On 08/27/2013 01:29 AM, Avi wrote:
> With the recent release of GPG4Win, I decided to try it once again.
> One of the things I like about the shell I use is the ability to use
> the GUI to start more advanced operations like editing keys (for
> cleaning/disabling, etc) and setting prefs for individual keys. The
> bundled GPA does not allow any of those options. Is that intentional
> to prevent people from monkeying around (they have to know the command
> line options to mess around)?
>
> Also, where are the configuration options controlling the preferred
> cipher used when creating keys, the bzip level, etc. adjusted? I'm
> seeing that GPA does provide a front-end to gpgconf (at least on
> expert mode) but I cannot find those values, whereas in GPG 1.x I
> could simply have a gpg.conf file with entries like:
>
> s2k-digest-algo SHA512
> s2k-cipher-algo AES
> cert-digest-algo SHA512
> verbose
> compress-level 9
> bzip2-compress-level 9

I cannot help via the method that you are using but from the command
line (yeah, I know, cmd.exe sucks):

http://www.securemecca.com/public/GnuPG/GnuPG_Prefs.txt

    c:\> gpg --edit-key YOUR-KEY
    Command> setpref H10 S7 Z3
    Command> save

(note - you invariably have a pub/sec & sub/ssb key pair which means
you need to change both if you don't like the defaults)

You very rarely change the preferences and the desired way is to make
it a property of the key itself since what you are really doing is
telling others what your preferences are. Others can NOT see your
gpg.conf file. I believe you want to make some of these attributes of
the keys themselves. By that I mean if you want others to use
CAMELLIA256 in sending you a PK enciphered message then you need to
tell them up front in the key properties and put it first if you want
it to be your s2k-cipher-algo first choice. You do that by changing
the attributes of the keys themselves. If the key does not have that
information the sending party will probably use the default cipher
which at one time was CAST5 since your public key did not tell them
what to use.

Your pub/sec and sub/ssb keys if you have a key pair both have
separate settings. You can also have other sub-keys. But since I only
have a pair I edit both the 2048R/C83946F0 and the 2048R/BDED6C8D and
give them the same preference. That is more habit than anything else
and you can configure each key with a different set of preferences if
that is what you want. Just be sure you use the correct key for the
setting you are using. Also remember that these settings are the
advice you are giving others in how you want things. If you want
CAMELLIA128 instead of AES make it first. If you don't set it you
will get the default which at one time was CAST5.

*** ALL BUT AVI CAN STOP READING HERE ***

SHA512 is fairly large. I used it for a while and dropped back to
SHA256. It is just something for you to think about.
I found that while SHA512 posed no burden for me it very likely will
cause problems for others. Remember that GnuPG encryption is
available for iPhone and iPhones don't have a really powerful CPU.

I assume you are using the PowerShell. I don't think GPG4Win's
developers want your pass-phrase being captured by the PowerShell's
GUI. The reason I gave my primitive srm program to only Linux people
(I tell Windows people to purchase a good wipe program that has been
around a long time so it doesn't disappear completely on you):

http://www.securemecca.com/public/srm/

was because for test after test when I over-wrote the file on Windows
I would find that most of it was not over-written at all. It didn't
matter whether I used Microsoft's tools or the little free build
system (it is no longer free). Huge sections of the file just didn't
get over-written at all. NOW I understand the US DOD's multiple
over-write requirements. By contrast my srm 'nix version over-writes
everything in just one pass but only on 'nix systems. I had the same
program on Windows and finally just threw it away and used a Windows
wiper program.

But Microsoft has this nasty habit of keeping EVERYTHING. That was
when I finally did a dd of several megabytes clear back with W2K onto
the start of the drive. It prevented Microsoft from SAVING that C:\
partition and building a D:\ system partition. Now that dd wipes out
low level start of disk root-kits when cleaning is no longer
possible. Do NOT confuse that to mean the dd erases all disk
contents. It just wipes out any vestige of malware down in the bowels
of the disk and makes an OS install mandatory.

Windows keeps your last commands / programs started et al in the
registry and in general seems to have two to three backups of
EVERYTHING stashed away.
Just like me setting BASH to have zero history when using gpg / gpg2
on Linux you don't want ANYTHING keeping your key's pass-phrase
ANYWHERE outside the key itself other than gpg / gpg2 or the other
gpg programs or libraries (dll files). Note the difference in my
crypt (symmetric cipher) and pcrypt (PK enciphering) scripts:

http://www.securemecca.com/public/GnuPG/crypt.txt
http://www.securemecca.com/public/GnuPG/pcrypt.txt

I allow for the shell possibility of reading a symmetric cipher
password to be used for all enciphered files (code commented out).
Just make sure you do NOT use the password "BOGUS" or even "bogus".
Either that or change the last value of the environment variable
PASSPHRASE to something you will never use. I used PASSPHRASE instead
of PASSWORD because many programs will use the PASSWORD environment
variable. I provide NO capability for the bash shell to get the
pass-phrase for the key in pcrypt even with zero history. The same
thing holds for Windows. You don't want PowerShell on Windows having
your key's pass-phrase any more than you want bash having it.

HHH

PS I made my comment on the CAMELLIA ciphers AFTER doing some
symmetric ciphers with the crypt script. They worked just fine so why
not use the CAMELLIA ciphers if you want to? Which is best, CAMELLIA
or AES? I don't know and my first choice is TWOFISH. Any of them are
better than nothing.
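
The `H10 S7 Z3` preference string in the message above is a list of OpenPGP algorithm numbers (S = cipher, H = digest, Z = compression). The Python below is an added example, not part of the original message and not GnuPG code: it decodes such a string and models, in simplified form, how a sender honours the preferences stored on a recipient's key. `parse_prefs`, `choose_cipher` and the `fallback` parameter are hypothetical names, and only the numeric token form is handled.

```python
# Added example: decode GnuPG preference tokens such as "H10 S7 Z3".
# IDs are the OpenPGP registry values (RFC 4880 section 9, RFC 5581);
# names are spelled the way `gpg --version` lists them.
SYMMETRIC = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "BLOWFISH", 7: "AES",
             8: "AES192", 9: "AES256", 10: "TWOFISH", 11: "CAMELLIA128",
             12: "CAMELLIA192", 13: "CAMELLIA256"}
HASH = {1: "MD5", 2: "SHA1", 3: "RIPEMD160", 8: "SHA256", 9: "SHA384",
        10: "SHA512", 11: "SHA224"}
COMPRESS = {0: "Uncompressed", 1: "ZIP", 2: "ZLIB", 3: "BZIP2"}
TABLES = {"S": ("cipher", SYMMETRIC), "H": ("digest", HASH),
          "Z": ("compress", COMPRESS)}


def parse_prefs(pref_string):
    """Return the listed algorithms per category, most preferred first."""
    prefs = {"cipher": [], "digest": [], "compress": []}
    for token in pref_string.split():
        kind, number = token[0].upper(), token[1:]
        if kind not in TABLES or not number.isdigit():
            raise ValueError(f"not a preference token: {token!r}")
        field, table = TABLES[kind]
        if int(number) not in table:
            raise ValueError(f"unknown algorithm id in {token!r}")
        name = table[int(number)]
        if name not in prefs[field]:      # a repeated token adds nothing
            prefs[field].append(name)
    return prefs


def choose_cipher(recipient_prefs, sender_supports, fallback):
    """Simplified sender-side model: walk the first recipient's order and
    take the first cipher the sender supports and every recipient lists.
    `fallback` stands in for the implementation default that applies when
    the keys carry no usable cipher preference (hypothetical parameter)."""
    if not recipient_prefs:
        return fallback
    others = recipient_prefs[1:]
    for name in recipient_prefs[0]["cipher"]:
        if name in sender_supports and all(name in p["cipher"] for p in others):
            return name
    return fallback
```

With `parse_prefs("S13 S9 S7 H8 Z2")` on the recipient's key, a sender that supports CAMELLIA256 picks it; a key whose preferences list no cipher at all yields whatever `fallback` the sender's software uses.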