Designed Cybersecurity
Tutorials

Harden Your GnuPG Configuration

Michael Berg
Posted . Last modified .

Make your GnuPG configuration more secure with these hardened settings.

You may want to review the typographical conventions used on this site.

Threat Model

Adversaries that can monitor unencrypted network communication with the keyservers can build a social network based on the keys that clients request from the keyservers. The specific set of keys that each client refreshes can also be used to fingerprint and track individual clients.

Malicious keyservers can record the IP addresses from which clients connect and the keys that clients request in order to fingerprint and track users.

Unnecessarily leaking information about the specific versions of software that you have installed makes it easier for an attacker to target specific software vulnerabilities or de-anonymize users.

Install the Required Linux Software

Install the required GnuPG packages if you haven’t already.

apt-get install pinentry-curses pinentry-gtk2 pinentry-qt
apt-get install gnupg gpg gpg-agent dirmngr

Optionally, install Tor to anonymize your keyserver interactions.

apt-get install tor

Configure gpg

~/.gnupg/gpg.conf

# Use UTF-8 character encoding everywhere.
display-charset utf-8
utf8-strings

# Use GnuPG Agent (gpg-agent) for secret key management.
use-agent

# Don't leak comments or software version information.
no-comments
no-emit-version

# Display full fingerprints.
keyid-format long
with-fingerprint

# Default key to use since more than one private key is in the keyring.
# Get public key ID with: gpg --list-secret-keys
default-key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
default-recipient-self

# When verifying a signature made from a subkey, require that the
# cross-certification "back signature" on the subkey is present and valid.
require-cross-certification

# Prefer the strongest ciphers and digests in the OpenPGP specification.
# To list available algorithms: gpg --version
personal-cipher-preferences AES256 AES192 AES
personal-digest-preferences SHA512 SHA384 SHA256 SHA224
personal-compress-preferences BZIP2 ZLIB ZIP Uncompressed

# Use the strongest digest when signing a key.
cert-digest-algo SHA512

default-preference-list AES256 AES192 AES SHA512 SHA384 SHA256 SHA224 BZIP2 ZLIB ZIP Uncompressed

Configure gpg-agent

~/.gnupg/gpg-agent.conf

# Enable OpenSSH Agent (ssh-agent) protocol support.
enable-ssh-support

# Set number of seconds for which cache entries are valid.
default-cache-ttl       300  #  5 minutes.
default-cache-ttl-ssh   300  #  5 minutes.
max-cache-ttl           900  # 15 minutes.
max-cache-ttl-ssh       900  # 15 minutes.

Add the following to your ~/.profile so that ssh will use gpg-agent instead of ssh-agent.

if [ -z "$SSH_AUTH_SOCK" ]; then
    export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
fi

Add the following to your ~/.bashrc so that a required environment variable will be set per-shell.

export GPG_TTY="$(tty)"

Configure dirmngr

All communication between dirmngr and the OpenPGP keyservers should be encrypted and optionally anonymized via the Tor network.

If you want to interact with the keyservers directly over TLS, use the following configuration.

~/.gnupg/dirmngr.conf

keyserver hkps://keys.openpgp.org

If you want to interact with the keyservers via the Tor hidden service, use the following configuration. However, you will need to have Tor installed and running for this configuration to work.

~/.gnupg/dirmngr.conf

use-tor
keyserver hkp://zkaan2xfbuxia2wpf7ofnkbz6r5zdbbvxbunvp5g2iebopbfc4iqmbad.onion

Systemd

If your system uses systemd user sessions, users may need to enable the gpg-agent sockets via systemd. Some systems auto-enable these user sockets, while others don’t.

systemctl --user enable gpg-agent.socket
systemctl --user enable gpg-agent-ssh.socket

I use the following systemd user-configuration files to automatically refresh my keys from the keyservers several times each week.

~/.config/systemd/user/gpg-refresh-keys.service

[Unit]
Description=GnuPG Refresh Keys
After=network.target network-online.target

[Service]
Type=oneshot
ExecStart=/usr/bin/gpg --refresh-keys

~/.config/systemd/user/gpg-refresh-keys.timer

[Unit]
Description=GnuPG Refresh Keys

[Timer]
OnCalendar=Mon,Wed,Fri *-*-* 04:00:00
RandomizedDelaySec=1h
Persistent=true

[Install]
WantedBy=timers.target

systemctl --user daemon-reload
systemctl --user enable gpg-refresh-keys.timer

OpenPGP Cards

To protect your OpenPGP keys against surreptitious theft, store your OpenPGP keys on a YubiKey or other OpenPGP Card. Your private keys will then be inside of a tamper-resistant hardware token, instead of in easily-copied files on your hard drive.

Tags: encryption, GnuPG, OpenPGP, PGP, privacy, security