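# Declarative GnuPG setup for home-manager: managed keyring, ownertrust and
# ~/.gnupg/gpg.conf. The keyring and trust DB are regenerated from `publicKeys`
# on activation and are not editable in place (mutableKeys/mutableTrust = false),
# so key and trust changes must be made here rather than with `gpg --import` or
# `gpg --edit-key`.
{config, ...}: {
  programs.gpg = {
    enable = true;
    homedir = "${config.home.homeDirectory}/.gnupg";

    # Reject manual changes to the trust DB and keyring; both derive from this file.
    mutableTrust = false;
    mutableKeys = false;
    publicKeys = [
      {
        source = ./public.asc;
        # 5 = ultimate ownertrust. Only appropriate for a key the user controls;
        # any other key should get at most 4 (full).
        trust = 5;
      }
    ];

    # This configuration is based on the tutorial below, it allows for a robust setup
    # https://blog.eleven-labs.com/en/openpgp-almost-perfect-key-pair-part-1
    # ~/.gnupg/gpg.conf
    #
    # home-manager renders a boolean `true` as the bare option line and renders
    # `false` as nothing at all (the option stays at its GnuPG default). A `false`
    # therefore never disables anything; to leave an option off, omit it.
    settings = {
      # Get rid of the copyright notice
      no-greeting = true;

      # --- Avoid information leaked --- #
      # Disable inclusion of the version string in ASCII armored output
      no-emit-version = true;
      # Do not write comment packets.
      # Previously `false`, which emitted no option and left comment packets
      # enabled, contradicting the intent of this group.
      no-comments = true;
      # Export the smallest key possible
      # This removes all signatures except the most recent self-signature on each user ID
      export-options = "export-minimal";

      # Display long key IDs (short 32-bit IDs are trivially collidable)
      keyid-format = "0xlong";
      # List all keys (or the specified ones) along with their fingerprints
      with-fingerprint = true;

      # Display the calculated validity of user IDs during key listings
      list-options = "show-uid-validity";
      verify-options = "show-uid-validity show-keyserver-urls";

      # Select the strongest cipher
      personal-cipher-preferences = "AES256";
      # Select the strongest digest
      personal-digest-preferences = "SHA512";
      # This preference list is used for new keys and becomes the default for "setpref" in the edit menu
      default-preference-list = "SHA512 SHA384 SHA256 RIPEMD160 AES256 TWOFISH BLOWFISH ZLIB BZIP2 ZIP Uncompressed";

      # Use the strongest cipher algorithm
      cipher-algo = "AES256";
      # Use the strongest digest algorithm
      digest-algo = "SHA512";
      # Message digest algorithm used when signing a key
      cert-digest-algo = "SHA512";
      # Use RFC-1950 ZLIB compression
      compress-algo = "ZLIB";

      # Disable weak algorithm
      disable-cipher-algo = "3DES";
      # Treat the specified digest algorithm as weak
      weak-digest = "SHA1";

      # The cipher algorithm for symmetric encryption with a passphrase
      s2k-cipher-algo = "AES256";
      # The digest algorithm used to mangle the passphrases for symmetric encryption
      s2k-digest-algo = "SHA512";
      # Selects how passphrases for symmetric encryption are mangled (3 = iterated and salted)
      s2k-mode = "3";
      # Specify how many times the passphrases mangling for symmetric encryption is repeated
      # (65011712 is the largest value GnuPG accepts)
      s2k-count = "65011712";
    };
  };
}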