main
1{
2 den.aspects.desktop.gnupg = {
3 persistHome = {config, ...}: {
4 directories = [
5 {
6 directory = config.programs.gpg.homedir;
7 mode = "0700";
8 }
9 ];
10 };
11
12 nixos = {pkgs, ...}: {
13 programs.gnupg.agent = {
14 enable = true;
15 pinentryPackage = pkgs.pinentry-gnome3;
16 enableSSHSupport = false;
17 settings.default-cache-ttl = 4 * 60 * 60; # 4 hours
18 };
19 };
20
21 homeManager = {
22 user,
23 config,
24 ...
25 }: {
26 programs.gpg = {
27 enable = true;
28 homedir = "${config.home.homeDirectory}/.gnupg";
29
30 mutableTrust = false;
31 mutableKeys = false;
32
33 publicKeys = map (key:
34 {
35 trust = "ultimate";
36 }
37 // (
38 if (builtins.isPath key)
39 then {
40 source = key;
41 }
42 else {
43 text = key;
44 }
45 ))
46 user.identity.gpgKeys;
47
48 # This configuration is based on the tutorial below, it allows for a robust setup
49 # https://blog.eleven-labs.com/en/openpgp-almost-perfect-key-pair-part-1
50 # ~/.gnupg/gpg.conf
51 settings = {
52 # Get rid of the copyright notice
53 no-greeting = true;
54
55 # --- Avoid information leaked --- #
56 # Disable inclusion of the version string in ASCII armored output
57 no-emit-version = true;
58 # Do not write comment packets
59 no-comments = false;
60 # Export the smallest key possible
61 # This removes all signatures except the most recent self-signature on each user ID
62 export-options = "export-minimal";
63
64 # Display long key IDs
65 keyid-format = "0xlong";
66 # List all keys (or the specified ones) along with their fingerprints
67 with-fingerprint = true;
68
69 # Display the calculated validity of user IDs during key listings
70 list-options = "show-uid-validity";
71 verify-options = "show-uid-validity show-keyserver-urls";
72
73 # Select the strongest cipher
74 personal-cipher-preferences = "AES256";
75 # Select the strongest digest
76 personal-digest-preferences = "SHA512";
77 # This preference list is used for new keys and becomes the default for "setpref" in the edit menu
78 default-preference-list = "SHA512 SHA384 SHA256 RIPEMD160 AES256 TWOFISH BLOWFISH ZLIB BZIP2 ZIP Uncompressed";
79
80 # Use the strongest cipher algorithm
81 cipher-algo = "AES256";
82 # Use the strongest digest algorithm
83 digest-algo = "SHA512";
84 # Message digest algorithm used when signing a key
85 cert-digest-algo = "SHA512";
86 # Use RFC-1950 ZLIB compression
87 compress-algo = "ZLIB";
88
89 # Disable weak algorithm
90 disable-cipher-algo = "3DES";
91 # Treat the specified digest algorithm as weak
92 weak-digest = "SHA1";
93
94 # The cipher algorithm for symmetric encryption for symmetric encryption with a passphrase
95 s2k-cipher-algo = "AES256";
96 # The digest algorithm used to mangle the passphrases for symmetric encryption
97 s2k-digest-algo = "SHA512";
98 # Selects how passphrases for symmetric encryption are mangled
99 s2k-mode = "3";
100 # Specify how many times the passphrases mangling for symmetric encryption is repeated
101 s2k-count = "65011712";
102 };
103 };
104 };
105 };
106}