main
  1{
  2  den.aspects.desktop.gnupg = {
  3    persistHome = {config, ...}: {
  4      directories = [
  5        {
  6          directory = config.programs.gpg.homedir;
  7          mode = "0700";
  8        }
  9      ];
 10    };
 11
 12    nixos = {pkgs, ...}: {
 13      programs.gnupg.agent = {
 14        enable = true;
 15        pinentryPackage = pkgs.pinentry-gnome3;
 16        enableSSHSupport = false;
 17        settings.default-cache-ttl = 4 * 60 * 60; # 4 hours
 18      };
 19    };
 20
 21    homeManager = {
 22      user,
 23      config,
 24      ...
 25    }: {
 26      programs.gpg = {
 27        enable = true;
 28        homedir = "${config.home.homeDirectory}/.gnupg";
 29
 30        mutableTrust = false;
 31        mutableKeys = false;
 32
 33        publicKeys = map (key:
 34          {
 35            trust = "ultimate";
 36          }
 37          // (
 38            if (builtins.isPath key)
 39            then {
 40              source = key;
 41            }
 42            else {
 43              text = key;
 44            }
 45          ))
 46        user.identity.gpgKeys;
 47
 48        # This configuration is based on the tutorial below, it allows for a robust setup
 49        # https://blog.eleven-labs.com/en/openpgp-almost-perfect-key-pair-part-1
 50        # ~/.gnupg/gpg.conf
 51        settings = {
 52          # Get rid of the copyright notice
 53          no-greeting = true;
 54
 55          # --- Avoid information leaked --- #
 56          # Disable inclusion of the version string in ASCII armored output
 57          no-emit-version = true;
 58          # Do not write comment packets
 59          no-comments = false;
 60          # Export the smallest key possible
 61          # This removes all signatures except the most recent self-signature on each user ID
 62          export-options = "export-minimal";
 63
 64          # Display long key IDs
 65          keyid-format = "0xlong";
 66          # List all keys (or the specified ones) along with their fingerprints
 67          with-fingerprint = true;
 68
 69          # Display the calculated validity of user IDs during key listings
 70          list-options = "show-uid-validity";
 71          verify-options = "show-uid-validity show-keyserver-urls";
 72
 73          # Select the strongest cipher
 74          personal-cipher-preferences = "AES256";
 75          # Select the strongest digest
 76          personal-digest-preferences = "SHA512";
 77          # This preference list is used for new keys and becomes the default for "setpref" in the edit menu
 78          default-preference-list = "SHA512 SHA384 SHA256 RIPEMD160 AES256 TWOFISH BLOWFISH ZLIB BZIP2 ZIP Uncompressed";
 79
 80          # Use the strongest cipher algorithm
 81          cipher-algo = "AES256";
 82          # Use the strongest digest algorithm
 83          digest-algo = "SHA512";
 84          # Message digest algorithm used when signing a key
 85          cert-digest-algo = "SHA512";
 86          # Use RFC-1950 ZLIB compression
 87          compress-algo = "ZLIB";
 88
 89          # Disable weak algorithm
 90          disable-cipher-algo = "3DES";
 91          # Treat the specified digest algorithm as weak
 92          weak-digest = "SHA1";
 93
 94          # The cipher algorithm for symmetric encryption for symmetric encryption with a passphrase
 95          s2k-cipher-algo = "AES256";
 96          # The digest algorithm used to mangle the passphrases for symmetric encryption
 97          s2k-digest-algo = "SHA512";
 98          # Selects how passphrases for symmetric encryption are mangled
 99          s2k-mode = "3";
100          # Specify how many times the passphrases mangling for symmetric encryption is repeated
101          s2k-count = "65011712";
102        };
103      };
104    };
105  };
106}