 1{config, ...}: {
 2  programs.gpg = {
 3    enable = true;
 4    homedir = "${config.home.homeDirectory}/.gnupg";
 5
 6    mutableTrust = false;
 7    mutableKeys = false;
 8    publicKeys = [
 9      {
10        source = ./public.asc;
11        trust = 5;
12      }
13    ];
14
15    # This configuration is based on the tutorial below, it allows for a robust setup
16    # https://blog.eleven-labs.com/en/openpgp-almost-perfect-key-pair-part-1
17    # ~/.gnupg/gpg.conf
18    settings = {
19      # Get rid of the copyright notice
20      no-greeting = true;
21
22      # --- Avoid information leaked --- #
23      # Disable inclusion of the version string in ASCII armored output
24      no-emit-version = true;
25      # Do not write comment packets
26      no-comments = false;
27      # Export the smallest key possible
28      # This removes all signatures except the most recent self-signature on each user ID
29      export-options = "export-minimal";
30
31      # Display long key IDs
32      keyid-format = "0xlong";
33      # List all keys (or the specified ones) along with their fingerprints
34      with-fingerprint = true;
35
36      # Display the calculated validity of user IDs during key listings
37      list-options = "show-uid-validity";
38      verify-options = "show-uid-validity show-keyserver-urls";
39
40      # Select the strongest cipher
41      personal-cipher-preferences = "AES256";
42      # Select the strongest digest
43      personal-digest-preferences = "SHA512";
44      # This preference list is used for new keys and becomes the default for "setpref" in the edit menu
45      default-preference-list = "SHA512 SHA384 SHA256 RIPEMD160 AES256 TWOFISH BLOWFISH ZLIB BZIP2 ZIP Uncompressed";
46
47      # Use the strongest cipher algorithm
48      cipher-algo = "AES256";
49      # Use the strongest digest algorithm
50      digest-algo = "SHA512";
51      # Message digest algorithm used when signing a key
52      cert-digest-algo = "SHA512";
53      # Use RFC-1950 ZLIB compression
54      compress-algo = "ZLIB";
55
56      # Disable weak algorithm
57      disable-cipher-algo = "3DES";
58      # Treat the specified digest algorithm as weak
59      weak-digest = "SHA1";
60
61      # The cipher algorithm for symmetric encryption for symmetric encryption with a passphrase
62      s2k-cipher-algo = "AES256";
63      # The digest algorithm used to mangle the passphrases for symmetric encryption
64      s2k-digest-algo = "SHA512";
65      # Selects how passphrases for symmetric encryption are mangled
66      s2k-mode = "3";
67      # Specify how many times the passphrases mangling for symmetric encryption is repeated
68      s2k-count = "65011712";
69    };
70  };
71}