Comment by johnisgood
5 months ago
At https://github.com/drduh/YubiKey-Guide?tab=readme-ov-file#co..., these options are not the most secure ones.
# Algorithm preferences this user applies when signing/encrypting, most preferred first
personal-cipher-preferences CHACHA20 AES256 AES192
personal-digest-preferences BLAKE2B SHA512 SHA384 SHA256
personal-compress-preferences Uncompressed
personal-aead-preferences OCB EAX
# Preference list written into newly generated keys
default-preference-list BLAKE2B SHA512 SHA384 SHA256 CHACHA20 AES256 AES192 Uncompressed OCB EAX
# Digest for key certifications, and string-to-key (passphrase) protection parameters
cert-digest-algo BLAKE2B
s2k-digest-algo BLAKE2B
s2k-cipher-algo CHACHA20
s2k-count 65011712
# Output and display hygiene
charset utf-8
no-comments
no-emit-version
no-greeting
keyid-format 0xlong
list-options show-uid-validity
verify-options show-uid-validity
with-fingerprint
# Require back-signatures on signing subkeys; refuse to run without secure memory
require-cross-certification
require-secmem
# Do not cache symmetric passphrases; ASCII-armor output (use-agent is a no-op on GnuPG 2.x)
no-symkey-cache
armor
use-agent
# Hide recipient key IDs in encrypted messages
throw-keyids
# Reject legacy digests, ciphers and small RSA keys
weak-digest SHA1 RIPEMD160 MD5
disable-cipher-algo 3DES CAST5 IDEA BLOWFISH TWOFISH CAMELLIA128 CAMELLIA192 CAMELLIA256
disable-pubkey-algo RSA1024
trust-model tofu+pgp
# Keyserver settings
keyserver hkps://keys.openpgp.org
keyserver-options no-honor-keyserver-url
keyserver-options include-revoked
keyserver-options auto-key-retrieve
force-mdc
# Enforce the de-vs compliance mode (see the caveat below)
require-compliance
compliance de-vs
These are the most secure options (correct me if I am wrong). The only drawback you may encounter is that you need GnuPG 2.3+, and some compatibility tradeoffs.
On second thought, you may want to remove this line:
Because DE-VS only recognizes AES/3DES for ciphers and SHA-2 for digests, it conflicts with CHACHA20 and BLAKE2B and will reject operations using these algorithms.
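A small lint for the conflict described above, added here as an example and not part of the comment or of the YubiKey guide. The allowed algorithm sets are an assumption taken from the comment's description of de-vs (AES/3DES ciphers, SHA-2 digests) rather than from GnuPG's own compliance table, and the sample config is constructed from the lines quoted above.

```python
# Allowed sets follow the comment above (AES/3DES ciphers, SHA-2 digests); this is an
# assumption, not GnuPG's own compliance table, so adjust for your GnuPG version.
DEVS_CIPHERS = {"AES", "AES192", "AES256", "3DES"}
DEVS_DIGESTS = {"SHA224", "SHA256", "SHA384", "SHA512"}
# Other gpg algorithm names, so a mixed list can be sorted into families.
KNOWN_CIPHERS = DEVS_CIPHERS | {"CHACHA20", "CAST5", "IDEA", "BLOWFISH", "TWOFISH",
                                "CAMELLIA128", "CAMELLIA192", "CAMELLIA256"}
KNOWN_DIGESTS = DEVS_DIGESTS | {"BLAKE2B", "SHA1", "RIPEMD160", "MD5"}
NON_DEVS = (KNOWN_CIPHERS | KNOWN_DIGESTS) - DEVS_CIPHERS - DEVS_DIGESTS
CIPHER_OPTS = {"personal-cipher-preferences", "s2k-cipher-algo"}
DIGEST_OPTS = {"personal-digest-preferences", "cert-digest-algo", "s2k-digest-algo"}

def parse_gpg_conf(text):
    """Return (option, value) pairs; '#' comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            entries.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return entries

def devs_conflicts(text):
    """Return [(option, algorithm)] pairs that de-vs mode would reject. Empty when
    there is no 'compliance de-vs' line, since only then is the restricted set enforced."""
    entries = parse_gpg_conf(text)
    if ("compliance", "de-vs") not in entries:
        return []
    findings = []
    for opt, value in entries:
        names = value.upper().split()
        if opt in CIPHER_OPTS:
            bad = [n for n in names if n in KNOWN_CIPHERS - DEVS_CIPHERS]
        elif opt in DIGEST_OPTS:
            bad = [n for n in names if n in KNOWN_DIGESTS - DEVS_DIGESTS]
        elif opt == "default-preference-list":  # mixed cipher/digest/compress/AEAD list
            bad = [n for n in names if n in NON_DEVS]
        else:
            continue
        findings.extend((opt, n) for n in bad)
    return findings

# Constructed sample: the conflicting lines from the config quoted above.
SAMPLE = """personal-cipher-preferences CHACHA20 AES256 AES192
personal-digest-preferences BLAKE2B SHA512 SHA384 SHA256
default-preference-list BLAKE2B SHA512 SHA384 SHA256 CHACHA20 AES256 AES192 Uncompressed OCB EAX
s2k-cipher-algo CHACHA20
compliance de-vs
"""
```

Running `devs_conflicts(SAMPLE)` lists each CHACHA20 and BLAKE2B occurrence together with the option that carries it; drop the `compliance de-vs` line and it returns nothing, matching the caveat above.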