gpg.conf current best practices (April 2015)

While I am by no means a security expert the following are the current best practices for configuring your gpg.conf file as best as I can determine.

Key usage options

default-key <your primary key>

Use as the default key to sign with. If this option is not used, the default key is the first key found in the secret keyring.

hidden-encrypt-to <your primary key>

Same as –hidden-recipient but this one is intended for use in the options file and may be used with your own user-id as a hidden “encrypt-to-self”. These keys are only used when there are other recipients given either by use of –recipient or by the asked user id. No trust checking is performed for these user ids and even disabled keys can be used.

Behaviour options


Do not include comment line


Force exclusion of the version string in ASCII armored output.

keyid-format 0xlong

Select how to display key IDs. “short” is the traditional 8-character key ID. “long” is the more accurate (but less convenient) 16-character key ID. Add an “0x” to either to include an “0x” at the beginning of the key ID, as in 0x12345678.


List all keys (or the specified ones) along with their fingerprints.

verify-options show-uid-validity
list-options show-uid-validity

Display the calculated validity of user IDs during key listings.


Try to use the GnuPG-Agent. With this option, GnuPG first tries to connect to the agent before it asks for a passphrase.

You may also want to configure a keyserver as well as some auto-key-locate options.

Algorithm and ciphers options

cert-digest-algo SHA512

Use SHA512 as the message digest algorithm used when signing a key. Be aware that if you choose an algorithm that GnuPG supports but other OpenPGP implementations do not, then some users will not be able to use the key signatures you make, or quite possibly your entire key.

default-preference-list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

Set the list of default preferences. This preference list is used for new keys and becomes the default for “setpref” in the edit menu.

personal-cipher-preferences AES256 AES192 AES CAST5

Set the list of personal cipher preferences.

personal-digest-preferences SHA512 SHA256 SHA384 SHA224

Set the list of personal digest preferences.