The OpenPGP key contains a list of personal algorithm preferences (the meaning of the numbers can be decoded in RFC 4880):

# gpg -a --export "foo@example.com" | gpg --list-packets | fgrep 'pref-'
hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
hashed subpkt 21 len 5 (pref-hash-algos: 8 2 9 10 11)
hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)

How can I change the preferences of an existing key?

For instance, let's say I want to change pref-hash-algos to: SHA512 SHA256 SHA384 (10, 8, 9).

Martin Vegter

1 Answer

OpenPGP Algorithm Defaults

These are the algorithms you prefer others to use when they send encrypted messages to you. To print and change those settings, use gpg --edit-key [key-id]. You can list the settings in a more readable way without looking up the algorithm IDs in RFC 4880 using showpref, and set them afterwards using setpref.

Changing Defaults

setpref cannot change only some preferred algorithms (like only digest algorithms); you have to list all three categories at the same time. If you omit some, it will fall back to the most universal defaults which all OpenPGP implementations following RFC 4880 are required to offer.

An example line proposed again and again is

setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed

Minimum Required Set of Algorithms

But be aware that GnuPG will automatically add 3DES, SHA1 and uncompressed; those are the minimum set of algorithms all implementations must or should support. If you don't choose any compression algorithm, ZIP will also be added to the list. You can observe this default setting by setting any of those as preference, and nothing else:

gpg> setpref uncompressed 
Set preference list to:
     Cipher: 3DES
     Digest: SHA1
     Compression: Uncompressed
     Features: MDC, Keyserver no-modify

Defaults might be different based on compliance options used.

Jens Erat
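
An added example (not part of the answer above, and not GnuPG's own code): because setpref replaces all three categories at once, this script decodes the pref- subpackets from the question's --list-packets output and builds a full setpref line that changes only the digest list. The function names are made up for this illustration; the ID tables cover RFC 4880 only, and only the first preference line per category is read.

```bash
#!/bin/sh
# Sample input: the three pref- lines shown in the question.
SAMPLE_PACKETS='hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3 2)
hashed subpkt 21 len 5 (pref-hash-algos: 8 2 9 10 11)
hashed subpkt 22 len 3 (pref-zip-algos: 2 3 1)'

# Map an RFC 4880 algorithm ID to the name setpref accepts.
# $1 = category (sym|hash|zip), $2 = numeric ID.
# IDs outside RFC 4880 are emitted in the terse S<n>/H<n>/Z<n> form.
algo_name() {
  case "$1:$2" in
    sym:1) echo IDEA ;;       sym:2) echo 3DES ;;    sym:3) echo CAST5 ;;
    sym:4) echo BLOWFISH ;;   sym:7) echo AES ;;     sym:8) echo AES192 ;;
    sym:9) echo AES256 ;;     sym:10) echo TWOFISH ;;
    hash:1) echo MD5 ;;       hash:2) echo SHA1 ;;   hash:3) echo RIPEMD160 ;;
    hash:8) echo SHA256 ;;    hash:9) echo SHA384 ;; hash:10) echo SHA512 ;;
    hash:11) echo SHA224 ;;
    zip:0) echo Uncompressed ;; zip:1) echo ZIP ;;
    zip:2) echo ZLIB ;;       zip:3) echo BZIP2 ;;
    sym:*) echo "S$2" ;;      hash:*) echo "H$2" ;;  zip:*) echo "Z$2" ;;
  esac
}

# Read `gpg --list-packets` text on stdin and print the algorithm names
# of the first preference subpacket of category $1 (sym|hash|zip).
decode_prefs() (
  ids=$(sed -n "s/.*(pref-$1-algos: \([0-9 ]*\)).*/\1/p" | head -n 1)
  out=""
  for id in $ids; do
    out="$out $(algo_name "$1" "$id")"
  done
  echo "${out# }"
)

# $1 = list-packets text, $2 = new digest preference list (names).
# Prints a setpref line that keeps the key's existing cipher and
# compression preferences and swaps in only the new digest list.
build_setpref() (
  sym=$(printf '%s\n' "$1" | decode_prefs sym)
  zip=$(printf '%s\n' "$1" | decode_prefs zip)
  echo "setpref $sym $2 $zip"
)

echo "current digests: $(printf '%s\n' "$SAMPLE_PACKETS" | decode_prefs hash)"
build_setpref "$SAMPLE_PACKETS" "SHA512 SHA256 SHA384"
```

On a real key, pass the output of the question's export and --list-packets pipeline as the first argument, then enter the printed line at the gpg> prompt and finish with save.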