from encrypting to an untrusted key without a prompt asking you to confirm that you really want to.

Because we are outside of the Web of Trust and most people do not locally sign the keys they receive, using GPG on the command line will always trigger this prompt, while most GUIs override it by default.

Command line users will find this prompt becomes very irritating very quickly. To permanently override it, add the following option:

    trust-model always

Note: this will stop the trust database (trustdb.gpg) from updating. If you would like it to be updated you will need to periodically comment this line out and update the database. Once a month should be fine. If you don't know what this refers to then you're not using the trust database.

Option 9: DSA2 keys

Originally DSA only supported SHA-1 and not SHA-2. To provide SHA-2 support to DSA keys you should add this option:

    enable-dsa2

Option 10: Version concealment

If you do not want GPG to reveal the version number and the type of operating system you use (Windows, OS X, Linux, etc.) then add this option:

    no-emit-version

Option 11: Key ID display format

By default GPG will display and identify keys in the short form without the 0x at the beginning (e.g. DEADBEEF). This is the same as setting:

    keyid-format short

The alternatives are 0xshort (e.g. 0xDEADBEEF):

    keyid-format 0xshort

Long format (e.g. 12345678DEADBEEF):

    keyid-format long

0xlong format (e.g. 0x12345678DEADBEEF):

    keyid-format 0xlong

I use the 0xlong format, but most people prefer either the default short format or the 0xshort format.

Option 12: Preference lists

This is where you set the order in which you want GPG to select the algorithms for ciphers, hash digests and compression. There are four lines you should specify: default-preference-list, personal-cipher-preferences, personal-digest-preferences and personal-compress-preferences.

The default-preference-list should be the same as the personal-cipher-preferences, personal-digest-preferences and personal-compress-preferences combined, in that order.

If these preferences are set when a new key is created, the key will inherit them as its own. A key generated before these preferences were set may need to be updated if you want them to match.

There are two ways to specify a cipher, digest or compression algorithm: by its name (e.g. AES256) or by its GPG code (e.g. S9). To view the supported algorithms with the corresponding GPG codes, run the following command:

    gpg -v --version

On my system the result is:

    gpg (GnuPG) 1.4.12
    Copyright (C) 2012 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.
    Home: ~/.gnupg
    Supported algorithms:
    Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
    Cipher: IDEA (S1), 3DES (S2), CAST5 (S3), BLOWFISH (S4), AES (S7), AES192 (S8), AES256 (S9), TWOFISH (S10), CAMELLIA128 (S11), CAMELLIA192 (S12), CAMELLIA256 (S13)
    Hash: MD5 (H1), SHA1 (H2), RIPEMD160 (H3), SHA256 (H8), SHA384 (H9), SHA512 (H10), SHA224 (H11)
    Compression: Uncompressed (Z0), ZIP (Z1), ZLIB (Z2), BZIP2 (Z3)

My installation of GPG 1.4.12 has been customised and may include more ciphers than some installations. I also use the GPG codes to specify the algorithm preferences. It may not be the best option to just copy my settings, but if your copy of GPG includes all the same ciphers as mine then you are welcome to use them:

    default-preference-list S9 S10 S13 S8 S12 S7 S11 S2 S3 S4 H10 H9 H8 H11 H3 H2 H1 Z2 Z3 Z1 Z0
    personal-cipher-preferences S9 S10 S13 S8 S12 S7 S11 S2 S3 S4
    personal-digest-preferences H10 H9 H8 H11 H3 H2 H1
    personal-compress-preferences Z2 Z3 Z1 Z0

I've left IDEA out of that list because of prior patent restrictions (the patent has expired, but not many people use it anymore or have it installed). If you want to include it, just add it to the end of the ciphers:

    default-preference-list S9 S10 S13 S8 S12 S7 S11 S2 S3 S4 S1 H10 H9 H8 H11 H3 H2 H1 Z2 Z3 Z1 Z0
    personal-cipher-preferences S9 S10 S13 S8 S12 S7 S11 S2 S3 S4 S1
    personal-digest-preferences H10 H9 H8 H11 H3 H2 H1
    personal-compress-preferences Z2 Z3 Z1 Z0

If you want to select your own order it might be easier to use the algorithm names instead of the GPG codes. In general larger cipher strengths and hash sizes are better.

Option 13: Comments

It is possible to add a comment to ASCII-armoured GPG output, which appears under the version information if that is included. To include a comment use:

    comment some text here

In that example the result would be:

    Comment: some text here

I do not recommend using this option at all, but it is worth mentioning because some programs will add a self-promoting comment to the gpg.conf file. GPGTools for Mac is a prime example of this.

*****

There are many other options, but this is a solid configuration file based on those options available. Also, this guide has already reached 17Kb, so I need to wind it up here.

Hopefully you will find this useful.
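As an added worked example (my own code, not part of this guide or of GnuPG), the following POSIX shell script automates the procedure described above: it reads the home directory from gpg --version output, makes the one-time backup of gpg.conf before any change, activates an option by replacing an active line, uncommenting the first "#option" line or appending it (the edits made in Options 1, 2, 3, 8, 11 and 12), and translates algorithm names into the S/H/Z codes that gpg -v --version prints, so a preference list can be checked against what an installation actually supports (Option 12). The gpg -v --version text inside the script is constructed from the sample shown under Option 12, so the script runs without gpg installed; substitute the real output of gpg -v --version on your own system. The helper names (set_gpg_option, names_to_codes, check_pref_list and so on) are my own and not GnuPG's.

```shell
#!/bin/sh
# Added example, not code from the guide or from GnuPG. The `gpg -v --version`
# text below is CONSTRUCTED from the guide's sample so the script runs offline;
# replace it with "$(gpg -v --version)" to work against your own installation.
SAMPLE_VERSION_OUTPUT='gpg (GnuPG) 1.4.12
Home: ~/.gnupg
Supported algorithms:
Pubkey: RSA, RSA-E, RSA-S, ELG-E, DSA
Cipher: IDEA (S1), 3DES (S2), CAST5 (S3), BLOWFISH (S4), AES (S7), AES192 (S8), AES256 (S9), TWOFISH (S10), CAMELLIA128 (S11), CAMELLIA192 (S12), CAMELLIA256 (S13)
Hash: MD5 (H1), SHA1 (H2), RIPEMD160 (H3), SHA256 (H8), SHA384 (H9), SHA512 (H10), SHA224 (H11)
Compression: Uncompressed (Z0), ZIP (Z1), ZLIB (Z2), BZIP2 (Z3)'

# gpg_home VERSION_OUTPUT: the directory named on the "Home:" line.
gpg_home() { printf '%s\n' "$1" | sed -n 's/^Home: *//p'; }

# set_gpg_option FILE OPTION [VALUE]: keep a pristine FILE.bak (first call only),
# then make "OPTION VALUE" the active line: an active line is replaced, else the
# first commented "#OPTION" line is uncommented in place, else it is appended.
# Prose comments survive because only a line's first word is compared.
set_gpg_option() {
    file=$1; opt=$2; val=${3:-}
    [ -e "$file.bak" ] || cp "$file" "$file.bak"
    awk -v opt="$opt" -v val="$val" '
        function name(s) { sub(/^[# \t]*/, "", s); split(s, w, /[ \t]+/); return w[1] }
        BEGIN { active = 0; commented = 0 }
        {
            buf[NR] = $0
            if (name($0) == opt) {
                if ($0 !~ /^[ \t]*#/) active = NR
                else if (!commented) commented = NR
            }
        }
        END {
            line = (val == "" ? opt : opt " " val)
            target = active ? active : commented
            for (i = 1; i <= NR; i++) print (i == target ? line : buf[i])
            if (!target) print line
        }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# option_active FILE OPTION: true if an uncommented OPTION line exists.
option_active() { awk -v opt="$2" '$1 == opt { f = 1 } END { exit !f }' "$1"; }

# active_value FILE OPTION: the value on the last uncommented OPTION line.
active_value() {
    awk -v opt="$2" '$1 == opt { $1 = ""; sub(/^ +/, ""); v = $0 } END { print v }' "$1"
}

# algo_code VERSION_OUTPUT NAME: the code GPG prints after NAME (AES256 -> S9).
algo_code() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n "s/^.*[: ]$2 (\([SHZ][0-9]*\)).*$/\1/p"
}

# names_to_codes VERSION_OUTPUT NAME...: the codes, space separated; fails on
# an algorithm this installation does not list.
names_to_codes() {
    out=$1; shift; codes=""
    for n in "$@"; do
        c=$(algo_code "$out" "$n")
        [ -n "$c" ] || { printf 'not supported here: %s\n' "$n" >&2; return 1; }
        codes="$codes${codes:+ }$c"
    done
    printf '%s\n' "$codes"
}

# check_pref_list VERSION_OUTPUT CODE...: fail, naming the offenders, if the
# list uses a code this installation does not report.
check_pref_list() {
    out=$1; shift; missing=""
    supported=" $(printf '%s\n' "$out" | tr ',' '\n' | sed -n 's/.*(\([SHZ][0-9]*\)).*/\1/p' | tr '\n' ' ')"
    for code in "$@"; do
        case "$supported" in *" $code "*) ;; *) missing="$missing $code" ;; esac
    done
    [ -z "$missing" ] || { printf 'unsupported codes:%s\n' "$missing"; return 1; }
}

# Demo on a CONSTRUCTED gpg.conf in a scratch directory.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '# Uncomment the following option to get rid of the copyright notice' \
        '#no-greeting' '#default-key' '#encrypt-to' 'keyserver hkp://keys.gnupg.net' > "$dir/gpg.conf"
    set_gpg_option "$dir/gpg.conf" no-greeting
    set_gpg_option "$dir/gpg.conf" default-key 0xDEADBEEF
    set_gpg_option "$dir/gpg.conf" encrypt-to 0xDEADBEEF
    set_gpg_option "$dir/gpg.conf" keyid-format 0xlong
    # The guide's preference order, written with names and converted to codes.
    ciphers=$(names_to_codes "$SAMPLE_VERSION_OUTPUT" AES256 TWOFISH CAMELLIA256 AES192 CAMELLIA192 AES CAMELLIA128 3DES CAST5 BLOWFISH)
    digests=$(names_to_codes "$SAMPLE_VERSION_OUTPUT" SHA512 SHA384 SHA256 SHA224 RIPEMD160 SHA1 MD5)
    compress=$(names_to_codes "$SAMPLE_VERSION_OUTPUT" ZLIB BZIP2 ZIP Uncompressed)
    set_gpg_option "$dir/gpg.conf" personal-cipher-preferences "$ciphers"
    set_gpg_option "$dir/gpg.conf" personal-digest-preferences "$digests"
    set_gpg_option "$dir/gpg.conf" personal-compress-preferences "$compress"
    set_gpg_option "$dir/gpg.conf" default-preference-list "$ciphers $digests $compress"
    check_pref_list "$SAMPLE_VERSION_OUTPUT" $ciphers $digests $compress && echo "preference list OK"
    echo "--- $dir/gpg.conf (pristine copy in gpg.conf.bak) ---"; cat "$dir/gpg.conf"
    rm -rf "$dir"
}
demo
```

Running the script prints the resulting gpg.conf. Because set_gpg_option compares only the first word of each line, the explanatory comments the guide says to leave in place are never touched, and the backup is taken once, before the first change, so gpg.conf.bak is always the original file and not the state after the previous edit. The name-to-code conversion is the easy way to write your own order by algorithm name while still ending up with the codes the guide uses, and check_pref_list catches a list copied from someone else's customised build that names a cipher your copy of GPG does not have.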