Setting up GnuPG from scratch

The default setting of GnuPG are quite reasonable but often you will want to make changes to further improve the security and usability, one good reason to do this is to ensure your keys are in the newer pubring.kbx format rather than the pubring.gpg, it is still compatible but using the new format is recommended.

Firstly you want to export all your keys including secret keys, to do this run the following commands.

gpg --export --armor > pubkeys
gpg --export-secret-keys --armor > seckeys

Once this is done delete the contents of your GnuPG home folder, typically ~/.gnupg/ or GNUPGHOME, you may want to keep your trustdb.gpg and configuration files.

Ensure the private-keys-v1.d folder exists otherwise you will get an error when importing the secret keys, import all your keys in to the new keyring.

gpg --import pubkeys
gpg --import seckeys

If you did not keep your trustdb.gpg make sure you run the following:

gpg --update-trustdb

Recommended GnuPG Settings

GnuPG has a huge number of settings which you can adjust, but these are the most important ones  I recommend adding to your gpg.conf

- Expert mode gives you much more control, a must if you want to generate ECC keys

s2k-digest-algo SHA256
This sets the digest algorithm to SHA256 rather than the less secure SHA1

default-key (your key id)
- Sets the default key which is a good idea

- Asks for certification level when signing a key (recommended)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s